Ransomware: how to protect your company before the attack

⏱ 10 min read · 📅 15/04/2025 · ✍️ Infomek Team

In 2024, Brazil was the 5th most attacked country by ransomware in the world. The average cost of an incident for Brazilian companies exceeds R$ 1.5 million when you add up operational downtime, recovery, fines and reputational damage. The good news: most successful attacks exploit basic flaws that are entirely preventable.

⚠️ Ransomware does not discriminate by size. Small businesses are frequent targets precisely because they have weaker defenses and a higher probability of paying the ransom.

How a ransomware attack works

Understanding the attack helps you build the right defense. Most modern attacks follow this path:

  1. Initial access: phishing email, compromised credential, exposed RDP or unpatched vulnerability
  2. Persistence: the attacker installs a backdoor and maintains access undetected (sometimes for weeks)
  3. Reconnaissance: maps the network, identifies backups, critical systems and valuable data
  4. Lateral movement: spreads to other systems using stolen credentials
  5. Exfiltration: copies data to external servers (for double extortion threat)
  6. Encryption: activates the ransomware and demands payment

💡 The average time between the initial breach and ransomware activation is 9 days. That is the window of opportunity to detect and stop the attack.

The 7 critical protection points

1. Immutable and tested backup — the most important

Backup is your last line of defense. But not just any backup: modern ransomware actively searches for and deletes backups before activating encryption. You need:

  • Offsite backup — a copy in a physically separate location or cloud
  • Immutable backup — one that cannot be deleted even by an administrator for a defined period
  • 3-2-1 rule: 3 copies, 2 different media, 1 offsite
  • Monthly restore test — an untested backup is not a backup
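The restore test in the last bullet is the step most companies skip. As an added example, not code from the original post, here is a minimal restore check in Python: a SHA-256 manifest is written when the backup is taken, and a restored copy is compared against it so that missing or silently altered files show up. The directory layout, file contents and the tampering simulated at the end are constructed for the demonstration.

```python
"""Added example: verify a restored backup against a hash manifest.

Not from the original post. Paths and sample files are constructed.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map 'relative/path' -> sha256 for every regular file under root.

    Take this at backup time and keep it with the immutable copy, separate
    from the backup set it describes.
    """
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree to the manifest.

    Returns lists of files that are ok, missing, corrupted (hash mismatch)
    and extra (present in the restore but not in the manifest).
    """
    report = {"ok": [], "missing": [], "corrupted": [], "extra": []}
    seen = build_manifest(restored_root)
    for rel, digest in manifest.items():
        if rel not in seen:
            report["missing"].append(rel)
        elif seen[rel] != digest:
            report["corrupted"].append(rel)
        else:
            report["ok"].append(rel)
    report["extra"] = sorted(set(seen) - set(manifest))
    return report


def run_restore_test() -> dict:
    """Constructed end-to-end run: source -> manifest -> restore -> verify.

    One restored file is overwritten and one is deleted on purpose, so the
    report shows what a failed monthly restore test looks like.
    """
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_bytes(b"id,amount\n1,100\n")
        (src / "contracts.docx").write_bytes(b"constructed sample document")
        (src / "notes.txt").write_bytes(b"hello")
        manifest = build_manifest(src)

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        # Simulate a file encrypted in place and a file lost during restore.
        (restored / "contracts.docx").write_bytes(b"ENCRYPTED")
        (restored / "notes.txt").unlink()
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    for status, files in run_restore_test().items():
        print(f"{status:10s} {files}")
```

A hash manifest only proves the files came back intact; for databases and virtual machines the monthly test should also start the restored system and confirm the application works, and the manifest itself must live somewhere the attacker cannot rewrite along with the backup.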

2. Multi-factor authentication (MFA) on everything

Compromised credentials are the main entry point. With MFA, a stolen username and password alone are no longer enough to log in. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) or an authenticator app with number matching over SMS codes, because attackers routinely bypass weaker factors with push-notification spam and real-time phishing proxies. Implement MFA on:

  • Corporate email (Office 365, Google Workspace)
  • VPN and remote access
  • Administrative and financial systems
  • Cloud management dashboards
  • Active Directory / Azure AD (now Microsoft Entra ID)

3. Patch management — update without exceptions

Known vulnerabilities with available patches are exploited at scale, often within days of disclosure. A regular update process covering operating systems, applications and firmware removes a huge part of the attack surface. Prioritize internet-facing systems (VPN gateways, firewalls, mail servers, remote-access tools) and vulnerabilities that are already being exploited in the wild.

4. EDR on endpoints — beyond antivirus

Traditional antivirus detects threats by signature. Many modern attacks use fileless techniques, such as scripts executed in memory and abuse of legitimate administration tools, that leave little or nothing on disk for a signature to match. EDR (Endpoint Detection and Response) monitors process, file and network behavior in real time and flags suspicious activity regardless of signature, and it lets the responder isolate a host remotely as soon as an alert fires.

5. Network segmentation

If one computer is compromised, segmentation prevents the attack from spreading to the rest of the network. Servers, workstations, camera systems, printers and IoT devices should be on separate VLANs with firewall rules between them. Backup servers and storage deserve their own segment, reachable only from the backup software and not from ordinary workstation or domain-admin sessions, since attackers go after backups first.

6. Principle of least privilege

Each user should only have access to what they need to work. Regular users should never be local administrators. The less privilege, the less damage when an account is compromised.

7. Monitoring and detection (SIEM/EDR)

You cannot defend what you cannot see. Continuous monitoring with alerts for anomalous behavior — such as access to large volumes of files in a short time, communications with suspicious IPs or login attempts outside business hours — allows you to detect the attack within the 9-day window before encryption.
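The three alert conditions named above are easy to express as detection logic. As an added example, not code from the original post, the Python below runs them over constructed log lines. The log format (timestamp, event type, user, detail), the thresholds (50 file writes per user within 60 seconds, business hours 07:00 to 20:00) and the blocklisted address 203.0.113.7 (a documentation-only IP) are assumptions chosen for the demonstration; a real deployment would feed the same rules from EDR or SIEM telemetry and tune the thresholds to the environment.

```python
"""Added example: detect ransomware precursors in constructed log lines.

Not from the original post. Log format, thresholds and the blocklist are
assumptions for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Illustrative thresholds (assumptions, tune per environment).
FILE_BURST_COUNT = 50                      # writes by one user ...
FILE_BURST_WINDOW = timedelta(seconds=60)  # ... inside this window
BUSINESS_HOURS = (time(7, 0), time(20, 0))
SUSPICIOUS_IPS = {"203.0.113.7"}           # constructed blocklist entry


def parse_line(line: str) -> dict:
    """Assumed format: '<ISO timestamp> <EVENT> <user> <detail>'.

    EVENT is FILE_WRITE (detail = path), NET_CONNECT (detail = destination IP)
    or LOGIN (detail = source IP).
    """
    ts, event, user, detail = line.split(maxsplit=3)
    return {"ts": datetime.fromisoformat(ts), "event": event,
            "user": user, "detail": detail}


def detect(lines) -> list:
    """Return (rule, user, detail) alerts in chronological order."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    windows = defaultdict(deque)   # per-user timestamps of recent writes
    burst_flagged = set()          # alert once per user, not once per file

    for e in events:
        user = e["user"]
        if e["event"] == "FILE_WRITE":
            w = windows[user]
            w.append(e["ts"])
            while w and e["ts"] - w[0] > FILE_BURST_WINDOW:
                w.popleft()        # slide the window forward
            if len(w) >= FILE_BURST_COUNT and user not in burst_flagged:
                burst_flagged.add(user)
                alerts.append(("mass_file_write", user,
                               f"{len(w)} files in {FILE_BURST_WINDOW.seconds}s"))
        elif e["event"] == "NET_CONNECT":
            if e["detail"] in SUSPICIOUS_IPS:
                alerts.append(("suspicious_ip", user, e["detail"]))
        elif e["event"] == "LOGIN":
            t = e["ts"].time()
            if not (BUSINESS_HOURS[0] <= t <= BUSINESS_HOURS[1]):
                alerts.append(("off_hours_login", user, e["ts"].isoformat()))
    return alerts


def build_sample_log() -> list:
    """Constructed log: normal daytime work by 'alice', then a service
    account that logs in at 03:12, talks to a blocklisted IP and rewrites
    60 files in 30 seconds."""
    lines = []
    base = datetime(2025, 4, 14, 9, 0, 0)
    for i in range(10):
        ts = (base + timedelta(minutes=5 * i)).isoformat()
        lines.append(f"{ts} FILE_WRITE alice /share/reports/q{i}.xlsx")
    lines.append("2025-04-14T09:30:00 LOGIN alice 10.0.0.5")

    lines.append("2025-04-14T03:12:44 LOGIN svc-print 198.51.100.23")
    lines.append("2025-04-14T03:13:10 NET_CONNECT svc-print 203.0.113.7")
    start = datetime(2025, 4, 14, 23, 40, 0)
    for i in range(60):
        ts = (start + timedelta(milliseconds=500 * i)).isoformat()
        lines.append(f"{ts} FILE_WRITE svc-print /share/finance/doc{i}.docx")
    return lines


if __name__ == "__main__":
    for rule, user, detail in detect(build_sample_log()):
        print(f"ALERT {rule:16s} user={user} {detail}")
```

Note that the sample produces three alerts for the same account within one day, and the burst fires at the 50th write rather than after all 60: the point of the 9-day window is that the off-hours login and the outbound connection appear long before the mass encryption, so those earlier, quieter signals are the ones worth paging someone for.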

Quick assessment checklist

Answer honestly. Every "no" is an active risk:

  • Do I have offsite backup tested in the last 30 days?
  • Is MFA active on email and VPN for all users?
  • Are my systems up to date (no critical patches pending for more than 30 days)?
  • Do I have EDR installed on all computers and servers?
  • Is my network segmented by function?
  • Is it true that no regular user has local administrator privileges?
  • Do I have active monitoring with anomalous behavior alerts?

What if we have already been attacked?

If ransomware has already activated, the sequence is: immediately isolate affected systems from the network (disconnect the cable or disable the network adapter, but do not power off machines that forensic analysts may still need to examine in memory), do not pay the ransom (payment does not guarantee recovery and funds future attacks), engage specialists for forensic analysis before wiping or reinstalling anything, restore from the offsite or immutable backup only after the entry point has been identified and closed (otherwise the attacker simply comes back), and notify the ANPD if personal data was affected (LGPD obligation).

Infomek performs security assessments for companies in Curitiba, identifying vulnerabilities before attackers exploit them. Contact us for a free diagnosis of your environment.

Need help applying this to your company?

Infomek has over 30 years of experience in infrastructure, security and corporate IT in Curitiba.

Talk to us!