The Growing Ransomware Protection Crisis
2025 presents a stark reality: Compliance-based cybersecurity fails to provide adequate ransomware protection. While you follow regulations, cybercriminals develop sophisticated attacks that bypass traditional safeguards.
Warning: Imagine your worst-case scenario — critical data locked, operations halted, and profits plummeting — all because your "compliant" measures couldn't deliver effective ransomware protection.
Why Traditional Protection Falls Short:
- Regulatory frameworks lag behind evolving threats
- Compliance focuses on minimum standards, not maximum security
- Generic approaches ignore your organization's unique vulnerabilities
- Recovery capabilities are often overlooked in compliance checklists
Effective ransomware protection requires a risk-based approach that goes beyond regulatory checkboxes. As attacks outpace regulations at unprecedented rates, your business needs comprehensive protection strategies tailored to your specific risk profile.
What You'll Learn About Ransomware Protection:
- Why compliance alone leaves you vulnerable
- Essential components of risk-based protection
- Practical steps to implement robust ransomware protection today
- Recovery strategies that minimize damage when prevention fails
The Bear Spray Fallacy: A Ransomware Protection Parable
Picture yourself on a hiking trip in a national park. Concerned about ransomware-like threats in the wild—bears—you diligently prepare:
- You study official trail maps and bear safety guidelines
- You pack recommended bear spray (your "compliance solution")
- You even bring a change of underwear for worst-case scenarios
As you trek along Mt. Ominous, breathing in fresh mountain air, disaster strikes—you forgot your cell phone with your maps and GPS. Now you're lost as darkness falls.
"But I followed the rules!" you shout helplessly into the void.
The Ransomware Protection Lesson
This tale perfectly illustrates the critical difference between the two approaches to data protection:
- Compliance-Only Approach = The lost hiker who followed basic rules but lacked comprehensive protection
- Risk-Based Ransomware Protection = A prepared hiker with layered defenses and recovery plans
Understanding this difference is essential for protecting your business against ransomware this year.
The Current Ransomware Protection Landscape
We're currently experiencing a deceptive lull in the ransomware storm:
- Sophos reports a slight dip in attack rates compared to 2023
- Legal actions have disrupted some organized ransomware groups
- This false sense of security creates significant risk
Don't Waste This Critical Window for Ransomware Protection
This temporary breathing space isn't an invitation to relax—it's a crucial opportunity to:
- Implement comprehensive ransomware protection measures
- Move beyond compliance to risk-based security
- Strengthen your data resilience against inevitable attacks
Critical Vectors Your Ransomware Protection Strategy Must Address
Effective ransomware protection requires understanding exactly how these threats infiltrate your systems. While compliance frameworks often provide general guidance, they rarely detail the specific attack vectors criminals use to bypass your defenses.
Email-Based Attacks: The Primary Gateway
Email remains one of the most common ransomware delivery methods, and attackers keep refining their techniques:
- Malicious Attachments: Attackers disguise executables and scripts as ordinary documents, using double extensions (invoice.pdf.exe), document icons, or archive and disk-image containers that hide the real file type. A genuine .pdf, .docx or .xlsx only does harm when the user runs the script or installer it carries, or when it exploits a vulnerability in the viewer; once that code runs, it fetches and launches the ransomware.
- Embedded Macros: Business documents containing malicious macros that, when enabled, download and install ransomware payloads.
- Deceptive Links: Emails containing links to compromised websites that automatically download ransomware when visited.
Real-World Example: Ryuk was typically the last stage of a chain that began with a targeted email carrying a Word document with embedded macros. Enabling the macros ran a loader such as Emotet, which established persistence and dropped TrickBot; the operators then used that foothold for reconnaissance and deployed Ryuk by hand once they had reached the systems they wanted to encrypt.
Web-Based Infection Methods
Your employees' everyday browsing activities can expose your organization to ransomware infections:
- Drive-By Downloads: Malicious code automatically downloads and executes when visiting compromised websites, without any user action required.
- Malvertising: Legitimate advertising networks are infiltrated with malicious ads that redirect to exploit kits deploying ransomware.
- Compromised Downloads: Seemingly legitimate software downloads infected with ransomware, often targeting popular freeware or pirated content.
Real-World Example: The Magnitude Exploit Kit has been observed delivering Magniber ransomware through malvertising campaigns, explicitly targeting users in specific geographic regions and bypassing users from others to avoid detection.
Physical Media & Network Vulnerabilities
While often overlooked in compliance checklists, these infection methods remain significant threats:
- Infected USB Drives: External storage that carries ransomware. Modern operating systems no longer auto-run programs from removable media, so these attacks rely on a user opening a disguised file, or on devices that present themselves as keyboards and type commands. Drives may be deliberately planted (USB drops) or unintentionally infected.
- Network Vulnerabilities: Ransomware spreads through unpatched systems on a network, exploiting flaws such as the SMBv1 bug (MS17-010) behind the EternalBlue exploit used by WannaCry. Microsoft had released the patch two months before the outbreak; the victims were the machines that had not applied it.
- Remote Desktop Protocol (RDP) Breaches: Attackers gain entry through weak RDP credentials or unpatched vulnerabilities in remote access technology.
Real-World Example: SamSam specifically targeted organizations with RDP exposed to the internet. Its operators brute-forced weak passwords to gain initial access, then moved laterally through the network by hand and deployed the ransomware where it would cause maximum damage.
Recognizing Phishing Attempts: Your First Line of Ransomware Protection
Phishing remains one of the primary initial access vectors for ransomware, alongside exploited vulnerabilities and stolen remote-access credentials. Training your team to recognize these attempts is essential:
Red Flags in Suspicious Emails
- Urgency and Pressure: Messages creating artificial time pressure ("Immediate action required")
- Suspicious Sender Addresses: Carefully examine email addresses for slight misspellings of legitimate domains
- Grammatical Errors: Professional organizations rarely send communications with poor grammar or spelling
- Unusual Requests: Requests that violate normal procedures, especially regarding financial matters
- Hovering Links: Train employees to hover over links to verify the actual URL destination before clicking
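The hover check and the sender-address check above can be done by a program as well as by a trained eye. The following script is an added example, not code from the original article: it scores two constructed sample messages against the red flags in the list, treating `example.com` as the organisation's trusted domain (an assumption) and flagging lookalike sender domains, urgency phrases, links whose visible text names a different host than the href, and links that point at a bare IP address.

```python
"""Check constructed sample emails against the red flags listed above.

Added example, not code from the original article. The trusted-domain list,
the urgency phrases, the thresholds and the two sample messages are all
assumptions made for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example.com"}              # assumption: the organisation's own domains
URGENCY_PHRASES = ("immediate action", "within 24 hours",
                   "account will be suspended", "urgent")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; fine for short strings such as domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates (1-2 characters off), if any."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


class LinkCollector(HTMLParser):
    """Collect (visible anchor text, href) pairs: what the user sees vs where it goes."""

    def __init__(self) -> None:
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def host_in(text: str) -> Optional[str]:
    """Pull a hostname out of a URL or a bare 'www.example.com'-style string."""
    m = re.search(r"(?:https?://)?([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,})", text)
    return m.group(1).lower() if m else None


def red_flags(raw_message: str) -> List[str]:
    """Return human-readable flags for one RFC 5322 message (headers + body)."""
    msg = message_from_string(raw_message)
    flags = []

    # Red flag: sender domain is a near-miss of a domain the user trusts.
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    imitated = lookalike_of(sender_domain)
    if imitated:
        flags.append(f"sender domain {sender_domain} looks like {imitated}")

    body = msg.get_payload() if not msg.is_multipart() else "".join(
        part.get_payload() for part in msg.walk()
        if part.get_content_type() in ("text/plain", "text/html"))

    # Red flag: manufactured time pressure in subject or body.
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))

    # Red flag: the "hover check" done by a program; link text and target disagree.
    collector = LinkCollector()
    collector.feed(body)
    for shown_text, href in collector.links:
        shown = host_in(shown_text)
        actual = (urlparse(href).hostname or "").lower()
        if shown and actual and shown != actual:
            flags.append(f"link text shows {shown} but points to {actual}")
        if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", actual):
            flags.append(f"link points at a bare IP address {actual}")
        elif actual and lookalike_of(actual):
            flags.append(f"link host {actual} looks like {lookalike_of(actual)}")
    return flags


# Constructed sample messages (not real mail).
PHISH = """\
From: IT Support <helpdesk@examp1e.com>
Subject: Immediate action required: password expires today
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you verify now.</p>
<a href="http://203.0.113.7/verify">https://portal.example.com/verify</a>
"""

LEGIT = """\
From: Payroll <payroll@example.com>
Subject: January payslip available
Content-Type: text/html

<p>Your payslip is available in the HR portal.</p>
<a href="https://portal.example.com/payslips">HR portal</a>
"""

if __name__ == "__main__":
    for name, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, red_flags(raw) or ["no red flags"])
```

Running it reports four flags for the phishing sample and none for the payslip notice. The two-character edit-distance threshold is deliberately loose; in a real mail gateway you would also compare against the brands your users deal with and rely on SPF and DKIM results rather than the From header alone, which is trivially forged.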
Advanced Phishing Techniques to Watch For
- Spear Phishing: Highly targeted emails using personal information to appear legitimate
- Business Email Compromise: Emails appearing to come from executives requesting urgent actions
- Brand Impersonation: Emails mimicking trusted brands, often with convincing logos and formatting
Protection Tip: Implement a straightforward process for reporting suspicious emails without penalty, encouraging employees to flag potential threats without fear of reprimand for false positives.
Emerging Ransomware Infection Vectors
Comprehensive ransomware protection requires awareness of emerging infection methods that compliance frameworks haven't yet addressed:
- Supply Chain Attacks: Ransomware delivered through compromised software updates from legitimate vendors
- Cloud Service Vulnerabilities: Exploiting misconfigurations in cloud services to deploy ransomware
- IoT Device Exploitation: Using vulnerable Internet of Things devices as entry points to corporate networks
- API Vulnerabilities: Exploiting insecure APIs to gain system access and deploy ransomware
Real-World Example: The Kaseya VSA attack in July 2021 demonstrated the devastating potential of supply chain attacks. The REvil group exploited a vulnerability in on-premises VSA servers run by managed service providers and used the product's own update and deployment mechanism to push ransomware to the providers' customers, reaching up to an estimated 1,500 downstream organizations in a single weekend.
Building Ransomware Protection Against All Infection Methods
A risk-based approach to ransomware protection must address all potential infection vectors:
- Technical Controls:
- Email filtering and scanning solutions
- Web filtering and browser isolation
- Network segmentation
- USB device control policies
- Human Factors:
- Regular security awareness training
- Simulated phishing exercises
- Clear reporting procedures for suspicious activities
- Operational Security:
- Regular vulnerability scanning and patching
- Principle of least privilege
- Multi-factor authentication for all remote access
Compliance and proper ransomware protection often differ in how thoroughly your organization addresses these specific infection vectors.
While compliance frameworks might require general email security measures, a risk-based approach goes deeper, implementing advanced email filtering, regular phishing simulations, and comprehensive user training to counter the latest ransomware delivery techniques.
Understanding and defending against these specific infection methods builds ransomware resilience beyond basic compliance requirements.
Ransomware Protection for Device and Network Vulnerability
Effective ransomware protection requires understanding that no device or network is inherently immune. While compliance frameworks often focus on protecting central servers and databases, comprehensive security demands attention to all potential vulnerability points across your digital ecosystem.
PC Vulnerabilities: Still the Primary Battleground
Desktop and laptop computers remain prime targets for ransomware attackers for several reasons:
- Resource Availability: More processing power for encryption operations
- Data Concentration: Often stores large volumes of valuable business and personal data
- User Privileges: Users often hold local administrator rights on their PCs, something mobile operating systems do not grant to apps
- Legacy Systems: Many organizations maintain outdated systems with unpatched vulnerabilities
Critical Insight: Ransomware can target any PC—a home computer, PCs on an enterprise network, or servers used by a government agency. No organization is too small or too large to be targeted.
Mobile Device Vulnerabilities: The Overlooked Threat
As organizations focus on PC protection, mobile devices increasingly become attractive ransomware targets:
- Android Vulnerabilities: More susceptible due to varied update practices and sideloading capabilities
- iOS Risks: While more restricted, not immune, particularly for jailbroken devices
- Corporate Data Access: Mobile devices now frequently access sensitive corporate resources
- Authentication Storage: Often contains credentials that could enable broader network access
Warning: Mobile devices can also get ransomware! As BYOD policies become standard, unprotected personal devices can serve as entry points to corporate networks.
IoT Device Exploitation: The Expanding Perimeter
The explosion of Internet of Things devices creates new ransomware vulnerabilities:
- Weak Default Security: Many IoT devices ship with minimal security configurations
- Irregular Updates: Patching cycles often lag far behind threat evolution
- Network Access: Provide potential pivot points into more valuable systems
- Critical Functions: In industrial settings, ransomware on IoT devices can threaten physical operations
Network Propagation: How Ransomware Spreads Like Wildfire
Understanding how ransomware moves across networks is essential for developing effective ransomware protection strategies:
Lateral Movement Techniques
Once established on a single device, modern ransomware employs sophisticated techniques to spread:
- Network Share Scanning: Identifying and encrypting data on mapped and unmapped network drives
- Credential Harvesting: Stealing authentication information to access additional systems
- Exploitation of Trust Relationships: Using trusted connections between systems to propagate
- Active Directory Attacks: Targeting domain controllers to compromise entire organizational networks
Critical Warning: If your computer is connected to a network, ransomware may spread to other computers or storage devices, potentially compromising your entire digital infrastructure in minutes.
Worm-Like Capabilities
The most dangerous ransomware variants include self-propagation mechanisms:
- Vulnerability Exploitation: Automatically scanning for and exploiting unpatched systems (as seen with WannaCry using EternalBlue)
- RDP Brute-Forcing: Systematically attacking Remote Desktop Protocol connections with password lists
- SMB Protocol Abuse: Exploiting file-sharing protocols to move between systems
- Email Self-Propagation: Some variants access contact lists and send themselves to new victims
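The RDP brute-forcing and network share scanning described above leave a recognisable trail in Windows Security logs, and the SamSam intrusions mentioned earlier began exactly this way. The detector below is an added example, not code from the article: it runs over constructed event records shaped like events 4625 (failed logon), 4624 (logon, type 10 = RDP) and 5140 (network share accessed) and raises two alerts, one for a source that succeeds over RDP after a burst of failures and one for a source that opens shares on many hosts in a short window. Thresholds, hostnames and addresses are assumptions.

```python
"""Flag RDP brute force and SMB share fan-out in Windows Security events.

Added example, not code from the original article. The event records are
constructed to resemble the fields of Windows Security log events 4625
(failed logon), 4624 (successful logon) and 5140 (network share accessed);
the thresholds and addresses are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Event:
    ts: int              # seconds since epoch
    event_id: int        # 4625 failed logon, 4624 logon, 5140 share accessed
    host: str            # computer that recorded the event
    src_ip: str          # source address reported in the event
    user: str = ""
    logon_type: int = 0  # 10 = RemoteInteractive (RDP), 3 = Network (SMB)


RDP_FAILS = 20        # failed logons from one source ...
RDP_WINDOW = 300      # ... within this many seconds counts as a brute force
FANOUT_HOSTS = 5      # one source touching shares on this many hosts ...
FANOUT_WINDOW = 120   # ... within this window looks like worm-style spreading


def detect_rdp_brute_force(events: Iterable[Event]) -> List[str]:
    """Alert when an RDP logon succeeds after a burst of failures from the same source."""
    alerts = []
    failures = defaultdict(deque)          # src_ip -> timestamps of recent 4625s
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event_id == 4625:
            q = failures[e.src_ip]
            q.append(e.ts)
            while q and e.ts - q[0] > RDP_WINDOW:
                q.popleft()
        elif e.event_id == 4624 and e.logon_type == 10:
            recent = [t for t in failures.get(e.src_ip, ()) if e.ts - t <= RDP_WINDOW]
            if len(recent) >= RDP_FAILS:
                alerts.append(f"{e.src_ip} logged on to {e.host} over RDP as {e.user!r} "
                              f"after {len(recent)} failures in {RDP_WINDOW}s")
    return alerts


def detect_share_fanout(events: Iterable[Event]) -> List[str]:
    """Alert when one source opens shares on many different hosts in a short window."""
    alerts = []
    touched = defaultdict(deque)           # src_ip -> (ts, host) of recent 5140s
    flagged = set()
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event_id != 5140:
            continue
        q = touched[e.src_ip]
        q.append((e.ts, e.host))
        while q and e.ts - q[0][0] > FANOUT_WINDOW:
            q.popleft()
        hosts = {h for _, h in q}
        if len(hosts) >= FANOUT_HOSTS and e.src_ip not in flagged:
            flagged.add(e.src_ip)
            alerts.append(f"{e.src_ip} accessed shares on {len(hosts)} hosts "
                          f"within {FANOUT_WINDOW}s: {', '.join(sorted(hosts))}")
    return alerts


def sample_events() -> List[Event]:
    """Constructed scenario: a SamSam-style intrusion from one internal address."""
    ev = []
    # 25 failed RDP logons against FS01 in two minutes, then one success.
    for i in range(25):
        ev.append(Event(1000 + 5 * i, 4625, "FS01", "10.0.5.23", "administrator", 10))
    ev.append(Event(1130, 4624, "FS01", "10.0.5.23", "administrator", 10))
    # An ordinary user opening a share on a single server: no alert.
    ev.append(Event(1200, 5140, "FS01", "10.0.7.40", "alice", 3))
    # The intruder then enumerates shares on six hosts in under a minute.
    for i, host in enumerate(["WS01", "WS02", "WS03", "WS04", "WS05", "FS02"]):
        ev.append(Event(1300 + 10 * i, 5140, host, "10.0.5.23", "administrator", 3))
    return ev


if __name__ == "__main__":
    for line in detect_rdp_brute_force(sample_events()) + detect_share_fanout(sample_events()):
        print("ALERT:", line)
```

Both rules are stateful over a sliding window, which is what distinguishes an intrusion from the background noise of mistyped passwords and normal file-server use. The fan-out rule fires on the fifth host, before the sixth is touched; in practice you would feed it from a central log collector, because the events are spread across the victim machines rather than concentrated on the attacker's.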
Ransomware Protection for Network Architecture
A risk-based approach to ransomware protection includes network design principles that limit propagation:
Critical Network Security Measures
- Network Segmentation: Dividing networks into isolated zones to contain potential outbreaks
- Zero Trust Architecture: Requiring verification for every device and connection, regardless of location
- Least Privilege Access: Restricting user and system permissions to the minimum necessary
- Traffic Monitoring: Implementing behavioral analysis to detect unusual data movements
Protection Strategy: Network segmentation is particularly effective against ransomware spread. Creating logical boundaries between different parts of your network prevents a ransomware infection in one segment from affecting your entire organization.
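One way to make segmentation and least privilege concrete is to write the policy down as data and test both the design and the observed traffic against it. The script below is an added example, not from the article, and its address plan, zones and ports are assumptions: it keeps a default-deny allow list keyed by (source zone, destination zone, port), audits constructed flow records for connections the policy forbids, and reports the blast radius of a compromised host, that is, everything a worm on it could reach.

```python
"""Express a segmentation policy as data and audit observed flows against it.

Added example, not code from the original article. The address plan, zones,
ports and the constructed flow records are assumptions for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ZONES = {                                            # assumption: example address plan
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "jump": ipaddress.ip_network("10.30.0.0/24"),
    "backup": ipaddress.ip_network("10.40.0.0/24"),
}
SMB, RDP, SSH, HTTPS = 445, 3389, 22, 443

# Default deny: a flow is permitted only if (source zone, destination zone, port)
# is listed here. Nothing is allowed workstation-to-workstation, admin protocols
# reach servers only from the jump zone, and only servers may push to backup.
ALLOW: Set[Tuple[str, str, int]] = {
    ("workstations", "servers", SMB),
    ("workstations", "servers", HTTPS),
    ("jump", "servers", RDP),
    ("jump", "servers", SSH),
    ("servers", "backup", HTTPS),
}


def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def allowed(src: str, dst: str, dport: int) -> bool:
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return False                      # unknown address space is denied too
    return (sz, dz, dport) in ALLOW


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def audit(flows) -> List[Flow]:
    """Observed flows the policy would not permit: missing or misconfigured enforcement."""
    return [f for f in flows if not allowed(f.src, f.dst, f.dport)]


def blast_radius(src: str) -> Set[Tuple[str, int]]:
    """Zones and ports a compromised host could reach, i.e. what a worm on it would see."""
    sz = zone_of(src)
    return {(dz, port) for (s, dz, port) in ALLOW if s == sz}


# Constructed flow records, as they might come from NetFlow or a firewall log.
SAMPLE_FLOWS = [
    Flow("10.10.4.7", "10.20.0.15", SMB),       # workstation -> file server: allowed
    Flow("10.10.4.7", "10.10.4.9", SMB),        # workstation -> workstation: lateral movement path
    Flow("10.10.4.7", "10.20.0.15", RDP),       # RDP from a workstation, not the jump host
    Flow("10.30.0.5", "10.20.0.15", RDP),       # jump host -> server: allowed
    Flow("10.10.4.7", "10.40.0.2", SMB),        # workstation -> backup server: must never happen
    Flow("10.20.0.15", "10.40.0.2", HTTPS),     # server pushes its backup: allowed
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {f.src} -> {f.dst}:{f.dport} ({zone_of(f.src)} -> {zone_of(f.dst)})")
    print("reachable from a compromised workstation:", sorted(blast_radius("10.10.4.7")))
```

The three violations in the sample are exactly the paths ransomware needs: peer-to-peer SMB between workstations, RDP from anywhere but the jump zone, and any client reaching the backup network. Auditing real flow data against the same allow list tells you whether the firewalls actually enforce the diagram.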
The gap between compliance and comprehensive security is particularly evident in network protection. While compliance frameworks often mandate basic network security measures, they rarely address the specific architectural requirements needed to effectively contain modern ransomware.
Evolution of Ransomware Protection in Security Suites
Beyond Traditional Detection Methods
Today's advanced security suites integrate multiple detection layers specifically designed for ransomware:
- Behavior-Based Detection: Rather than relying solely on signature matching, modern solutions monitor for suspicious encryption activities and file system behaviors characteristic of ransomware.
- Machine Learning Models: Advanced algorithms trained on millions of samples to detect even previously unseen ransomware variants based on behavioral patterns.
- Heuristic Analysis: Proactive examination of code for ransomware-like functionality before execution.
Real-World Application: Solutions like Bitdefender and Webroot have integrated ransomware protection directly into their core functionality, eliminating the need for separate ransomware tools and providing seamless protection within a unified security framework.
Critical Ransomware-Specific Protection Features
The most effective security suites incorporate specialized features targeting the unique challenges of ransomware:
- Anti-Ransomware Shields: Dedicated modules that specifically monitor for and block encryption attempts on user files.
- Process Monitoring: Technologies that flag suspicious processes attempting to modify multiple files rapidly.
- Secure Folders Protection: Special designation of critical document folders with additional layers of access control to prevent unauthorized encryption.
- Rollback Capabilities: Temporary caching of files as they are modified, so that anything encrypted before the attack is stopped can be restored to its previous contents.
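The four features above can be shown working together in a small simulation. The code below is an added example, not from the article or any vendor's product: a dict stands in for the file system and `handle` for the write hook a real product installs in the kernel. It enforces a protected-folder allow list, flags a process that rewrites several distinct files with high-entropy (encrypted-looking) data within a short window, "terminates" that process, and rolls back its writes from a cache of the original bytes. Paths, thresholds and process names are assumptions; the ciphertext is a deterministic hash chain standing in for real encryption.

```python
"""Simulated endpoint shield: protected folders, burst+entropy detection, rollback.

Added example, not from the article or any vendor product. A dict stands in
for the file system and handle() for a kernel write hook; the folder list,
thresholds, process names and file contents are assumptions.
"""
import hashlib
import math
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List, Optional

PROTECTED_DIRS = ("/home/alice/Documents/",)   # "secure folders" (assumption)
PROTECTED_WRITERS = {"libreoffice"}             # processes allowed to write there (assumption)
ENTROPY_THRESHOLD = 7.0   # bits/byte: text is ~4-5, encrypted or compressed data ~8
BURST_FILES = 5           # distinct files rewritten by one process ...
BURST_WINDOW = 2.0        # ... within this many seconds


@dataclass(frozen=True)
class WriteEvent:
    ts: float
    pid: int
    proc: str
    path: str
    data: bytes
    rename_to: Optional[str] = None   # e.g. report.txt -> report.txt.locked


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: a cheap 'does this look encrypted?' test."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class RansomwareShield:
    def __init__(self, disk: Dict[str, bytes]) -> None:
        self.disk = dict(disk)               # simulated file system
        self.originals = defaultdict(dict)   # pid -> {orig path: (orig bytes, current path)}
        self.recent = defaultdict(deque)     # pid -> (ts, path) of recent writes
        self.killed = set()
        self.alerts: List[str] = []

    def handle(self, ev: WriteEvent) -> str:
        """Called for every write; returns 'ok', 'blocked' or 'killed'."""
        if ev.pid in self.killed:
            return "blocked"
        # Secure-folder control: only allow-listed processes may write here.
        if ev.path.startswith(PROTECTED_DIRS) and ev.proc not in PROTECTED_WRITERS:
            self._kill(ev.pid, f"{ev.proc}[{ev.pid}] tried to write protected file {ev.path}")
            return "blocked"
        # Rollback cache: keep pre-write bytes the first time this process touches a file.
        cache = self.originals[ev.pid]
        if ev.path in self.disk and ev.path not in cache:
            cache[ev.path] = (self.disk[ev.path], ev.path)
        target = ev.rename_to or ev.path
        if target != ev.path:
            self.disk.pop(ev.path, None)
            if ev.path in cache:
                cache[ev.path] = (cache[ev.path][0], target)
        self.disk[target] = ev.data
        # Process monitoring: many distinct files rewritten with random-looking bytes.
        q = self.recent[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > BURST_WINDOW:
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= BURST_FILES and shannon_entropy(ev.data) > ENTROPY_THRESHOLD:
            self._kill(ev.pid, f"{ev.proc}[{ev.pid}] rewrote {distinct} files with "
                               f"high-entropy data within {BURST_WINDOW}s")
            return "killed"
        return "ok"

    def _kill(self, pid: int, reason: str) -> None:
        self.killed.add(pid)   # a real product terminates the process here
        self.alerts.append(reason)
        self.rollback(pid)

    def rollback(self, pid: int) -> List[str]:
        """Undo every write the process made: restore cached bytes, drop renamed copies."""
        restored = []
        for orig_path, (data, current) in self.originals.pop(pid, {}).items():
            self.disk.pop(current, None)
            self.disk[orig_path] = data
            restored.append(orig_path)
        return restored


def fake_ciphertext(seed: int, size: int = 4096) -> bytes:
    """Deterministic stand-in for AES output (hash chain), ~8 bits/byte of entropy."""
    return b"".join(hashlib.sha256(seed.to_bytes(4, "big") + j.to_bytes(4, "big")).digest()
                    for j in range(size // 32))


def demo():
    disk = {"/home/alice/Documents/budget.xlsx": b"Q1 budget: 1200, 1300, 1250"}
    for i in range(6):
        disk[f"/srv/share/report{i}.txt"] = f"Quarterly report {i}: revenue up 4%\n".encode() * 20
    shield = RansomwareShield(disk)
    # A legitimate editor saving inside the protected folder is left alone.
    r_edit = shield.handle(WriteEvent(0.0, 101, "libreoffice", "/home/alice/Documents/budget.xlsx",
                                      b"Q1 budget revised: 1200, 1300, 1400"))
    # Ransomware encrypts and renames share files, one every 100 ms ...
    results = [shield.handle(WriteEvent(1.0 + 0.1 * i, 666, "svchost.exe",
                                        f"/srv/share/report{i}.txt", fake_ciphertext(i),
                                        rename_to=f"/srv/share/report{i}.txt.locked"))
               for i in range(6)]
    # ... and would have gone for the protected folder next.
    r_prot = shield.handle(WriteEvent(2.0, 666, "svchost.exe",
                                      "/home/alice/Documents/budget.xlsx", fake_ciphertext(99)))
    return shield, r_edit, results, r_prot
```

In the scenario the ransomware gets through four files before the fifth write trips the burst-plus-entropy rule; the rollback returns those five to their original contents, the sixth is never written, and the protected folder would have blocked it regardless. The entropy test on its own is not enough (compressed archives look the same), which is why it is combined with the burst count, and why real products also watch for the rename pattern and for canary files.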
Integrated Backup Solutions: The Last Line of Defense
A risk-based approach to ransomware protection recognizes that prevention might sometimes fail, making recovery capabilities essential:
How Modern Backup Systems Counter Ransomware
- Immutable Backups: Backup systems that create write-once, read-many copies that ransomware (or an attacker holding the backup credentials) can neither alter nor delete before the retention period ends.
- Air-Gapped Storage: Maintaining copies disconnected from networks where ransomware can't reach them.
- Versioning Systems: Retaining multiple historical versions of files to enable recovery from specific points before infection.
- Automated Recovery Processes: One-click restoration systems that minimize downtime after an attack.
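Immutability, versioning and restore verification are easier to reason about with a minimal implementation in hand. The code below is an added example, not from the article or from any backup product: a content-addressed object store written with create-exclusive, read-only files (a stand-in for the object-lock or WORM retention a real target provides), one manifest per backup run, a restore that picks the newest snapshot before a chosen time and verifies every object's hash, and a `verify` pass that finds tampered objects. The three file sets are constructed for the demonstration.

```python
"""Write-once object store with point-in-time snapshots and verified restore.

Added example, not code from the original article or any backup product.
Storage is a temporary directory; real immutability comes from the backup
target (object-lock/WORM retention, offline media), which this only simulates
with create-exclusive files and a content hash checked on every restore.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List


class WormStore:
    def __init__(self, root: Path) -> None:
        self.objects = root / "objects"        # content-addressed blobs, named by SHA-256
        self.snapshots = root / "snapshots"    # one manifest per backup run
        self.objects.mkdir(parents=True, exist_ok=True)
        self.snapshots.mkdir(parents=True, exist_ok=True)

    @staticmethod
    def _write_once(path: Path, data: bytes) -> None:
        # O_EXCL: fail rather than overwrite; 0o444: read-only once written.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o444)
        with os.fdopen(fd, "wb") as f:
            f.write(data)

    def put_blob(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        if not (self.objects / digest).exists():   # identical content is stored once
            self._write_once(self.objects / digest, data)
        return digest

    def snapshot(self, ts: int, files: Dict[str, bytes]) -> None:
        """Record a backup run at time `ts` (seconds); older manifests are never touched."""
        manifest = {"ts": ts, "files": {name: self.put_blob(data) for name, data in files.items()}}
        self._write_once(self.snapshots / f"{ts:012d}.json", json.dumps(manifest).encode())

    def snapshot_times(self) -> List[int]:
        return sorted(int(p.stem) for p in self.snapshots.glob("*.json"))

    def restore(self, before_ts: int) -> Dict[str, bytes]:
        """Return the newest snapshot taken strictly before `before_ts`, verifying every object."""
        older = [t for t in self.snapshot_times() if t < before_ts]
        if not older:
            raise LookupError("no snapshot older than the requested time")
        manifest = json.loads((self.snapshots / f"{older[-1]:012d}.json").read_text())
        out = {}
        for name, digest in manifest["files"].items():
            data = (self.objects / digest).read_bytes()
            if hashlib.sha256(data).hexdigest() != digest:
                raise ValueError(f"object {digest[:12]} for {name} is corrupt or tampered")
            out[name] = data
        return out

    def verify(self) -> List[str]:
        """Digests whose stored bytes no longer match their name."""
        return [p.name for p in self.objects.iterdir()
                if hashlib.sha256(p.read_bytes()).hexdigest() != p.name]


# Constructed file sets for three backup runs.
CLEAN = {"contracts/acme.docx": b"Contract with ACME, signed 2024-11-02",
         "finance/q1.xlsx": b"Q1 figures: 410, 388, 402"}
EDITED = {**CLEAN, "finance/q1.xlsx": b"Q1 figures: 410, 388, 402, 415 (revised)"}
ENCRYPTED = {name + ".locked": hashlib.sha256(name.encode()).digest() * 4 for name in EDITED}


def demo():
    store = WormStore(Path(tempfile.mkdtemp()))
    store.snapshot(100, CLEAN)
    store.snapshot(200, EDITED)
    store.snapshot(300, ENCRYPTED)   # the run after infection faithfully backs up ciphertext
    # Versioning: go back to the last good point, not just to the latest backup.
    restored = store.restore(before_ts=250)
    # Someone with write access to the store corrupts an object; the hash check catches it.
    victim = store.objects / hashlib.sha256(ENCRYPTED["contracts/acme.docx.locked"]).hexdigest()
    os.chmod(victim, 0o644)
    victim.write_bytes(b"overwritten")
    return store, restored, store.verify()


if __name__ == "__main__":
    store, restored, bad = demo()
    print(store.snapshot_times(), sorted(restored), bad)
```

The run after infection dutifully backs up the encrypted files, which is why point-in-time selection matters more than "the latest backup". The hash check detects corruption but not deletion; only retention locks enforced by the storage layer, or an offline copy, cover that case, and none of it helps unless restores are rehearsed regularly.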
Solution Highlight: Acronis True Image exemplifies this approach by backing up critical files and actively monitoring for and preventing ransomware attacks on the original files and the backups themselves, creating a comprehensive protection system.
Real-Time Response: Neutralizing Active Threats
The most advanced security suites don't just detect ransomware—they actively neutralize it:
Automated Ransomware Remediation
- Immediate Process Termination: Instantaneous killing of suspicious processes before encryption can spread.
- Automatic File Restoration: Seamlessly recovering affected files from temporary caches or backups without user intervention.
- Attack Chain Analysis: Post-detection forensics to identify the entry point and prevent similar future attacks.
- System Isolation: Automatic network disconnection to prevent lateral movement of ransomware across systems.
Protection Example: During independent testing, when ransomware samples were deliberately introduced to systems with real-time antivirus disabled, dedicated ransomware protection layers in premium security suites still detected the threats, terminated malicious processes, and restored affected files, pulling clean copies from secure backups as needed.
Selecting the Right Security Suite for Ransomware Protection
Not all security solutions offer the same level of ransomware protection. When evaluating options, prioritize:
- Dedicated Ransomware Modules: Specific functionality beyond general malware protection
- Proven Detection Rates: Independent test results specifically for ransomware detection
- Integrated Backup Capabilities: Built-in or seamlessly integrated backup solutions
- Minimal System Impact: Protection that doesn't significantly slow system performance
- Regular Updates: Frequent updates to address emerging ransomware variants
The gap between compliance and proper security is perhaps most evident in this area. While compliance frameworks might require "malware protection," they rarely specify the advanced, multi-layered approach necessary for effective defense against modern ransomware threats.
By implementing a comprehensive security suite with robust ransomware protection features, organizations move beyond checkbox compliance to develop genuine resilience against one of today's most damaging cyber threats.
Understanding Compliance in Cybersecurity: A Deeper Look
Compliance is essentially following rules set by external authorities—whether governments, industry organizations, or contractual obligations—to meet minimum security standards. These rules ensure organizations protect data and systems according to agreed-upon benchmarks.
Two Major Categories of Compliance Requirements
Mandatory Regulations
- GDPR: European data protection law with fines up to €20 million or 4% of global annual turnover, whichever is higher
- HIPAA: US healthcare data protection with civil penalties capped at roughly $1.5 million per year for violations of the same provision (the cap is adjusted for inflation), plus criminal penalties for wilful misuse
- CCPA/CPRA: California's privacy regulations with enforcement penalties
These have legal force—you must comply or face significant consequences.
Voluntary Frameworks
- NIST Cybersecurity Framework: Guidelines without direct legal penalties
- ISO 27001: A certification you can choose to pursue
- CIS Controls: Best practices you can adopt as desired
These aren't legally required, but often become de facto standards through market pressure.
The Compliance vs. Security Reality
Compliance programs often focus on:
- Documenting processes
- Implementing specific controls
- Passing periodic audits
- Meeting minimum requirements
But adequate ransomware protection and broader security require:
- Continuous threat monitoring
- Adaptive defensive strategies
- Regular testing of backups and recovery processes
- Security awareness across the organization
- Proactive threat hunting
Why Compliance Alone Falls Short
- Reactive nature: Regulations typically emerge after major incidents, always playing catch-up
- Minimum standards: Designed to establish floors, not optimal security ceilings
- Generic approach: Cannot address unique risks specific to your organization
- Point-in-time validation: Compliance checks are snapshots, while security is continuous
- False security: Can create a dangerous illusion of adequate protection against ransomware and other threats
Effective cybersecurity integrates compliance requirements as one component of a comprehensive, risk-based approach tailored to your specific organizational needs and threat landscape.
For example, despite all its nonbinding bluster, the International Counter Ransomware Initiative 2023 Joint Statement was encouraging because it showed several government entities worldwide acknowledging the ransomware problem and taking the initial steps to address it.
However, regulatory frameworks and policy initiatives alone are not enough to protect your company from severe data loss, let alone ransomware attacks.
Looking Beyond the Ransomware Protection Frameworks
Frameworks provide valuable starting points, but their universal design creates inherent limitations for individual organizations.
The Framework Paradox
- Strength: Provide standardized best practices applicable across industries
- Weakness: Cannot account for unique organizational contexts and needs
Compliance vs. Risk-Based Security
Compliance Approach
- Reactive in nature
- Designed as a universal standard
- May create a false sense of security
- Does not necessarily yield effective security outcomes
Risk-Based Approach
- Proactive while maintaining compliance
- Tailored to your specific business context
- Addresses unique threat landscape and vulnerabilities
- Considers factors outside standard framework requirements
Why Customization Matters
Each organization has different:
- Technology ecosystems
- Business operations
- Data sensitivity profiles
- Threat exposures
- Industry-specific risks
- Resource constraints
Moving Forward
The most effective security programs:
- Use frameworks as foundations, not final destinations
- Continuously evaluate specific organizational risk factors
- Adapt protections to evolving threats relevant to your business
- Balance compliance requirements with practical security needs
By developing a risk-based approach tailored to your organization, you create security that works for your context rather than merely checking compliance boxes.
For example, let’s say your SaaS company is using NIST’s cybersecurity framework. While its “protect” function covers access control and training, and you’ve implemented controls to address these requirements, human error can still creep through.
This is particularly true if a company follows these frameworks rather than applying meaningful environmental and cultural controls. Not all anti-phishing training is created equal.
Using content that aligns with your company standards, policies, and unique risks is essential. Keep in mind that human error can always happen.
Playing the Innovation Catch-Up Game
Another problem: innovation always outpaces regulation.
Sadly, this maxim doesn’t only apply to legitimate businesses — ransomware actors are innovating and moving quickly, leveraging new ways of exploiting vulnerabilities that outpace protective controls and processes.
GenAI will be gasoline on this fire.
Risk-based cybersecurity incorporates a proactive and evolutionary approach to protecting your company’s data that always seeks to improve existing controls and practices among your staff.
Compliance is a good first step on this journey, but don't stop there. You want to continually evaluate and mature your security posture, taking a risk-based approach.
Strengthening Your Cybersecurity Posture Beyond Compliance
Many companies rush to add new protection and detection tools when moving beyond compliance-based security. While these tools are important, a truly effective cybersecurity strategy requires a comprehensive defense-in-depth approach.
Look Beyond Tools and Technology
Recent high-profile breaches have one thing in common: the victims had protection and detection systems in place. Yet they still made headlines.
Ransomware Protection, Response, and Recovery
Often overlooked but critical components include:
- Incident response plans that are regularly tested and updated
- Business continuity processes that minimize operational impact
- Recovery procedures that allow for the rapid restoration of services
- Cross-functional communication protocols during crises
Defense-in-Depth Framework
A balanced approach includes:
- Prevention: Policies, access controls, network segmentation
- Detection: Monitoring, threat hunting, anomaly identification
- Response: Containment, investigation, stakeholder communication
- Recovery: Data restoration, system rebuilding, post-incident analysis
Key Ransomware Protection Questions
- How quickly could you detect a breach in your environment?
- Is your incident response plan regularly tested through tabletop exercises?
- Could you restore critical systems if ransomware encrypted your network?
- Do stakeholders know their roles during a cyber incident?
Taking this holistic view helps ensure you're prepared not just to prevent attacks but also to respond effectively when prevention inevitably fails.
Breaches and ransomware still happen, so it is essential to have strong recovery capabilities to resume operations and recover data at scale across your organization.
Often, the best place to start is by looking at your endpoint backup and recovery capabilities. This is one of the simplest and most effective ways to take the sting out of a ransomware attack.
If you have a functional cloud-based backup and recovery platform covering your business, you can be confident that your data is secured, stored off-site, and available for recovery when you need it most.
If this sounds dead simple, you might be surprised to learn how many organizations have gaps in this area due to using cloud collaboration platforms (CCPs) for primary backup and recovery of endpoint data.
For example, although SaaS applications have become standard in modern business, not even one in five companies backs up their SaaS data. CCPs rely on user behavior to back up data, and even then, there are limits on retention duration, file size, and security.
So, before taking new and innovative approaches to combating ransomware, I recommend evaluating your data resilience posture for critical gaps due to process and tool misuse.
Don’t Stop at Ransomware Protection Compliance
Compliance is a starting point and provides a framework for uniform and good ransomware protection practices. However, risk-based security and data resiliency are journeys that don’t stop with compliance. Compliance software can help with vulnerability assessments, threat intelligence, and more.
Our world is changing, technology is evolving, attackers are innovating, and threats persist. This is why security and IT teams must incorporate ongoing, risk-based approaches to develop and mature their cybersecurity and data resilience capabilities.
Subscribe to The CTO Club's Newsletter for more compliance and cybersecurity insights.