
Ransomware protection: how to protect your company from attacks

NeoBit team · Jun 15, 2026 · 9 min read

Ransomware protection means a layered defense that stops attackers from encrypting your data and, if they do get through, lets you recover quickly. Three things matter most: verified offline backups that an attacker cannot delete, multi-factor authentication (MFA) on all remote access, and regular patching of vulnerabilities. On top of that come network segmentation, monitoring for suspicious activity, and a recovery plan prepared in advance.


Ransomware is a type of malicious software that encrypts files or entire systems, after which the attacker demands a ransom (most often in cryptocurrency) for the decryption key. In recent years, so-called double extortion has become dominant: attackers first steal the data, and only then encrypt it, so they can also blackmail you by threatening to publish confidential information if you refuse to pay. For companies and businesses in Bosnia and Herzegovina and the wider region, this means that even the best backup is no longer enough on its own. Defense across multiple layers is required.

How ransomware gets into a company

For ransomware protection to make sense, you need to understand how attackers get in. In practice, it usually comes down to a few well-known entry points:

  • Phishing emails: an infected attachment or link that tricks an employee into running malicious code or handing over a password.
  • Exposed remote access: RDP or VPN without MFA, with weak or leaked passwords, is a classic way in.
  • Unpatched vulnerabilities: publicly accessible servers, VPN devices or applications with known flaws that attackers exploit within days of a patch being released.
  • Compromised credentials: passwords bought on the black market or obtained through an earlier data breach.
  • Supply chain: an attack through software or a partner that your network trusts.

A typical attack does not happen in a second. After the initial breach, the attacker moves through the network for days, escalates privileges, disables security tools, and looks for backups to destroy them before launching encryption. That window of a few days is exactly the opportunity for detection, if you have monitoring in place.

Warning signs before encryption

Many attacks give off quiet early signals that can be spotted before the damage is done. Act on them immediately rather than dismissing them as a random glitch:

  • Unexpected shutdown or disabling of antivirus, EDR or Windows Defender.
  • New administrator accounts that no one knowingly created.
  • Logins to the system at unusual hours or from unknown locations.
  • The appearance of remote access or network scanning tools that the company does not use.
  • A sudden spike in disk activity, or the deletion of Volume Shadow Copies (for example via vssadmin delete shadows), which attackers use to remove local recovery points before encrypting.

If you notice any of the above, isolating the affected device from the network takes priority over everything else. Those few minutes can be the difference between a single infected computer and the entire company at a standstill.
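
As an added illustration (not NeoBit's tooling and not a detection rule from this page), the following Python script checks the signals above against a handful of constructed log lines in a JSON shape loosely modelled on Windows Security and Sysmon events. The field names, the event-ID mapping, the business-hours window and the list of tools the company "does not use" are assumptions you would replace with your own environment's values.

```python
"""Early-warning checks for the pre-encryption signals listed above.

Added example, not NeoBit's tooling. Runs over constructed JSON log lines
loosely modelled on Windows Security / Sysmon events. Field names, the
event-ID mapping, the business-hours window and the tool deny-list are
assumptions to adapt to your own environment.
"""
import json
import re
from datetime import datetime

# Commands used to destroy recovery points before encryption starts.
RECOVERY_DESTRUCTION = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|bcdedit(\.exe)?\s.*recoveryenabled\s+no"
    r"|wbadmin(\.exe)?\s+delete\s+catalog",
    re.IGNORECASE,
)
# Attempts to switch off Defender or its service.
DEFENDER_TAMPER = re.compile(
    r"Set-MpPreference\s.*-Disable(RealtimeMonitoring|IOAVProtection)"
    r"|\bsc(\.exe)?\s+(stop|config)\s+\S*(defend|sense)",
    re.IGNORECASE,
)
# Remote-access / scanning tools this (assumed) company does not use.
UNAPPROVED_TOOLS = {
    "anydesk.exe", "teamviewer.exe", "advanced_ip_scanner.exe",
    "psexec.exe", "mimikatz.exe",
}
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time (assumption)


def analyse(event: dict) -> list[str]:
    """Return human-readable findings for one event (empty list if benign)."""
    findings = []
    eid = event.get("EventID")
    cmd = event.get("CommandLine", "")
    image = (event.get("Image") or "").rsplit("\\", 1)[-1].lower()

    if eid in (1, 4688):                      # Sysmon / Security: process created
        if RECOVERY_DESTRUCTION.search(cmd):
            findings.append(f"shadow copy / recovery destruction: {cmd}")
        if DEFENDER_TAMPER.search(cmd):
            findings.append(f"security tool tampering: {cmd}")
        if image in UNAPPROVED_TOOLS:
            findings.append(f"unapproved tool executed: {image}")
    elif eid == 5001:                         # Defender: real-time protection disabled
        findings.append("Windows Defender real-time protection disabled")
    elif eid == 4720:                         # user account created
        findings.append(f"new account created: {event.get('TargetUserName')}")
    elif eid == 4732 and event.get("TargetUserName", "").lower() == "administrators":
        findings.append(f"member added to Administrators: {event.get('MemberSid')}")
    elif eid == 4624 and event.get("LogonType") in (3, 10):   # network / RDP logon
        when = datetime.fromisoformat(event["TimeCreated"])
        if when.hour not in BUSINESS_HOURS:
            findings.append(
                f"remote logon outside business hours: "
                f"{event.get('TargetUserName')} from {event.get('IpAddress')} at {when:%H:%M}"
            )
    return findings


def scan(lines) -> list[tuple[str, str]]:
    """Run analyse() over raw JSON lines; returns (host, finding) pairs."""
    results = []
    for line in lines:
        event = json.loads(line)
        results.extend((event.get("Computer", "?"), f) for f in analyse(event))
    return results


# Constructed sample log: seven suspicious events and two benign ones.
SAMPLE_LOG = [
    r'{"Computer":"WS-12","EventID":1,"Image":"C:\\Windows\\System32\\vssadmin.exe","CommandLine":"vssadmin.exe delete shadows /all /quiet","TimeCreated":"2026-06-14T02:41:07"}',
    r'{"Computer":"WS-12","EventID":4688,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true","TimeCreated":"2026-06-14T02:40:51"}',
    r'{"Computer":"WS-12","EventID":5001,"TimeCreated":"2026-06-14T02:40:52"}',
    r'{"Computer":"DC-01","EventID":4720,"TargetUserName":"svc_backup2","SubjectUserName":"jdoe","TimeCreated":"2026-06-14T02:35:10"}',
    r'{"Computer":"DC-01","EventID":4732,"TargetUserName":"Administrators","MemberSid":"S-1-5-21-1004336348-1177238915-682003330-1105","TimeCreated":"2026-06-14T02:35:12"}',
    r'{"Computer":"DC-01","EventID":4624,"LogonType":10,"TargetUserName":"jdoe","IpAddress":"203.0.113.7","TimeCreated":"2026-06-14T03:12:55"}',
    r'{"Computer":"DC-01","EventID":4624,"LogonType":10,"TargetUserName":"jdoe","IpAddress":"10.0.5.21","TimeCreated":"2026-06-12T09:15:03"}',
    r'{"Computer":"WS-07","EventID":1,"Image":"C:\\Users\\jdoe\\Downloads\\AnyDesk.exe","CommandLine":"AnyDesk.exe --silent","TimeCreated":"2026-06-13T23:58:40"}',
    r'{"Computer":"WS-07","EventID":1,"Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe report.txt","TimeCreated":"2026-06-12T10:02:11"}',
]


def scan_sample() -> list[tuple[str, str]]:
    return scan(SAMPLE_LOG)


if __name__ == "__main__":
    for host, finding in scan_sample():
        print(f"[{host}] {finding}")
```

Run as-is it prints seven findings for the sample: three on WS-12 (shadow copy deletion, Defender tampering via Set-MpPreference, event 5001), three on DC-01 (new account, member added to Administrators, an RDP logon at 03:12 from an external address) and one on WS-07 (AnyDesk launched from a Downloads folder). The 09:15 RDP logon and the notepad launch produce nothing. In practice you would feed this from your SIEM or EDR rather than a file, and the point is the grouping: several of these signals on one host within minutes is the moment to isolate it.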

Seven layers of defense against ransomware

No single measure stops ransomware completely. The strength lies in combining layers, where each one catches what the previous one missed.

1. The 3-2-1 backup rule (and at least one offline copy)

The 3-2-1 rule means: three copies of the data, on two different media, one of which is off-site. With ransomware, the key is that at least one copy is immutable or physically separated (offline), because modern attackers deliberately seek out and delete network-accessible backups. It is equally important to test recovery regularly. A backup you have never restored is in practice only an assumption, not an insurance policy.
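
The recovery test in the paragraph above is something you can automate. The following Python script is an added example (not NeoBit's code and not any backup product's API): at backup time it writes a SHA-256 manifest meant to be kept with the offline or immutable copy; a test restore then unpacks the archive into a scratch directory and checks every file against that manifest, so an archive that was silently overwritten, truncated or "encrypted" on the online backup share is caught before you depend on it. The file tree, archive name and tampering scenario are constructed for the demo.

```python
"""Automated test restore with manifest verification.

Added example, not NeoBit's code. A SHA-256 manifest is written at backup
time (keep it with the offline / immutable copy); verify_restore() unpacks
an archive into a scratch directory and compares every file against that
manifest, so tampering with the online copy shows up as missing/corrupt
files. Paths, file contents and the tampering scenario are constructed.
"""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, archive: Path) -> Path:
    """Tar+gzip the source tree; write a manifest {relative path: sha256}."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            manifest[rel] = sha256_file(file)
            tar.add(file, arcname=rel)
    manifest_path = archive.parent / (archive.name + ".manifest.json")
    manifest_path.write_text(json.dumps(manifest, indent=1))
    return manifest_path


def verify_restore(archive: Path, manifest_path: Path) -> dict:
    """Restore into a throw-away directory and verify against the manifest."""
    manifest = json.loads(manifest_path.read_text())
    report = {"ok": False, "restored": 0, "missing": [], "corrupt": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            if hasattr(tarfile, "data_filter"):      # Python >= 3.12 and security backports:
                tar.extractall(dest, filter="data")  # refuses path traversal in archive entries
            else:
                tar.extractall(dest)
        restored = {p.relative_to(dest).as_posix(): p for p in dest.rglob("*") if p.is_file()}
        for rel, expected in manifest.items():
            path = restored.pop(rel, None)
            if path is None:
                report["missing"].append(rel)
            elif sha256_file(path) != expected:
                report["corrupt"].append(rel)
            else:
                report["restored"] += 1
        report["unexpected"] = sorted(restored)   # files present but not in the manifest
    report["ok"] = not (report["missing"] or report["corrupt"])
    return report


def demo() -> tuple[dict, dict]:
    """Clean backup + restore test, then the same check after the online copy is damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "fileserver"
        for rel, text in {                       # constructed sample data
            "finance/ledger.csv": "date,amount\n2026-06-01,1200\n",
            "hr/contracts.txt": "contract A\n",
            "notes.txt": "hello\n",
        }.items():
            (source / rel).parent.mkdir(parents=True, exist_ok=True)
            (source / rel).write_text(text)
        archive = root / "backup-2026-06-14.tar.gz"
        manifest = create_backup(source, archive)
        clean = verify_restore(archive, manifest)

        # Simulate ransomware reaching the file server and the online backup share:
        # one file is "encrypted" (random bytes), one is deleted, and the nightly job
        # overwrites the archive. The manifest on the offline copy is untouched.
        (source / "finance/ledger.csv").write_bytes(os.urandom(64))
        (source / "hr/contracts.txt").unlink()
        with tarfile.open(archive, "w:gz") as tar:
            for file in source.rglob("*"):
                if file.is_file():
                    tar.add(file, arcname=file.relative_to(source).as_posix())
        tampered = verify_restore(archive, manifest)
    return clean, tampered


if __name__ == "__main__":
    for label, rep in zip(("clean", "tampered"), demo()):
        print(label, json.dumps(rep))
```

The clean run reports all three files restored; the tampered run flags ledger.csv as corrupt and contracts.txt as missing, which is exactly the report you want to see in a scheduled job long before an incident. Two design points carry over to real tooling: the manifest must not sit on the same share as the archive (an attacker who can rewrite the backup can rewrite a manifest next to it), and the restore must go to a scratch location, never over production, so the test itself cannot cause damage.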

2. Multi-factor authentication on everything facing the internet

MFA on VPN, RDP, email and administrator accounts is one of the measures with the best cost-to-benefit ratio. A large share of attacks begins with a stolen password, and MFA makes that theft almost worthless. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) or at least push notifications with number matching, since attackers do try to get past weaker MFA with prompt-bombing and real-time phishing proxies. If a remote access service does not support MFA, that is in itself a vulnerability that needs to be resolved.

3. Regular patching and vulnerability management

Attackers systematically scan the internet looking for unpatched systems. Define deadlines for patches (for example, critical vulnerabilities within a few days) and pay special attention to internet-facing devices such as VPN gateways, firewalls, and mail and web servers. A periodic penetration test will show you which vulnerabilities an attacker can actually exploit, not just what theoretically exists.

4. Network segmentation

If the entire network is one flat space, a single compromised computer opens the path to everything. By separating servers, workstations, backup infrastructure and any OT/production network, you limit how far an attacker can spread. Isolate the backup environment in particular, since it should not be accessible from an ordinary user account.

5. The principle of least privilege

Users and services should have only as many rights as they genuinely need. Local administrator access on every computer and oversized domain administrators are the main fuel for ransomware spreading. Separate administrative and everyday accounts, and remove unnecessary privileges.

6. EDR and 24/7 monitoring

Traditional antivirus is no longer enough. EDR (Endpoint Detection and Response) monitors behavior on devices and catches suspicious activity such as mass encryption or the disabling of security tools. But a tool without people to respond has limited reach, and attacks increasingly happen at night and on weekends. This is where SOC and MDR monitoring helps, watching alerts in real time and stopping an attack while it is still in an early stage.

7. Employee training

People are still the most common entry point. Short, regular training on phishing and simulated phishing tests measurably reduce the number of employees who click on a dangerous link. It is equally important that employees know who to report a suspicious email to and how, without fear of consequences.

Priorities: where a company should start

None of the above needs to be introduced all at once. A sensible approach is to start with the measures that reduce risk the most at the lowest cost, and only then build out more advanced layers. The following table gives a rough order based on the effect-to-effort ratio. It is a useful framework for a small or medium-sized company in Mostar, or anywhere in the region, that is starting from scratch.

Measure                                      Effect on risk    Effort to implement   Priority
Offline / immutable backup + recovery test   Very high         Medium                1
MFA on remote access                         Very high         Low                   1
Patching exposed systems                     High              Medium                2
EDR + monitoring / MDR                       High              Medium                2
Employee training                            Medium            Low                   2
Network segmentation                         Medium to high    Higher                3

A plan for when an attack happens (incident response)

Assuming an attack will never happen is a poor strategy. Prepare a plan while things are calm, because in the middle of an incident there is no time to improvise. A good recovery plan includes:

  • Clear roles and contacts: who decides, who isolates systems, which external partner and lawyer to call.
  • Isolation: disconnecting infected systems from the network to stop the spread, without an abrupt shutdown that destroys forensic evidence.
  • Communication: internal and external messaging, and reporting to the competent authorities where it is mandatory.
  • Recovery from backup: from a verified clean copy, following a pre-tested order for restoring systems.
  • Root cause analysis: so the same entry point can be closed and the attack does not recur.

On paying the ransom: the general view is that payment should not be the first choice. There is no guarantee you will get a working key, you finance further crime, and in some cases payment also carries legal risks. A verified backup and a good recovery plan are the best negotiating position you can have. If an incident has already happened to you, a fast response is decisive, so seek help with incident response by getting in touch with the NeoBit team.

An action plan for the first 30 days

If you are just getting started, here is a concrete order of steps a company can complete in a month without a large budget. The goal is to close the most dangerous gaps in a short time:

  • Week 1: list all internet-facing access points (VPN, RDP, mail, web) and enable MFA wherever possible. Disable whatever you genuinely do not need.
  • Week 2: check your backups. Is there an offline or immutable copy, and can you actually restore it. Perform a test restore of a few key systems.
  • Week 3: patch critical vulnerabilities on exposed devices and review who has administrative privileges. Remove unnecessary local administrators.
  • Week 4: write a basic recovery plan with roles and contacts, and hold a short employee training session on phishing.

Even these few steps significantly raise resilience. Beyond them come ongoing processes, such as continuous monitoring, regular testing and periodic security assessment, which turn a one-time effort into a sustainable defense.

How NeoBit helps companies in Bosnia and Herzegovina

NeoBit, based in Mostar, covers the entire ransomware protection cycle, from checking how exposed you are, through continuous monitoring, to responding when the alarm goes off. Through penetration testing we show which vulnerabilities an attacker can actually exploit, with the Guardian 360 SOC (MDR) service we monitor your environment 24/7, and through incident response and ISO 27001 preparation we help make security a sustainable process rather than a one-off tool purchase. If you are not sure where you stand, a good starting point is the short penetration testing questionnaire, which helps us understand your environment and propose the next step.

Frequently asked questions

What is ransomware and how does it attack a company?

Ransomware is malicious software that encrypts files or entire systems and then demands a ransom for their decryption. It most often enters a company through a phishing email, exposed remote access without MFA, or an unpatched vulnerability. Modern attacks often also involve stealing data before encryption, so the attacker also threatens to publish confidential information.

What is the most important ransomware protection measure?

There is no single magic measure, but two carry the most weight: a verified offline or immutable backup that the attacker cannot delete, and multi-factor authentication on all remote access. A backup lets you recover without paying, while MFA blocks the most common way in, which is a stolen password. The best result comes from combining multiple layers of defense.

Should a company pay the ransom after a ransomware attack?

The general expert view is that payment should not be the first choice. There is no guarantee you will get a working key, by paying you finance further crime, and in some cases there are also legal risks. A verified backup and a pre-tested recovery plan are the best alternative to paying. If an incident occurs, bring in incident response specialists as soon as possible.

Can a small company in Bosnia and Herzegovina afford ransomware protection?

Yes. The most effective measures, such as MFA, regular patching, offline backup and employee training, are relatively low cost and reduce risk the most. More advanced layers such as EDR and 24/7 monitoring can be obtained by a small or medium-sized company through an external MDR service, without building its own security team. A sensible approach is to start with the measures that have the greatest effect and gradually add the rest.

Related guides: Cyber security in Bosnia and Herzegovina - the complete guide · Protection against hacker attacks - 10 steps for companies · How to recognize a phishing attack - a guide for employees