Ransomware Defense: The Complete Playbook for 2026

#The call nobody wants to make

Monday morning. Your phone rings at 3:47 AM. It's the on-call NOC engineer. Systems are down. Not "a server is slow" down. All of them. ERP, email, file shares, VoIP, the point-of-sale at retail locations, the EHR at your clinics. Your engineer sends a screenshot. A ransom note wallpapered across every server. An onion link. A Telegram handle. A countdown.

By the time the CEO is in the office at 7 AM, the FBI tip line has already been notified by one of the sysadmins who panicked. Your insurance carrier is being notified. You're trying to figure out if your backups are also encrypted. The PR firm on retainer is asking what you want them to say to reporters who will be calling in the afternoon. Your CFO is reviewing the policy for cyber coverage limits. Your GC is reviewing state breach notification timelines. You have 4-72 hours to respond to the ransom demand before the attackers publish your data.

This is what a modern ransomware incident looks like. Every organization we've worked with through an active event tells a variation of the same story. The attack you didn't think would happen to you is happening right now.

This post is the complete ransomware defense playbook we run on engagements with mid-market organizations. Prevention. Detection. Response. Recovery. Negotiation. And the specific 2026 patterns that have evolved beyond what most defenders are prepared for.

#The 2026 ransomware economy

Before the playbook, the threat landscape.

The big groups of 2026:

• LockBit 4.0. Rebuilt after the 2024 takedown. Less prolific than peak LockBit, still active.
• Qilin. Russia-based, hospital and manufacturing focus.
• RansomHub. Ex-ALPHV affiliates consolidated under new branding.
• Play. Central European focus, telecom and government.
• Akira. Still active, US mid-market focus.
• Medusa. Education and healthcare heavy.
• Cactus. Active since 2023, specializes in VPN appliance exploitation for initial access.

Attribution gets harder as groups split, rebrand, and share TTPs. What matters isn't the group name. It's the playbook.

#The modern playbook (Q1-Q2 2026)

Phase 1. Initial access. Patterns we see most often:

• VPN / firewall appliance exploitation (Fortinet, SonicWall, Cisco ASA)
• Phishing with OAuth consent to a malicious app (bypasses MFA entirely)
• Compromised third-party credentials from an IAB
• VPN credentials bought from infostealer logs (Lumma, Raccoon, Rhadamanthys)
• Social engineering of help desk (Scattered Spider pattern)

Phase 2. Lateral movement + privilege escalation.

• Active Directory reconnaissance via BloodHound
• Domain admin compromise via Kerberoasting or abuse of misconfigured permissions
• Privileged access via password spray against service accounts
• Hypervisor compromise (vCenter / ESXi) for fastest lateral movement

Phase 3. Data exfiltration.

• Rclone or MegaSync to upload terabytes to cloud storage
• Typical exfil target: 100GB-10TB depending on organization size
• Takes 24-96 hours depending on bandwidth

Phase 4. Encryption.

• ESXi-native ransomware for infrastructure
• Host-level ransomware for Windows endpoints
• Shadow copy deletion, backup system destruction, domain controller compromise
• Encryption typically runs 4-12 hours across the environment

Phase 5. Extortion.

• Ransom note deployed
• Customer-facing extortion (threats to contact customers directly)
• Threat of publication on data leak site
• Typical negotiation window: 72 hours to 14 days

Modern ransomware is double-extortion by default. Single-extortion (encryption only) is rare in 2026. Triple-extortion (encrypt + leak + DDoS) is becoming common.

#Prevention. The high-ROI controls

You can't prevent every ransomware attempt. You can make the attacker's work expensive enough that they move on to easier targets. These are the controls that actually move the needle.

#1. Phishing-resistant MFA on every privileged access

Push-approve MFA is dead as a meaningful control. Number matching raised the floor but doesn't stop adversary-in-the-middle. FIDO2 hardware keys or platform authenticators with WebAuthn are the only MFA modalities worth deploying on privileged access in 2026.

Scope expansion. MFA on email. MFA on VPN. MFA on SSH. MFA on every cloud admin console. MFA on RDP jumphosts. Any authentication gateway should be phishing-resistant or replaced.

#2. Patch the internet-facing appliances

The FortiGate zero-day gets patched two weeks after your organization deployed it. The Cisco ASA unauth RCE comes out, and you patch it within 72 hours. The VPN vendor's advisory gets read. Every critical-severity CVE on internet-facing infrastructure is an emergency.

This is unglamorous. It's also where half the ransomware initial access starts. Maintain a 72-hour patch SLA for critical CVEs on internet-facing systems. Everything else follows a standard 30-day SLA.

#3. Email security with DMARC enforcement

\p=reject\ or \p=quarantine\ on every domain you own. Enforcement actually checked by Gmail and M365 in 2026. Business email compromise drops when DMARC is enforced.

Plus email content filtering (Proofpoint, Mimecast, M365 Defender, Abnormal). Block attachments with macros. Block emails from domains less than 30 days old. Scan attachments in sandboxes.

#4. Modern endpoint detection and response

EDR on every endpoint. Not AV. EDR. CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Palo Alto Cortex XDR.

The EDR vendor matters less than deployment. Coverage gaps (endpoints without EDR) are where attackers land and persist. The common gaps:

• Build servers and CI/CD runners
• Network appliances
• Legacy OS endpoints
• Contractor laptops
• Developer machines with admin rights

#5. Active Directory tier zero hardening

Covered in detail in our Active Directory Tier Zero post. The short version:

• Domain admin credentials only used from dedicated Privileged Access Workstations
• Tier 0 assets isolated from general network
• Service account passwords strong + rotated
• Privileged groups strictly reviewed
• Protected Users group for privileged accounts

#6. Network segmentation, specifically around the backups

The single most important segmentation is between production and backup infrastructure. Backup system lives in a different domain / different authentication / different network. Production compromise does not trivially extend to backup compromise.

Segmentation also matters between business units, between cloud workloads, between user subnets and server subnets. But the backup segmentation is existential.

#7. 3-2-1-1-0 backup strategy

Our backup strategy post covers this in depth. The five-component summary:

• 3 copies of data
• 2 different media
• 1 copy offsite
• 1 copy offline or immutable
• 0 errors on recovery validation

Immutable copy. Air-gapped copy. Tested restore. If you don't have all three, your ransomware recovery depends on the attacker's goodwill.

#8. PowerShell constrained language + logging

PowerShell is in every modern ransomware kill chain. Configuration:

• PowerShell Execution Policy: RemoteSigned or stricter
• Constrained Language Mode enforced for non-admin contexts
• Script block logging enabled (event 4104)
• Module logging enabled
• Transcription enabled for admin contexts

The logs ship to SIEM. Alert on suspicious patterns (invoke-expression with web content, base64-encoded commands, bypass attempts).

#9. Macro execution disabled in Office

Block all macros from the internet. Block all macros from unknown origin even if locally sourced. Explicit allowlist only.

M365 has this as a policy switch. Group Policy on AD-joined machines. Intune policy on MDM-managed endpoints.

#10. Privilege management on workstations

No local admin rights for end users. Elevated access via Privilege Management tools (CyberArk EPM, BeyondTrust, AdminByRequest). Auditable, time-bound, session-recorded.

#Detection. Catching the attacker before they encrypt

Prevention is a race against attacker adaptation. Detection catches what prevention misses.

#SIEM with ransomware-specific detection

Centralized log aggregation. Sigma rules for known ransomware TTPs. Specific detection use cases:

• Mass file renaming or encryption patterns
• Shadow copy deletion (\vssadmin delete shadows\)
• Event log clearing
• Backup system authentication from unexpected sources
• Rclone / MegaSync process execution
• Known ransomware command-and-control domains
• PowerShell with encoded or obfuscated commands
• WMIC or PSExec from unexpected sources
• Abnormal RDP authentication patterns

#EDR behavioral detection

Modern EDR has built-in ransomware detection. Validate it's running, tuned, and shipping to your SIEM.

#Honeypot files in critical locations

Deploy canary files in file shares that no legitimate user should touch. Alert when they're accessed or modified. Cheap, effective, catches ransomware early in the encryption phase.

#Egress monitoring

Data exfiltration precedes encryption. Monitor outbound traffic to cloud storage providers (Mega, Google Drive, Dropbox, MEGA.nz) from servers that shouldn't be uploading anything. CASB or NGFW reporting.

#AD change monitoring

New accounts in privileged groups. New GPOs. Modified AdminSDHolder. Unusual domain controller activity. All worth alerting on.

#Incident response. The playbook

An active ransomware incident is a crisis. You execute against a documented plan or you make it up as you go. The plan wins.

#Phase 1. Detection and validation (0-30 minutes)

First indicator received. Validate it's real. False alarms happen.

Roles immediately assigned:

• Incident Commander. Usually CISO or senior security lead. Single decision-maker.
• Communications Lead. Drafts internal + external communications.
• Forensic Lead. Starts preserving evidence.
• Legal Liaison. Activates legal counsel and insurance.
• Recovery Lead. Starts recovery planning.

First decisions:

• Is the incident confirmed?
• What's the blast radius?
• Who needs to know, and by when?
• Do we engage external forensic help immediately?

#Phase 2. Containment (30 minutes to 4 hours)

Goal: stop the bleeding while preserving evidence.

Containment options (pick based on blast radius):

• Network isolation of affected systems (don't shut them down, isolate)
• Block C2 domains at the firewall
• Disable compromised accounts
• Segment suspected attacker access

Don't:

• Reboot encrypted systems (kills forensic evidence)
• Delete suspicious files (destroys evidence)
• Pay the ransom before negotiation completes
• Notify the attacker before you're ready

External engagement:

• Forensic firm (Mandiant, CrowdStrike, Kroll, specialized firms)
• Outside counsel with data breach expertise
• Insurance claim opened
• Law enforcement if legally required (FBI for US ransomware, state AG for breach)

#Phase 3. Assessment (4 hours to 72 hours)

Understand what happened.

Forensic questions:

• How did the attacker get in?
• How long have they been present?
• What data did they access?
• What did they exfiltrate?
• Is the backup system affected?
• Are there persistence mechanisms remaining?

The forensic firm drives this. They produce an initial scoping within 24-48 hours and a full timeline within 1-2 weeks.

Legal questions during this phase:

• Is there PHI / PCI / PII in the exfiltrated data?
• What notification obligations are triggered?
• Are regulators required to be notified (HIPAA 60 days, SEC 4 business days for public companies, state AGs variable)?
• Is negotiation with the attacker legally permissible (OFAC sanctions check required)?

#Phase 4. Decision. Pay or don't pay

The hardest decision. No universally right answer.

Pay considerations:

• Do you have clean backups? If yes, strong bias toward not paying.
• Is the data exfiltrated uniquely damaging (customer PII, trade secrets, regulatory data)?
• Can you recover operationally without paying, even if it takes weeks?
• What's the legal risk of paying (OFAC sanctions, shareholder lawsuits)?
• What's the precedent effect?

Don't-pay considerations:

• Paying funds further attacks
• Paying doesn't guarantee decryption works
• Paying doesn't guarantee data isn't published anyway
• Ransomware payments are increasingly regulated

If paying, you must:

• Use a professional negotiator (Coveware, GroupSense, Kivu, dozens of others)
• Verify the attacker group isn't OFAC-sanctioned (legal risk)
• Negotiate the amount (initial demand is 2-3x what they'll settle for)
• Structure payment through a crypto exchange that can produce chain-of-custody documentation
• Receive the decryption tool and test it on non-critical data first

If not paying, you must:

• Have tested backups
• Have a recovery plan that matches your RTO/RPO
• Be prepared for the attacker to publish data as retaliation
• Have customer communications ready

#Phase 5. Recovery (1 day to 8 weeks)

Restoring operations. Variable by scope.

Priority order:

1. Core business functions (the revenue-critical systems)
2. Communication infrastructure
3. Financial systems
4. Customer-facing systems
5. Everything else

Recovery from backups:

• Validate backup integrity before restore
• Rebuild clean environment (don't restore into compromised infrastructure)
• Restore data, not systems (rebuild OS from known-good images)
• Scan restored systems before bringing online

Recovery without backups:

• Rebuild from scratch
• Migrate what's salvageable
• Accept data loss

#Phase 6. Post-incident (weeks 2-12)

Once operations are restored, the post-incident work:

• Forensic report finalized
• Root cause documented
• Controls updated to prevent recurrence
• Customer notifications executed per legal requirement
• Regulator notifications executed
• Insurance claim progressed
• Lessons learned documented
• IR plan updated

#The recovery timeline by organization size

Typical recovery timeline from ransomware event, assuming reasonable backup hygiene:

Small organization (50-500 employees).

• Recovery to minimum business function: 3-7 days
• Full recovery: 2-4 weeks
• Incident cost: $500K-$3M

Mid-market (500-5000 employees).

• Recovery to minimum business function: 5-14 days
• Full recovery: 4-12 weeks
• Incident cost: $2M-$15M

Enterprise (5000+ employees).

• Recovery to minimum business function: 7-30 days
• Full recovery: 8-24 weeks
• Incident cost: $10M-$100M+

Costs include business disruption, IR services, customer notifications, legal, regulatory fines, and increased insurance premiums.

#The insurance reality

Cyber insurance is still a useful backstop. But 2026 underwriting is strict.

• Premiums up 40-200% over 2020 levels
• Coverage limits reduced
• Ransomware-specific sub-limits common
• Exclusions expanded (nation-state attribution, war, systemic events)
• Coverage denial rates rising

Carriers now audit applicants more thoroughly. Your security questionnaire answers are contractual statements. Misrepresentation voids coverage.

Before relying on insurance:

• Verify your current MFA deployment matches your application
• Verify your current backup posture matches your application
• Verify your current EDR coverage matches your application
• Document any deviations and notify the carrier

Breach counsel during claim. Essential. Carriers prefer certain counsel, certain forensic firms. Coordinate early.

#Specific 2026 patterns to know about

#Affiliate drift

RaaS affiliates switch groups fast. An attacker who hit you might have been LockBit affiliate in 2024, Akira affiliate in 2025, and RansomHub affiliate in 2026. TTPs persist across the affiliate. Group attribution is less useful than technique attribution.

#VPN appliance exploitation

The most common initial access vector in 2025-2026. Fortinet FortiOS, SonicWall, Cisco ASA, Citrix NetScaler. Every month there's a new advisory. Every quarter there's a mass-exploitation campaign. If you operate a VPN appliance, you need to be on top of advisories within 72 hours.

#Help desk social engineering

Scattered Spider's signature move. They call the help desk, claim to be a locked-out executive, convince the operator to reset MFA or the password. Defense: help desk procedures require callback verification, manager approval for privileged account modifications, video verification for C-suite accounts.

#Cloud-tenant ransomware

Not encrypting files. Encrypting cloud tenants. Deleting cloud resources. Disabling cloud admin access. AWS, Azure, GCP accounts compromised and ransomed directly. Recovery is harder than traditional file encryption because there's no backup to restore to if the cloud tenant is destroyed.

#Backup-system targeting

Attackers spend 1-14 days in the environment specifically looking for backup infrastructure. Veeam servers. Commvault. Cohesity. They don't encrypt production until they've destroyed or encrypted the backups. Backup segmentation + immutability is survival.

#Running an exercise before you need one

The tabletop is the playbook test. Every covered entity, every financial firm, every CMMC contractor, every SaaS vendor with a compliance program should run one annually. The gap between the paper plan and the actual response is always bigger than leadership expects.

Typical tabletop structure:

• 3-4 hours
• Incident Commander, Communications Lead, Forensic Lead, Legal, Recovery Lead all present
• Scenario injected in phases (initial detection, containment decisions, payment decision, recovery)
• After-action review identifies gaps
• Plan updated, exercise re-run in 6-12 months

We run these as part of most engagements. The before-and-after comparison is always significant. An organization that hasn't tabletop'd in two years is not ready. An organization that runs quarterly tabletops recovers measurably faster.

#Working with us

We run ransomware readiness engagements focused on prevention, detection, and response preparation. We are not incident response first-responders (we don't staff a 24/7 SOC for active events). We're the firm you call before you need an IR firm.

The readiness engagement covers:

• Gap analysis against the ransomware control framework
• Backup architecture review
• IR plan development or refresh
• Tabletop exercise facilitation
• Segmentation + PAM assessment
• Insurance application review

For active ransomware events, we have partner relationships with specialized IR firms who handle active response. We'll make the introduction.

Valtik Studios, valtikstudios.com.