Ransomware Hardening: The Defense No One Is Using
March 25, 2026
3-minute read
In this new instalment we return to the topic of hardening. In the previous chapter we described it as closing doors, not leaving windows open, and not hiding the key under the doormat.
Today I want to ask you something: If your organization were hit by ransomware tomorrow… would you be able to tell how the attack started?
Many imagine something very sophisticated: an extremely skilled attacker, a freshly discovered zero-day, a scene out of a film. The reality is usually much simpler, and for that very reason more dangerous.
The uncomfortable truth about how ransomware attacks begin
Most ransomware attacks don't start with anything spectacular. They start with things like:
- RDP exposed to the internet
- a stolen or reused password, often on an account without MFA
- users with administrative privileges on their own machines
- endpoints with weak configurations
- remote access tools installed without any oversight
None of this is particularly sophisticated. But for an attacker, that is exactly what makes it attractive: it is cheap to find and it works reliably.
The ransomware economic model
Ransomware today operates like an industry, with specialised roles: teams dedicated to malware development, to running the intrusions, to negotiating ransoms, and to selling stolen access. The last of these are the so-called access brokers (often called initial access brokers), whose sole job is to find vulnerable organizations and sell that foothold to ransomware groups.
Why is this especially relevant in LATAM?
Because in the region there are several factors that increase risk:
- Hybrid infrastructure (on-prem + cloud + legacy)
- IT teams overwhelmed by multiple concerns
- Widespread administrative privileges
- Remote tools without governance
Every decision, no matter how small—enabling RDP, granting temporary admin rights, or installing a remote tool—seems harmless. But together they create a massive attack surface.
Hardening controls that reduce ransomware risk
Administrative privilege control
Standing administrative rights on workstations are what let a commodity infection disable security tooling, dump credentials, and move laterally. Remove local admin from day-to-day user accounts, use separate accounts for administrative work, and give every endpoint a unique local administrator password (for example with Windows LAPS) so that one stolen hash does not open the whole fleet.
RDP control
Exposed RDP remains one of the most exploited vectors in ransomware attacks. Disable it where it is not needed; where it is, require Network Level Authentication and MFA, and reach it only through a VPN or Remote Desktop Gateway, never by publishing TCP/3389 to the internet.
Governance of remote tools
Tools like AnyDesk or TeamViewer must be centrally managed so they do not become backdoors: allowlist one approved product, block the rest with application control, restrict unattended access, and log who connected, when, and to which machine.
Restriction of macros and scripts
Many attacks begin with phishing and the execution of malicious scripts. Block macros in Office files that arrive from the internet, disable macros by policy wherever they are not needed, and limit which scripts can run at all (for example with AppLocker or WDAC rules, plus PowerShell logging so that the scripts that do run leave a trail).
Secure endpoint configuration
The endpoint remains the point where credentials, malware execution, and lateral movement converge. Apply a documented baseline such as the CIS Benchmarks: SMBv1 off, LSA protection on, EDR tamper protection enabled, and no configuration exception that is not recorded and time-bound.
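The five controls above can be checked on a single endpoint with a read-only audit script. The following is an added example, not code from the original article: it runs on a Windows endpoint with PowerShell 5.1 or later from an elevated session. The registry keys and the meaning of their values are the documented Windows and Office policy settings; the list of remote-tool names is an assumption you should extend for your own environment.

```powershell
# Added example, not the article's own code: a read-only audit of the five controls
# above on a Windows endpoint (PowerShell 5.1+, run elevated). Registry keys and value
# meanings are the documented Windows and Office policy settings; the remote-tool name
# list is an assumption to extend for your environment.
$RemoteToolPatterns = 'AnyDesk', 'TeamViewer', 'ScreenConnect', 'Splashtop', 'Atera'   # assumed list

function Get-RegValue {
    # Returns $null instead of throwing when the key or value is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-RansomwareHardeningPosture {
    $findings = [System.Collections.Generic.List[string]]::new()

    # RDP control: fDenyTSConnections 0 = connections allowed; UserAuthentication 1 = NLA required.
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpEnabled   = (Get-RegValue $ts 'fDenyTSConnections') -eq 0
    $nlaRequired  = (Get-RegValue "$ts\WinStations\RDP-Tcp" 'UserAuthentication') -eq 1
    $rdpListening = [bool](Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue)
    if ($rdpEnabled -and -not $nlaRequired) { $findings.Add('RDP enabled without Network Level Authentication') }
    if ($rdpListening) { $findings.Add('TCP/3389 listening: confirm it is reachable only via VPN or RD Gateway') }

    # Administrative privilege control: anything in Administrators other than the
    # built-in account (RID 500) is standing admin and needs a justification.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $standingAdmins = @($admins | Where-Object { $_.SID.Value -notlike '*-500' } | ForEach-Object Name)
    if ($standingAdmins.Count -gt 0) { $findings.Add("Standing local admins: $($standingAdmins -join ', ')") }

    # Governance of remote tools: installed programs and services matching the pattern list.
    $uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $names = @(Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue | ForEach-Object DisplayName) +
             @(Get-Service -ErrorAction SilentlyContinue | ForEach-Object DisplayName)
    $remoteTools = @($names | Where-Object { $n = $_; $n -and ($RemoteToolPatterns | Where-Object { $n -like "*$_*" }) } |
                    Sort-Object -Unique)
    if ($remoteTools.Count -gt 0) { $findings.Add("Remote access tools present: $($remoteTools -join ', ')") }

    # Restriction of macros: per-application Office policy. VBAWarnings 3 (signed only) or
    # 4 (all disabled) and blockcontentexecutionfrominternet 1 are the hardened values.
    $macroGaps = @(foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if ((Get-RegValue $sec 'VBAWarnings') -notin 3, 4) { "$app VBAWarnings" }
        if ((Get-RegValue $sec 'blockcontentexecutionfrominternet') -ne 1) { "$app internet-macro block" }
    })
    if ($macroGaps.Count -gt 0) { $findings.Add("Macro policy gaps: $($macroGaps -join ', ')") }

    # Secure endpoint configuration: two baseline items every ransomware playbook looks at.
    $smb1   = [bool](Get-SmbServerConfiguration -ErrorAction SilentlyContinue).EnableSMB1Protocol
    $lsaPpl = (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL') -in 1, 2
    if ($smb1)        { $findings.Add('SMBv1 server protocol enabled') }
    if (-not $lsaPpl) { $findings.Add('LSA protection (RunAsPPL) not enabled') }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        CollectedAt    = (Get-Date).ToString('o')
        RdpEnabled     = $rdpEnabled
        NlaRequired    = $nlaRequired
        RdpListening   = $rdpListening
        StandingAdmins = $standingAdmins
        RemoteTools    = $remoteTools
        MacrosBlocked  = ($macroGaps.Count -eq 0)
        Smb1Enabled    = $smb1
        LsaProtection  = $lsaPpl
        Findings       = $findings.ToArray()
        Compliant      = ($findings.Count -eq 0)
    }
}

# One JSON record per endpoint, ready to be collected centrally.
Get-RansomwareHardeningPosture | ConvertTo-Json -Depth 4 | Set-Content -Path "$env:COMPUTERNAME-posture.json"
```

The script only reads; remediation (disabling RDP, removing group members, setting the policy keys) is deliberately left to your configuration-management tooling so the audit stays safe to run anywhere. The Office check covers Word, Excel, and PowerPoint under the 16.0 policy path, which applies to Office 2016, 2019 and Microsoft 365 Apps; older versions use a different version number in the path.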
How to measure ransomware resilience
Instead of asking whether you have EDR, the right questions might be:
- How many endpoints have users with administrative privileges?
- How many remote services (RDP, VPN, management consoles) are exposed to the internet?
- Which remote access tools exist in the environment, and which of them are approved?
- What percentage of endpoints match the security baseline?
These metrics describe actual posture; a list of deployed tools does not.
The real challenge: maintaining hardening
Even when hardening is implemented, something inevitable happens over time: drift, or configuration deviation. An administrator re-enables RDP for a vendor and forgets to close it, a temporary admin grant is never revoked, a policy exception becomes permanent, and the environment is permissive again. That is why hardening must be continuous: measured on a schedule against a stored baseline, with every deviation either remediated or explicitly accepted.
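Both the metrics above and the drift check can be produced from the per-endpoint posture records once they are collected centrally. The following is an added example, not code from the original article: the record shape (one object per host with the fields used below) is an assumption, and the two snapshots are constructed sample data rather than output from a real environment.

```powershell
# Added example, not the article's own code: fleet-level metrics and drift detection over
# per-endpoint posture records. The record shape (one object per host with the fields used
# below) is an assumption; the two sample snapshots are constructed for illustration.

function Get-FleetPostureMetrics {
    # Answers the four measurement questions for one snapshot of the fleet.
    param([Parameter(Mandatory)][object[]]$Records)
    $total = $Records.Count
    if ($total -eq 0) { throw 'No posture records supplied' }
    [pscustomobject]@{
        Endpoints             = $total
        PctWithStandingAdmins = [math]::Round(100 * @($Records | Where-Object { @($_.StandingAdmins).Count -gt 0 }).Count / $total, 1)
        RdpEnabledCount       = @($Records | Where-Object RdpEnabled).Count
        RdpWithoutNlaCount    = @($Records | Where-Object { $_.RdpEnabled -and -not $_.NlaRequired }).Count
        RemoteToolsInUse      = @($Records | ForEach-Object { $_.RemoteTools } | Sort-Object -Unique)
        PctBaselineCompliant  = [math]::Round(100 * @($Records | Where-Object Compliant).Count / $total, 1)
    }
}

function Get-PostureDrift {
    # Compares the current snapshot with the stored baseline host by host and emits one
    # row per field whose value changed, plus a row for hosts the baseline never saw.
    param([Parameter(Mandatory)][object[]]$Baseline, [Parameter(Mandatory)][object[]]$Current)
    $fields = 'RdpEnabled', 'NlaRequired', 'StandingAdmins', 'RemoteTools', 'MacrosBlocked', 'Smb1Enabled', 'LsaProtection'
    $base = @{}
    foreach ($r in $Baseline) { $base[$r.ComputerName] = $r }
    foreach ($cur in $Current) {
        $old = $base[$cur.ComputerName]
        if (-not $old) {
            [pscustomobject]@{ Host = $cur.ComputerName; Field = '(host)'; Baseline = ''; Current = 'not present in baseline' }
            continue
        }
        foreach ($f in $fields) {
            # Join so that arrays (admin lists, tool lists) compare as a whole.
            $before = @($old.$f) -join ','
            $after  = @($cur.$f) -join ','
            if ($before -ne $after) {
                [pscustomobject]@{ Host = $cur.ComputerName; Field = $f; Baseline = $before; Current = $after }
            }
        }
    }
}

# Constructed sample data: a clean baseline and a later snapshot in which WS-001 has drifted
# (RDP re-enabled without NLA, a vendor account added to Administrators, AnyDesk installed).
$baseline = @(
    [pscustomobject]@{ ComputerName = 'WS-001'; RdpEnabled = $false; NlaRequired = $true; StandingAdmins = @(); RemoteTools = @(); MacrosBlocked = $true; Smb1Enabled = $false; LsaProtection = $true; Compliant = $true }
    [pscustomobject]@{ ComputerName = 'WS-002'; RdpEnabled = $false; NlaRequired = $true; StandingAdmins = @(); RemoteTools = @(); MacrosBlocked = $true; Smb1Enabled = $false; LsaProtection = $true; Compliant = $true }
)
$current = @(
    [pscustomobject]@{ ComputerName = 'WS-001'; RdpEnabled = $true;  NlaRequired = $false; StandingAdmins = @('WS-001\vendor'); RemoteTools = @('AnyDesk'); MacrosBlocked = $true; Smb1Enabled = $false; LsaProtection = $true; Compliant = $false }
    [pscustomobject]@{ ComputerName = 'WS-002'; RdpEnabled = $false; NlaRequired = $true;  StandingAdmins = @(); RemoteTools = @(); MacrosBlocked = $true; Smb1Enabled = $false; LsaProtection = $true; Compliant = $true }
)

# In real use, load the collected JSON records instead of the sample data, e.g.:
#   $current = Get-ChildItem .\posture\*.json | ForEach-Object { Get-Content $_ -Raw | ConvertFrom-Json }
Get-FleetPostureMetrics -Records $current | Format-List
Get-PostureDrift -Baseline $baseline -Current $current | Format-Table -AutoSize
```

Run on a schedule, the drift table is the working list for the "continuous" part of hardening: each row is either reverted or turned into a recorded, time-bound exception, and the baseline is only updated once that decision has been made.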
In security, we often look for complex solutions, but the greatest impact usually comes from doing the basics well: closing access, reducing privileges, and controlling configurations.
Most attacks don’t require extraordinary vulnerabilities—they just need an open door.