
How to Stop Ransomware Before It Disrupts Operations

Published May 19, 2026

Active ransomware groups surged 49% year over year in 2025, leading to record-high ransomware victim postings in Q4 of last year. Meanwhile, the average cost of a ransomware attack now exceeds $5 million, but the indirect toll is much higher.  

Organizations typically face business disruptions lasting more than three weeks from ransomware attacks as adversaries target the systems that underpin business continuity, like patient scheduling platforms, production lines, supply chains, or financial processing infrastructure. As a result, 86% of cyber incidents now cause operational downtime, reputational damage, or both. In the age of AI-accelerated attacks, it will only get harder for defenders to reactively contain ransomware threats.  

When downtime is a deliberate ransomware campaign tactic – not a side effect – security teams need to break the attack sequence before the damage is done. We’ll walk through how ransomware attacks typically unfold, identify the key inflection points for protecting business continuity, and outline the controls organizations can implement to proactively prevent the spread of ransomware.  

How Modern Ransomware Attacks Drive Operational Downtime: Real-World Examples  

The shift to deliberate operational disruption is documented across recent high-profile attacks. These incidents share a consistent pattern: attackers cause disruption by moving freely through the network until they reach the systems organizations can least afford to lose. 

Four recent disruptive ransomware attacks that illustrate this trend:

  1. Jaguar Land Rover (2025): A hacker group calling itself “Scattered Lapsus$ Hunters” claimed responsibility for an attack against the luxury car manufacturer that ultimately cost roughly $2.8 billion. The group leveraged social engineering and credential theft to gain initial network access, then moved laterally, escalating privileges until they reached critical infrastructure. Global production was halted for weeks with the attack’s ripple effects even impacting the broader UK economy – a reminder that operational disruption in manufacturing cascades across supplier and customer relationships in ways that are often difficult to fully quantify. 
  2. Kettering Health (May 2025): The Interlock ransomware group targeted Kettering Health, a system responsible for 14 medical centers and dozens of clinics across Ohio. Attackers knocked critical clinical systems offline before exfiltrating sensitive patient data – forcing staff to cancel procedures, turn away patients, and revert to manual processes. Less than a month after the attack, a class-action lawsuit was filed alleging that patients missed scheduled treatments and were unable to access prescriptions as a result of the disruption.  
  3. Asahi Group Holdings (October 2025): The Qilin ransomware gang used stolen credentials for initial network access, then relied on native administrative tools to move laterally, execute remote code, and establish persistence – all without triggering detection. The result was widespread operational disruption across one of Japan's largest beverage manufacturers, causing nationwide product shortages.  
  4. Marks & Spencer (2025): The retailer’s online operations were disrupted for weeks following a ransomware attack carried out by the DragonForce group, ultimately costing an estimated $400 million in lost profit and additional expenses. The damage extended well beyond the immediate incident: supply chain disruption, customer trust erosion, and sustained reputational impact compounded the financial toll over months. 

The through-line across these incidents? Regardless of how they gained an initial foothold, ransomware groups were able to move laterally across the network with little to no friction. On the other hand, attackers who are contained at their initial entry point cannot reach patient scheduling platforms, production systems, or financial infrastructure – this is precisely why preventing ransomware requires preventing lateral movement.  

Ransomware Attack Stages: Reconnaissance to Ransom Demand 

Like most cyber incidents, ransomware attacks typically occur in six stages: reconnaissance, infection, escalation, scanning, deployment (encryption), and ransom. Understanding what happens at each stage – and where security teams can effectively intervene to protect business continuity – is key to avoiding ransomware-related operational disruption.

Stage 1: Reconnaissance 

Attackers start by studying the environment before taking visible action – to whatever extent possible, they identify high-value assets, map network dependencies, and locate the operational chokepoints that would cause maximum disruption if taken offline. As attackers increasingly leverage AI, this activity is happening more quickly and quietly than ever. However, a closed-by-default network architecture meaningfully reduces what attackers can see and enumerate, making it harder for ransomware groups to pinpoint critical assets.  

Stage 2: Infection  

Ransomware actors most commonly gain initial access through phishing, vulnerability exploitation, or stolen credentials. The credential-based entry path is particularly dangerous: when attackers log in rather than break in, legitimate credentials bypass perimeter defenses entirely and the intrusion looks like normal user activity, allowing hackers to live off the land undetected. Meanwhile, AI-driven vulnerability discovery via tools like Mythos and Daybreak is making it easier for attackers to uncover and exploit vulnerabilities at machine speed. While security teams have to assume breaches will occur, proactively reducing the attack surface by dynamically closing privileged ports with just-in-time (JIT) MFA, implementing granular network segmentation, and applying identity-based controls helps minimize exposure.

Stage 3: Escalation and Lateral Movement  

After establishing a foothold, attackers work to expand their access – moving laterally through the environment, escalating privileges, and positioning themselves to reach the systems that underpin operations. This is where the operational impact of an attack is largely decided. In this era of AI-accelerated attacks, threat actors can begin moving laterally in as little as 27 seconds, and a single compromised system exposes 85% of the typical environment within one hop. Fortunately, this link in the attack chain represents the primary window of opportunity for defenders to intervene. Controls that structurally limit unauthorized movement, like identity-driven microsegmentation, can prevent attackers from turning a minor foothold into an enterprise-wide crisis.

Stage 4: Scanning 

With broader access established, attackers have the internal network visibility that reconnaissance could only approximate. Rather than mapping the environment from the outside, threat actors with elevated access across systems and no perimeter standing in the way can more effectively scan for high-value targets at this stage. The malware enumerates the environment at a granular level, identifying specific files, directories, databases, and connected systems to target in the deployment phase. Backup and recovery infrastructure, shadow copies, and other disaster recovery systems are often deliberately sought out at this stage. Least-privilege access controls and microsegmentation that isolates backup infrastructure help limit what any compromised account can see and reach.

Stage 5: Deployment 

Most ransomware attacks culminate in payload deployment – but the ransomware itself is only part of what makes this stage so damaging. Attackers execute on everything that scanning revealed: deploying the payload, deleting backups, locking out administrators, and exfiltrating data, often simultaneously. The combined effect is deliberate operational disruption with no clear recovery option, maximizing the pressure on organizations to pay. But when controls are enforced to prevent escalation and lateral movement, they directly limit the scope of damage in this final phase. An attacker who cannot move laterally or ride privileged access to critical resources would have already hit a dead end.

Stage 6: Ransom 

With operations disrupted and recovery options potentially compromised, attackers demand payment, typically combining ransom demands with threats of data exposure and public naming. Downtime adds clear pressure: organizations facing operational paralysis pay more, and faster. Even those with intact backups are likely to face long recovery timelines, and every hour of downtime comes at a hefty cost. Organizations that architect for containment with microsegmentation, identity-based controls, and just-in-time MFA break the attack sequence before disruption and ransom demands occur. 

How to Stop Ransomware from Spreading: Best Practices to Break the Attack Chain  

Detection-based security strategies identify threats after malicious activity is already underway. But when lateral movement begins in seconds and it still takes months to detect the average breach, security teams need to build containment into the network architecture, proactively blocking the spread of ransomware before initial access even occurs. Prioritizing these four approaches allows organizations to build and maintain a proactive ransomware defense posture:  

1. Microsegmentation: Block Lateral Movement to Stop Ransomware Attacks Before They Escalate  

Comprehensive microsegmentation locks down the default pathways that ransomware attackers leverage to escalate a minor foothold, ensuring communication between assets must be explicitly permitted by policy. When no implicit trust exists between systems, ransomware attacks are stranded at the initial entry point with no path forward. A compromised endpoint cannot reach a domain controller or other critical infrastructure, and an infected workstation cannot communicate with backup infrastructure. The blast radius of any breach is structurally constrained to the initial point of compromise – no detection and response workflow required. 

2. Identity-Based Access Controls: Enforce the Principle of Least Privilege Everywhere  

Microsegmentation governs what can be reached; granular identity-based access controls govern who (or what) can reach it, and under what circumstances. Stolen credentials are, by definition, legitimate – perimeter defenses cannot distinguish a threat actor authenticating with a valid password from the real user, and detection-based tools aren’t designed to identify an attacker masquerading as a legitimate identity. The solution? Apply narrowly scoped access controls on top of a tightly segmented architecture. Identity-based access controls that enforce least-privilege access at the network layer ensure every identity – human or machine – can only reach the assets that are operationally necessary so stolen credentials are no longer an all-access pass for ransomware groups.  

3. Just-in-Time MFA at the Network Layer: Close the Privilege Escalation Highway 

Persistent privileged access is one of ransomware's most reliable pathways to operational systems. JIT MFA replaces standing privilege with time-bound, purpose-bound access, eliminating the broad, always-on permissions that attackers inherit when they compromise a privileged account. Network-layer MFA even allows security teams to enforce verification at the protocol level itself: RDP, SMB, WinRM, and SSH – the protocols that more than 70% of threat activity flows through – should all require real-time authentication before temporary access is granted.  

4. Automated Policy Creation and Enforcement: Build an Adaptive Ransomware Defense  

In dynamic environments where new systems come online, workloads shift, and access requirements change continuously, a defense that requires manual upkeep will develop gaps – ransomware groups will only become more adept at finding them in this era of AI-accelerated attacks. With a deterministic, human-on-the-loop automation engine powering policy creation and enforcement, controls adapt in lockstep with the network: continuously learning real behavior, enforcing least-privilege access based on what is actually happening in the environment, and updating policies as conditions change. In turn, organizations can craft a dynamic defense that keeps the network protected regardless of how quickly it evolves – no policy lag, no misconfiguration windows, and no gaps for ransomware to slip through. 
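The following Python model is an added example, not code from this post or from Zero Networks; it ties together the four practices above and the Stage 3 containment point: a closed-by-default policy whose allow rules are learned only from observed traffic, rules scoped to a specific identity and source host, and time-bound JIT grants gating the RDP, SMB, WinRM and SSH protocols named in practice 3. Every host name, identity, port and baseline flow is constructed for the example; `reachable()` reports the one-hop blast radius a compromised identity has under the resulting policy.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# The four protocols the post singles out; access over them is allowed only
# while a time-bound JIT MFA grant is active for that identity and target.
PRIVILEGED_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM"}


@dataclass(frozen=True)
class Flow:
    identity: str  # human or machine identity initiating the connection
    src: str       # originating host
    dst: str       # target asset
    port: int      # destination port, used here as a stand-in for the protocol


@dataclass(frozen=True)
class JitGrant:
    identity: str
    dst: str
    port: int
    expires: datetime


class SegmentationPolicy:
    """Closed-by-default model: a flow passes only if it matches a rule learned
    from observed traffic and, for privileged protocols, a JIT grant is active."""

    def __init__(self) -> None:
        self.rules: set[tuple[str, str, str, int]] = set()
        self.grants: list[JitGrant] = []

    def learn(self, observed: list[Flow]) -> None:
        # Learning phase: only traffic that actually occurred becomes an allow rule.
        for f in observed:
            self.rules.add((f.identity, f.src, f.dst, f.port))

    def grant_jit(self, identity: str, dst: str, port: int,
                  now: datetime, minutes: int = 60) -> None:
        # In a real deployment this would follow a successful MFA challenge.
        self.grants.append(JitGrant(identity, dst, port, now + timedelta(minutes=minutes)))

    def _grant_active(self, f: Flow, now: datetime) -> bool:
        return any(g.identity == f.identity and g.dst == f.dst
                   and g.port == f.port and now < g.expires for g in self.grants)

    def evaluate(self, f: Flow, now: datetime) -> tuple[bool, str]:
        if (f.identity, f.src, f.dst, f.port) not in self.rules:
            return False, "deny: no learned rule (closed by default)"
        if f.port in PRIVILEGED_PORTS and not self._grant_active(f, now):
            return False, f"deny: {PRIVILEGED_PORTS[f.port]} needs an active JIT MFA grant"
        return True, "allow"

    def reachable(self, identity: str, src: str, now: datetime) -> set[str]:
        """One-hop blast radius: assets this identity can reach from this host right now."""
        return {dst for (ident, s, dst, port) in self.rules
                if ident == identity and s == src
                and self.evaluate(Flow(ident, s, dst, port), now)[0]}


def build_policy() -> tuple[SegmentationPolicy, datetime]:
    t0 = datetime(2026, 5, 1, 9, 0)
    # Constructed baseline of normal traffic seen during the learning window.
    baseline = [
        Flow("alice", "ws-01", "fileserver", 445),
        Flow("alice", "ws-01", "intranet", 443),
        Flow("svc-backup", "backup-01", "fileserver", 445),
        Flow("admin-bob", "jump-01", "dc-01", 3389),
    ]
    policy = SegmentationPolicy()
    policy.learn(baseline)
    return policy, t0


def run_scenario() -> dict[str, tuple[bool, str]]:
    policy, t0 = build_policy()
    r = {}
    # Compromised workstation probing backup infrastructure: never observed, so no rule.
    r["ws_to_backup"] = policy.evaluate(Flow("alice", "ws-01", "backup-01", 445), t0)
    # Stolen credentials of the real user on the real path: rule exists, but SMB is gated by JIT MFA.
    r["ws_to_fileserver_no_mfa"] = policy.evaluate(Flow("alice", "ws-01", "fileserver", 445), t0)
    # Routine HTTPS to the intranet: learned and not privileged.
    r["ws_to_intranet"] = policy.evaluate(Flow("alice", "ws-01", "intranet", 443), t0)
    # Stolen admin credentials used from the workstation rather than the jump host.
    r["ws_to_dc_as_admin"] = policy.evaluate(Flow("admin-bob", "ws-01", "dc-01", 3389), t0)
    # Legitimate admin completes MFA: RDP to the DC is allowed inside the window only.
    policy.grant_jit("admin-bob", "dc-01", 3389, t0, minutes=30)
    r["jump_to_dc_in_window"] = policy.evaluate(Flow("admin-bob", "jump-01", "dc-01", 3389), t0 + timedelta(minutes=10))
    r["jump_to_dc_expired"] = policy.evaluate(Flow("admin-bob", "jump-01", "dc-01", 3389), t0 + timedelta(minutes=45))
    return r


def compromised_workstation_reach() -> set[str]:
    # What alice's stolen identity can reach from ws-01 with no JIT grant active.
    policy, t0 = build_policy()
    return policy.reachable("alice", "ws-01", t0)


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenario().items():
        print(f"{name:26} {reason}")
    print("one-hop reach from ws-01 as alice:", compromised_workstation_reach())
```

Two design points matter here. Rules carry the source host as well as the identity, so a valid credential replayed from a host it was never seen on is denied even though the credential itself is legitimate. And privileged protocols are denied by default even when a learned rule exists; the grant is what opens the port, and it closes again on expiry without any policy change.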

Block Ransomware Attacks in Real Time: Building a Cyber Resilient Architecture with Zero Networks  

Speed, stealth, and lateral movement are ransomware's greatest weapons; by the time most organizations detect a threat, the window to avoid business impact has already closed. Zero Networks protects what organizations can’t afford to lose with automated, identity-driven microsegmentation that enforces least-privilege access across every asset and identity to contain threats in real time.  

With JIT network-layer MFA and a deterministic automation engine, Zero closes the coverage gaps where ransomware actors sneak through while aligning policies to verified business need, ensuring comprehensive protection doesn’t add operational complexity.  

See for yourself how Zero Networks proactively stops ransomware from spreading and strengthens cyber resilience – request a demo.