How to Stop Ransomware with Network Segmentation

Returned from DefCon last week—still on a high from the hardware hacking village. But as much as I love tearing apart embedded systems, today I’d rather complain about something absolutely critical: network segmentation. Because let’s face it, ransomware isn’t slowing down, and too many businesses are still getting it wrong!

Quick Take

If you don’t have time to read it, here’s the deal:

  • Network segmentation can prevent ransomware propagation.
  • If one segment is hit by ransomware, the rest of your infrastructure stays isolated from it.
  • So, flat networks = disaster waiting to happen.
  • Zero-trust architecture is here to stay. It works.

Now for the details, for those who need them — let’s dive in.

What is Network Segmentation?

In the ‘90s, we dealt with voice and data multiplexing over PSTN. The networks were basic, yes. But security? Basically non-existent. Everything was open. Any device could communicate with any other device — think of an office party without bouncers.

Fast forward to today. Many networks still operate that way. Everything talks to everything else, inside the network and out to the internet. And that is why ransomware spreads like wildfire.

Network segmentation is the practice of doing the exact opposite.

  • You segment your network into smaller, controlled areas.
  • Devices in one zone cannot communicate freely with devices in another.
  • Firewalls, VLANs and access control lists (ACLs) determine what can talk.

It’s akin to putting doors and security checks in your office. If malware enters one room, it cannot wander into the whole building.

How It Helps Block the Spread of Ransomware

I witnessed this myself with SQL Slammer in 2003. That worm was moving so quickly it infected thousands of machines in mere minutes. Why? Because networks were not segmented. Everything was open — any infected server could fire its payload across the entire environment at once.

Ransomware behaves the same way today. It moves laterally using exploits, stolen credentials, or plain misconfigurations. Segmentation halts (or at least slows) that movement.

Here’s how:

  • Isolation of critical systems. Your billing database doesn’t need direct access to the printer network.
  • Containment of compromised devices. If Bob from Accounting accidentally downloads ransomware, it can’t hop from his workstation to the rest of the network.
  • Production doesn’t touch IoT and guest networks. Yes, if you have a smart fridge, it should be on a different network.
  • Zero-trust principles are in effect. Before any connection can be established, it must be validated. Being inside the network does not make a host trustworthy.

We worked with one bank that had an entirely flat network. Just one phishing email — one bloody click — and the attacker had domain admin access and free lateral movement across the whole network. With their new segmentation, the same type of attack would not have progressed past the first compromised machine.

Network Segmentation Best Practices

I know — segmentation sounds complex. It can be. But when done correctly, it’s among the best defenses available against ransomware, period.

Here’s how to do it properly:

  1. Classify and Separate Your Critical Assets
    • Identify critical assets (finance, IP, backups, etc.)
    • Put them in their own enclave, away from general user traffic.
  2. Restrict Lateral Movement
    • Enforce a default-deny policy between segments (firewall rules or ACLs, not just VLAN tags).
    • Least privilege access—permit communication only when needed.
    • (SMBv1? Kill it. Now.)
  3. Separate User Roles Properly
    • HR should not have direct access to DevOps servers.
    • Interns should not be on the same network as production.
    • Your CEO’s laptop? Treat it like any other endpoint and secure it the same way.
  4. Implement Zero-Trust, No Exceptions
    • Mandatory authentication for each connection — including for internal connections.
    • Implement micro-segmentation (splitting zones down to individual workloads or hosts).
    • Inspect and record all traffic between segments
  5. Traffic Monitoring & Anomaly Detection
    • When an endpoint in HR suddenly starts to SSH into the production database—that’s not expected.
    • Be on the lookout for indicators of lateral movement, using network-based anomaly detection.
    • Logging is not optional. You should know exactly what’s connected to what.
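Steps 2 and 5 are easiest to see against real traffic. What follows is an added example, not PJ Networks’ code or tooling: a small Python checker that encodes a default-deny inter-zone allow-list and runs it over constructed flow records (NetFlow-style src/dst/port tuples). It flags cross-zone traffic the policy does not permit and intra-zone SSH/SMB/RDP/WinRM between peers, the classic lateral-movement signal from step 5. The zone ranges, the port allow-list and the sample flow log are all assumptions invented for the demonstration.

```python
"""Segmentation policy check over flow records (added example, not the page's own code)."""
import ipaddress
from dataclasses import dataclass

# Assumed zone layout for the example: one /24 per zone.
ZONES = {
    "hr_users":      ipaddress.ip_network("10.10.0.0/24"),
    "finance_users": ipaddress.ip_network("10.20.0.0/24"),
    "prod_app":      ipaddress.ip_network("10.101.0.0/24"),
    "prod_db":       ipaddress.ip_network("10.100.0.0/24"),
    "printers":      ipaddress.ip_network("10.200.0.0/24"),
    "iot":           ipaddress.ip_network("10.250.0.0/24"),
}

# Default-deny allow-list between zones: (src_zone, dst_zone) -> permitted destination ports.
# Anything not listed here is denied, which is the least-privilege posture from step 2.
POLICY = {
    ("hr_users", "prod_app"):      {443},
    ("finance_users", "prod_app"): {443},
    ("hr_users", "printers"):      {9100},
    ("finance_users", "printers"): {9100},
    ("prod_app", "prod_db"):       {5432},
}

# Services whose appearance between two peers in a *user* zone is a lateral-movement signal.
LATERAL_PORTS = {22: "ssh", 135: "msrpc", 445: "smb", 3389: "rdp", 5985: "winrm"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to the zone whose prefix contains it, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'alert'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    svc = LATERAL_PORTS.get(flow.dport)
    if "unknown" in (src_zone, dst_zone):
        return "deny", f"address outside any defined zone ({src_zone} -> {dst_zone})"
    if src_zone == dst_zone:
        # VLANs don't block peers in the same zone, so watch for admin protocols there.
        if svc:
            return "alert", f"intra-zone {svc} between endpoints in {src_zone}"
        return "allow", "same zone"
    if flow.dport in POLICY.get((src_zone, dst_zone), set()):
        return "allow", f"{src_zone} -> {dst_zone}:{flow.dport} is on the allow-list"
    what = svc or f"port {flow.dport}"
    return "deny", f"{src_zone} -> {dst_zone} {what} not permitted (default deny)"


def parse_flows(text: str) -> list[Flow]:
    """Parse 'src dst dport' lines; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) != 3:
            continue
        src, dst, dport = fields
        flows.append(Flow(src, dst, int(dport)))
    return flows


def audit(text: str) -> list[tuple[Flow, str, str]]:
    """Return every flow that is not plainly allowed, with its verdict and reason."""
    findings = []
    for flow in parse_flows(text):
        verdict, reason = evaluate(flow)
        if verdict != "allow":
            findings.append((flow, verdict, reason))
    return findings


# Constructed sample flow log (not real traffic).
FLOW_LOG = """
# src           dst            dport
10.10.0.15      10.101.0.8     443    # HR user -> app front end: allowed
10.20.0.31      10.200.0.5     9100   # finance -> printer: allowed
10.101.0.8      10.100.0.4     5432   # app tier -> database: allowed
10.10.0.15      10.100.0.4     22     # HR workstation SSH to prod DB: deny
10.10.0.15      10.10.0.22     445    # HR workstation SMB to a peer workstation: alert
10.250.0.7      10.100.0.4     5432   # smart fridge -> prod DB: deny
10.20.0.31      10.101.0.8     3389   # finance workstation RDP to app server: deny
"""

if __name__ == "__main__":
    for flow, verdict, reason in audit(FLOW_LOG):
        print(f"{verdict.upper():5} {flow.src} -> {flow.dst}:{flow.dport}  {reason}")
```

The same rule table is what you would push to the inter-VLAN firewall; running it over exported flows afterwards is the cheap way to confirm the firewall is actually enforcing it and to surface the “HR endpoint suddenly SSHing into the database” case the moment it appears.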

PJ Networks’ Segmentation Services

We’ve created segmentation strategies for companies that are stuck in the past — like that bank I mentioned earlier. Their original setup was a complete mess, basically an open playground for malware. We broke their networks down into tight zones. No more open access. When ransomware strikes now, it remains contained — like a fire running out of oxygen.

Here’s what we do:

  • Comprehensive network audits to uncover segmentation gaps.
  • Custom VLAN and firewall configurations based on your risk model.
  • Actual zero-trust segmentation (not sales pitches).
  • Testing and simulation — we don’t just install it, we stress-test it.

You’d be surprised how many companies are convinced they’re segmented — and aren’t. Having VLANs doesn’t automatically guarantee you security. VLANs are only skin deep without proper access controls.

Bottom line: Segmentation is Essential

The thing is — ransomware is unavoidable. Someone is going to click on the wrong link. Something will get through. The real question is: does your network facilitate the spread of malware?

If your answer isn’t a hell no, you’ve got work to do.

  • Flat networks amplify risk. Divided networks minimize it.
  • Isolate critical assets. Segment user roles.
  • Implement not just zero-trust in name, but in practice.
  • If you’re not sure where to begin — we do. We’ve done it for others, and we can do it for you.

Because honestly? I’m tired of watching good companies go down to something that could have been avoided.

Time to fix that.
