The Email Problem

The two most common distribution vectors for ransomware are RDP and email.

RDP is relatively easy to secure by interposing a VPN.  The email route poses a near-intractable threat.

As mentioned under firewalls, a NGFW can do a good job of combating most email threats.  Webmail services can be made subject to a custom policy and subjected to deep SSL inspection.  This should trap most infected emails.  The policy often requires nomination of webmail services and, because there are so many, some may still slip through.  It is difficult to prevent end users from using their own insecure webmail services.

The business’ main email can be protected by mail scanners – there are various services available.  The effectiveness of these services is unknown.

Virus scanning is in itself imperfect, and hit rates for new viruses can be modest, leaving open a significant security hole.

The only highly effective strategy is browser isolation.  This is a difficult technique where the internet browser itself (e.g. Google Chrome) is actually running on a virtual machine on an isolated network segment.  If a virus is downloaded and opened on that network segment, it will not be able to propagate through the office network but will remain confined to the segment.  This can be implemented as a “browser server” which is itself a virtual machine in a unique segment.  In the event of infection, the browser server can be instantly rolled back to a safe checkpoint.
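The segmentation that makes the browser server safe comes down to a small, default-deny firewall policy between three zones: the office LAN, the isolated browser segment, and the internet.  The following is an added example, not part of the original article: a Python model of that policy that can be used to check the design before it is committed to a real firewall.  The zone names, the addressing (10.10.0.0/24 for the office, 10.99.0.0/28 for the browser segment) and the choice of RDP on port 3389 as the display protocol are assumptions made for the example.

```python
"""Zone-based policy model for a "browser server" segment.

Constructed example: the office LAN may reach the browser server only on
the display protocol, the browser segment may reach the internet only for
web traffic and DNS, and nothing initiated from the browser segment may
reach the office LAN.  Rules are matched first-hit; the default is deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed addressing for the example (not from the original article).
ZONES = {
    "office": ip_network("10.10.0.0/24"),   # user workstations
    "browser": ip_network("10.99.0.0/28"),  # isolated browser segment
}
BROWSER_SERVER = ip_address("10.99.0.10")   # the browser VM itself


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


POLICY = [
    # Office users reach the browser server over the display protocol only.
    Rule("office", "browser", "tcp", 3389, "allow"),
    # The browser segment may browse the web and resolve names, nothing else.
    Rule("browser", "internet", "tcp", 443, "allow"),
    Rule("browser", "internet", "tcp", 80, "allow"),
    Rule("browser", "internet", "udp", 53, "allow"),
    # No rule permits browser -> office or office -> internet: default deny.
]


def zone_of(addr: str) -> str:
    """Map an IP address to its zone; anything outside the RFC1918 ranges
    we define is treated as the internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Return the action for a new connection from src to dst."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "allow"          # intra-zone traffic is not policed here
    if s == "office" and d == "browser" and ip_address(dst) != BROWSER_SERVER:
        return "deny"           # only the browser VM is exposed to the office
    for rule in POLICY:
        if (rule.src_zone, rule.dst_zone, rule.proto) == (s, d, proto) \
                and (rule.dport is None or rule.dport == dport):
            return rule.action
    return "deny"


def isolation_holds() -> bool:
    """Check the properties the browser-server design depends on."""
    workstation, web = "10.10.0.5", "203.0.113.7"   # constructed endpoints
    checks = [
        evaluate(workstation, str(BROWSER_SERVER), "tcp", 3389) == "allow",
        evaluate(str(BROWSER_SERVER), web, "tcp", 443) == "allow",
        # A compromised browser VM cannot reach office file shares.
        evaluate(str(BROWSER_SERVER), workstation, "tcp", 445) == "deny",
        # Office machines cannot bypass the browser server and browse directly.
        evaluate(workstation, web, "tcp", 443) == "deny",
        # Office users cannot reach the browser VM on anything but the display port.
        evaluate(workstation, str(BROWSER_SERVER), "tcp", 445) == "deny",
    ]
    return all(checks)


if __name__ == "__main__":
    print("isolation holds" if isolation_holds() else "POLICY GAP")
```

The rule that matters most for ransomware containment is the absence of any browser-to-office rule: the browser VM can be fully compromised and still has no path to the office network, which is why rolling it back to a checkpoint is a complete remedy rather than the start of an incident.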

It is moderately difficult to configure this so that the isolated browser can print.  Moving files between the isolated browser and email in the main office network, whether attaching or detaching them, also poses significant issues.

Simple and cheap browser isolation solutions do not yet exist.  It is a key objective for cybersecurity and is a commercial opportunity for a clever developer.

The combination of securing RDP and browser isolation would reduce the ransomware risk to close to a negligible level.