Micro-segmentation vs Ransomware

Cybersecurity
6 min read
ExColo Team

Ransomware remains the largest financial threat to organizations in 2026. The key factor determining the scale of damage is not the initial access method but the attacker's ability to move freely through the internal environment. Network micro-segmentation directly addresses this problem — limiting the scope of an attack to a single workload or segment rather than allowing ransomware to encrypt the entire environment.

How Ransomware Moves Through Your Network

Modern ransomware attacks are not single events — they are multi-stage operations that can last from several days to several weeks. The anatomy of a typical attack follows this sequence: initial access (via phishing, exploitation of a public-facing service, or compromised credentials), privilege escalation, environment reconnaissance, lateral movement, data exfiltration, and only then encryption.

Lateral movement techniques used by ransomware groups are well documented in the MITRE ATT&CK framework. The most common include:

  • PsExec and WMI for remotely executing processes on other hosts
  • RDP (Remote Desktop Protocol) for direct access to Windows systems
  • SMB share enumeration and access to network shares
  • Pass-the-Hash: reusing stolen NTLM password hashes without knowing the original password
  • Kerberoasting: attacks on Active Directory service accounts to obtain domain credentials

The dwell time before encryption is critical. According to Mandiant and CrowdStrike data, the average attacker dwell time before triggering encryption is 4–5 days. During this period, attackers map the network, identify backup systems (to encrypt or destroy them first) and compromise administrative accounts. Organizations without network segmentation have no technical barrier slowing this process.

Why Traditional Segmentation Falls Short

Traditional VLAN-based network segmentation is insufficient for reasons that are fundamental to how VLANs work. VLANs restrict traffic between segments at the network level, but east-west traffic within a single VLAN is completely unrestricted. If a user workstation and a file server sit in the same HR VLAN, an infected workstation has direct access to every resource on that file server.

Perimeter firewalls protect the boundary between the internal and external network, but do not inspect lateral traffic between internal hosts. An attacker who gained access to one workstation through phishing operates entirely outside the perimeter firewall's visibility and can freely communicate with other systems on the internal network.

The limitations of traditional segmentation are particularly visible in attacks against OT (Operational Technology) systems or hybrid environments combining on-premises networks with cloud. Firewall rules based on IP addresses are brittle — IP addresses change, virtual machines migrate between hosts, containers start with dynamic addresses. Security policies based on network location cannot keep pace with a dynamic environment.

What Is Microsegmentation

Microsegmentation is a network security approach in which access controls are applied at the level of individual workloads (virtual machines, containers, processes), not entire network segments. The key difference is that security policies are tied to workload identity rather than to network location — IP address or VLAN membership.

In practice, each workload can communicate only with explicitly permitted peers, regardless of its position in the network topology. The default rule is deny: any flow not explicitly permitted by policy is blocked. This applies the principle of least privilege to network traffic.

There are three main technological approaches to microsegmentation. Network-based segmentation (for example, Cisco TrustSec with SGT — Security Group Tags) applies labels to network traffic at the switch and router level. Host-based segmentation (for example, Illumio Core, Guardicore) installs an agent on each workload and controls traffic at the operating system network stack level. Identity-based segmentation (for example, Elisity) assigns policies based on device and user identity rather than IP addresses. Each approach has its advantages in different environments — the choice depends on the infrastructure, requirements, and maturity stage of the organization.

How Microsegmentation Stops Ransomware

Microsegmentation directly neutralizes the key lateral movement techniques used by ransomware groups. When each workload can only communicate with explicitly permitted peers, a compromised employee workstation cannot: establish RDP connections to other workstations, access SMB on file servers (unless explicitly permitted), connect to domain controllers via administrative ports, or reach backup systems.

A practical example: the finance segment is isolated from the HR segment, and both segments may communicate with backup servers only on specific ports and only during dedicated backup windows. Ransomware that reached a workstation in the finance segment via phishing can encrypt the local disk of that one workstation, but it cannot reach the finance department's file server (no permitted flow exists), cannot reach the HR segment, and cannot reach backup servers. The blast radius is limited to one device instead of the entire organization.

Protecting backup servers is particularly important. Ransomware groups know that organizations with good backups can refuse to pay a ransom and restore their environment — so they specifically hunt for backup systems first. Microsegmentation allows backup servers to be isolated so that the only permitted inbound connections come from dedicated backup agents on protected workloads — no other connection is possible.

Another key area is protecting Active Directory domain controllers. AD is the "crown jewel" for ransomware attackers — compromising a domain administrator account gives access to all systems in the environment. Microsegmentation restricts access to domain controllers exclusively to workloads and accounts that genuinely need it, dramatically reducing the attack surface on AD.
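The identity-based, default-deny model described in this section, as an added example that is not part of the original article or any vendor's product: workload names, IP addresses, the backup agent port 10000 and the 01:00-04:59 backup window are all constructed, and the policy is keyed on labels so that a migrating VM keeps its policy.

```python
from dataclasses import dataclass

# Constructed workload inventory. Policy is keyed on the labels, never on the IP,
# so a VM that migrates or a container with a new address keeps the same policy.
WORKLOADS = {
    "fin-ws-01":  {"ip": "10.1.0.21", "role": "workstation", "dept": "finance"},
    "fin-fs-01":  {"ip": "10.1.0.40", "role": "fileserver", "dept": "finance", "backup-agent": "yes"},
    "hr-ws-07":   {"ip": "10.2.0.15", "role": "workstation", "dept": "hr"},
    "bkp-srv-01": {"ip": "10.9.0.5",  "role": "backup-server", "dept": "it"},
    "dc-01":      {"ip": "10.9.0.2",  "role": "domain-controller", "dept": "it"},
    "jump-01":    {"ip": "10.9.0.9",  "role": "admin-jumphost", "dept": "it"},
}

@dataclass
class Rule:
    src: dict                    # label selector the source workload must match
    dst: dict                    # label selector the destination workload must match
    ports: frozenset             # permitted destination TCP ports
    hours: range = range(24)     # permitted hours of day (all 24 = no time restriction)

def selector_matches(selector: dict, labels: dict) -> bool:
    return all(labels.get(key) == value for key, value in selector.items())

# Explicit allow list. Anything not matched below is denied (default deny).
POLICY = [
    # Workstations need Kerberos and LDAP to the domain controller, nothing else.
    Rule({"role": "workstation"}, {"role": "domain-controller"}, frozenset({88, 389})),
    # Only the admin jump host may open RDP or WinRM to the domain controller.
    Rule({"role": "admin-jumphost"}, {"role": "domain-controller"}, frozenset({3389, 5985})),
    # Only backup agents may reach the backup server, on the constructed agent
    # port 10000, and only inside the constructed 01:00-04:59 backup window.
    Rule({"backup-agent": "yes"}, {"role": "backup-server"}, frozenset({10000}), range(1, 5)),
]

def is_allowed(src: str, dst: str, port: int, hour: int) -> bool:
    """A flow is allowed only if some rule matches both identities, the port and the hour."""
    s, d = WORKLOADS[src], WORKLOADS[dst]
    return any(selector_matches(r.src, s) and selector_matches(r.dst, d)
               and port in r.ports and hour in r.hours for r in POLICY)

def blast_radius(src: str, hour: int, ports=(88, 389, 445, 3389, 5985, 10000)) -> set:
    """Workloads a compromised `src` could still reach on the probed ports: its blast radius."""
    return {d for d in WORKLOADS if d != src
            and any(is_allowed(src, d, p, hour) for p in ports)}

if __name__ == "__main__":
    # A phished finance workstation reaches only the DC, and only on Kerberos/LDAP.
    print(blast_radius("fin-ws-01", hour=12))
```

Changing a workload's IP in WORKLOADS changes nothing in the evaluation, which is the property that makes label-based policy survive VM migration and dynamic container addressing.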

Getting Started with Microsegmentation

Microsegmentation deployment should be approached iteratively — attempting to segment the entire environment at once is a recipe for disrupting production operations and project failure. The following proven step-by-step approach works in practice:

  • Phase 1 — Visibility: Before writing any policy, you need to know who is communicating with whom. Deploy a flow mapping tool in observation mode. Spend 2–4 weeks collecting data on all network flows in the environment. Without this knowledge, you cannot write accurate policies and risk blocking legitimate communication.
  • Phase 2 — Start with the most critical assets: The first iteration of segmentation should protect the highest-value, highest-risk assets: backup servers, domain controllers, financial systems, customer data databases. Isolating these systems delivers an immediate improvement in ransomware resilience.
  • Phase 3 — Default deny for new workloads: Configure the microsegmentation tool so that newly deployed workloads have no permitted communication flows by default (default deny). This enforces documentation and approval of every required communication at the time a new system is deployed.
  • Phase 4 — Iterative expansion: Gradually extend microsegmentation to additional systems and segments. Prioritize segments based on business risk. Regularly verify that policies match current communication flows — IT environments change dynamically.
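How the visibility phase feeds the first policies, as an added example that is not part of the original article or of any flow-mapping product: the inventory, the IP-to-label mapping and the observation-mode flow export are constructed. Frequent flows between ordinary workloads become candidate allow rules, while every flow to a Phase 2 critical asset, and every rare flow, is held for explicit review.

```python
from collections import Counter

# Constructed inventory: IP -> "dept/role" label. Rules are proposed between labels, not IPs.
INVENTORY = {
    "10.1.0.21": "finance/workstation",
    "10.1.0.40": "finance/fileserver",
    "10.2.0.15": "hr/workstation",
    "10.9.0.5":  "it/backup-server",
    "10.9.0.2":  "it/domain-controller",
}
# Phase 2 assets: flows to these are never auto-proposed, they always go to human review.
CRITICAL = {"it/backup-server", "it/domain-controller"}

# Constructed observation-mode export: timestamp src dst dport proto
FLOWS = """\
2026-03-02T09:01:10 10.1.0.21 10.9.0.2 88 tcp
2026-03-02T09:01:11 10.1.0.21 10.9.0.2 389 tcp
2026-03-02T09:05:42 10.2.0.15 10.9.0.2 88 tcp
2026-03-02T02:10:03 10.1.0.40 10.9.0.5 10000 tcp
2026-03-02T11:20:07 10.1.0.21 10.1.0.40 445 tcp
2026-03-03T08:12:44 10.1.0.21 10.1.0.40 445 tcp
2026-03-02T11:25:30 10.1.0.21 10.9.0.5 445 tcp
2026-03-02T11:26:00 10.1.0.21 10.2.0.15 3389 tcp
"""

def aggregate(text: str) -> Counter:
    """Count observed flows per (src_label, dst_label, dport); unknown IPs are labelled as such."""
    counts = Counter()
    for line in text.splitlines():
        _, src, dst, dport, _ = line.split()
        s = INVENTORY.get(src, "unlabelled/unknown")
        d = INVENTORY.get(dst, "unlabelled/unknown")
        counts[(s, d, int(dport))] += 1
    return counts

def triage(text: str, min_count: int = 2):
    """Split observed flows into candidate allow rules and flows that need explicit review.
    Flows to critical assets and rare flows (such as a one-off workstation-to-workstation RDP
    session) are reviewed, never proposed; frequent flows between ordinary workloads become
    candidates that the application owner then confirms before the policy is enforced."""
    candidates, review = [], []
    for (s, d, port), n in sorted(aggregate(text).items()):
        if d in CRITICAL or n < min_count:
            review.append((s, d, port, n))
        else:
            candidates.append((s, d, port))
    return candidates, review

if __name__ == "__main__":
    cands, rev = triage(FLOWS)
    print("candidate rules:", cands)
    print("needs review:", rev)
```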

Microsegmentation is one of the foundations of Zero Trust network architecture. Combining microsegmentation with identity controls and device management creates a layered defence that radically increases the cost and complexity of a successful ransomware attack.

How ExColo Can Help

Microsegmentation deployment requires deep understanding of the customer's network environment, experience in designing security policies, and change management skills. Incorrectly designed microsegmentation can disrupt production applications — the most common cause of failure in this type of project.

The ExColo team offers comprehensive network microsegmentation services: environment readiness assessment, communication flow mapping, segmentation policy design, production deployment and testing, and IT team training in policy management. We work with on-premises, cloud, and hybrid environments.

Contact us to discuss how microsegmentation can reduce ransomware risk in your organization: ExColo contact form.

About the Author

ExColo Security Team

Cybersecurity specialists focused on Identity Security, Network Security, and Zero Trust architecture.
