The Writing King Your Ethical Ghostwriter. Your Story, Done Right.

The Ransomware Years: When Laptops Became Bricks

TL;DR

Ransomware turned individual machines into unrecoverable bricks, but it never took the network, because the network was built to deny it. Across roughly 1,500 desktops and laptops at a major national retailer, deliberate segmentation plus per-machine firewalls kept every ransomware infection local to the machine that clicked. The lesson: you cannot prevent every click, so you architect for the click you cannot prevent.

Ransomware hit us hard, and it hit us the way it hits everyone: through people. Somebody opened a link. Somebody opened an email attachment. And boom, their machine was done. Not encrypted-with-a-countdown-timer done, the way ransomware later evolved. These machines were bricks. Literally unrecoverable. Wipe, reimage, restore what you can, apologize for what you cannot.

We were running a fleet of roughly 1,500 desktops and laptops, Windows 2000 era, across the operation. At that scale, some percentage of people will always click. The math is unforgiving: 1,500 users, each receiving daily email, each one click away from bricking their machine. Prevention alone was never going to hold that line.

Why the bricks stayed local

What saved us was architecture. The network was deliberately segmented, and the workstation population lived inside its own zone. When a machine detonated, the blast radius ended at the segment boundary. The infection could not walk from the workstation network into the server infrastructure, and per-machine firewalls kept infections from hopping laterally between neighbors.

So the ransomware experience, awful as each incident was, stayed retail rather than wholesale. One brick at a time. A user loses a machine and a day. The company never lost the network, never lost the servers, never faced the scenario that destroys businesses: ransomware moving system to system through an open interior.

That containment was not luck. The segmentation existed because the network was designed by people who assumed compromise. The question the design answered was never whether a machine would get infected. It was what an infected machine would be able to reach. The answer we built was: almost nothing.

The grind nobody writes about

Containment kept the incidents small, but small incidents at fleet scale still add up to a permanent operational tax. Each brick meant a technician, a reimage, and the delicate conversation about what the user kept on the local disk. In that era, the answer was often “everything,” and the ransomware did not encrypt it for ransom, it simply destroyed it. Those losses converted more employees to disciplined file-server storage than any policy memo ever had. Pain is a curriculum.

The reimaging pipeline itself became infrastructure. When infections are a question of when rather than if, machine rebuilds stop being an emergency procedure and become a production line: standard images, automated restores of the sanctioned data locations, a known number of hours from brick to desk. Organizations that treat every compromised machine as a bespoke crisis exhaust themselves. We industrialized the response, and the incidents faded into operational noise, which is the correct final state for a threat you cannot eliminate.

You cannot prevent every click. You architect for the click you cannot prevent.
Share on X

The two-layer lesson

The pattern that worked was boundary plus host. Segmentation is the boundary control: it decides what an infection can reach beyond its zone. Per-machine firewalls are the host control: they decide what a machine will accept from its neighbors inside the zone. Either one alone leaves a gap. Segmentation without host controls means one infected machine can sweep its own segment. Host controls without segmentation means one misconfigured machine exposes the interior. Together, they reduced every incident to a single machine and a reimage.

Modern ransomware is more sophisticated than what bricked our fleet; it hunts for lateral movement, harvests credentials, and targets backups. But the defensive geometry has not changed. The organizations that survive ransomware today are the ones where the click cannot reach anything that matters, and that is a design decision made long before the click happens.

For the executives

If you run a company, the question for your IT leadership is not whether your people will click. They will. The question is: when one of our machines is compromised at 2 PM on a Tuesday, what can it reach by 2:05? If the answer involves a hesitation, your network is one email away from a very different kind of day. And if you are an executive who has lived through that day and wants to write about it, the story is in the architecture decisions, not the malware. Anyone can describe ransomware. Very few people can explain why theirs stopped at one machine.

One more update for the modern reader. Today’s ransomware would not settle for the machine; it hunts credentials, moves laterally, exfiltrates before encrypting, and goes looking for your backups specifically. Every one of those behaviors is an argument for the same architecture that saved us: segmentation limits the hunt, host controls slow the movement, and backups belong on infrastructure the workstation population cannot reach at all. The attackers upgraded. The geometry did not.

For more from this series, see the The Cybersecurity Hub: breaches, audits, and hard-won security lessons from four decades in the trenches.

The Guides That Get Your Book Written, Published, and Sold

Four short, practical guides on writing, publishing, and selling your book, plus the occasional note when there's something worth your time. No fluff, no daily inbox clutter. Drop your email and they're yours.

We use MailerLite to manage our list and send these emails. Your address is used only to send you what you signed up for. We will not sell it, share it, or use it for anything else, and you can unsubscribe anytime.

Frequently Asked Questions

How does ransomware spread through a company network?
Typically it enters through a single user action, a malicious link or attachment, then attempts lateral movement to other machines and servers. Flat networks let it travel freely; segmented networks confine it to the zone where it detonated.
Does network segmentation really stop ransomware?
It stops ransomware from becoming an enterprise event. Across a fleet of about 1,500 machines, segmentation plus per-machine firewalls kept every infection confined to the machine that clicked. The machines were lost; the network never was.
What should executives ask their IT teams about ransomware?
Ask what a compromised workstation can reach in the first five minutes. The answer reveals whether the network is architected for containment or is one click away from a company-wide incident.

📁︎ Cybersecurity

🏷︎ Incident Response🏷︎ Ransomware🏷︎ Malware🏷︎ Network Segmentation

📝 Disclaimer

The views and opinions expressed in this blog post are solely those of Richard Lowe and are based on personal experience and research. This content is for informational purposes only and should not be construed as professional legal, financial, accounting, or business advice. Always consult with qualified professionals before making important business or legal decisions. Richard Lowe is not a lawyer, accountant, or licensed professional advisor, and this content does not establish any professional relationship.