Want to stop ransomware from reaching your data? Don't allow direct internet access from the secure (internal) network. Where users need the internet, give them a Citrix session or a Terminal Services session on a host that sits outside that network.
How would this work?
(User's secure workstation) —> (TS/Citrix session) —> (DMZ internet terminal server)
But I can’t afford a dedicated server!
If you had to do this at a small scale (read: cheaply), it could in theory be done with a local, non-domain-joined virtual machine using a bridged network adapter. That gives you some segmentation between the guest, the host, and the wider authenticated network. Create a DMZ VLAN, say VLAN 199 for the DMZ and VLAN 100 for the internal network, and put the virtual machine on the DMZ VLAN. With a bridged adapter this means the switch port must carry VLAN 199 as well as VLAN 100: either a trunk port with the guest or hypervisor tagging the VM's frames with 199, or a separate access port dedicated to the VM. Then set ACLs at the layer-3 boundary so that the internal VLAN 100 cannot talk to any untrusted network (such as the internet) apart from the session protocol to the DMZ host, and so that the DMZ VLAN 199 cannot initiate connections back into VLAN 100; a compromised guest that can still reach the internal file shares defeats the purpose.
You would still apply all of your standard security controls to the virtualized image (AV, DLP, web filtering, patching, etc.), and you would disable bidirectional guest/host integration (shared folders, clipboard sharing, drag and drop) so that a guest that gets infected cannot encrypt files on the host.
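As an added example (not from the original post), here is what the two-VLAN design and its ACLs look like on a Cisco IOS style layer-3 switch. The addressing (10.0.100.0/24 internal, 10.0.199.0/24 DMZ), the interface names, the terminal server address 10.0.199.10 and the use of RDP on TCP 3389 are all assumptions; substitute the Citrix ICA ports if that is what you run.

```cisco
! Added example, not the original author's configuration. Addresses, interface
! names, the terminal server address and the RDP port are assumptions.
!
! VLAN 100 = internal (trusted workstations), VLAN 199 = DMZ (internet VM / TS)
vlan 100
 name INTERNAL
vlan 199
 name DMZ
!
! Port of the host running the bridged VM: a trunk carrying both VLANs. The
! host NIC stays untagged in VLAN 100 (native); the guest tags its frames 199.
interface GigabitEthernet1/0/5
 switchport mode trunk
 switchport trunk native vlan 100
 switchport trunk allowed vlan 100,199
!
interface Vlan100
 ip address 10.0.100.1 255.255.255.0
 ip access-group INTERNAL_IN in
!
interface Vlan199
 ip address 10.0.199.1 255.255.255.0
 ip access-group DMZ_IN in
!
! Traffic leaving internal hosts: only RDP to the DMZ terminal server.
! Nothing else is routed, so there is no direct path to the internet.
ip access-list extended INTERNAL_IN
 remark internal -> DMZ terminal server over RDP only
 permit tcp 10.0.100.0 0.0.0.255 host 10.0.199.10 eq 3389
 remark everything else routed from internal (including the internet) is dropped and logged
 deny   ip 10.0.100.0 0.0.0.255 any log
!
! Traffic leaving the DMZ: the DMZ may reach the internet but never the
! internal VLAN, except replies on RDP sessions the internal side opened.
! IOS ACLs are stateless, so those reply packets must be permitted explicitly.
ip access-list extended DMZ_IN
 remark replies from the terminal server back to internal RDP clients
 permit tcp host 10.0.199.10 eq 3389 10.0.100.0 0.0.0.255 established
 remark a compromised DMZ host must not reach the internal VLAN
 deny   ip 10.0.199.0 0.0.0.255 10.0.100.0 0.0.0.255 log
 remark anything else (internet via the default route) is allowed
 permit ip 10.0.199.0 0.0.0.255 any
```

Two things to check before relying on this. First, the `established` permit only matches TCP segments with ACK/RST set, which is enough for RDP replies but is not a stateful firewall; if the switch supports reflexive ACLs or a zone-based firewall, prefer those. Second, the `deny ip ... any` on VLAN 100 also blocks routed traffic to any other internal VLAN (file servers, DNS), so each of those needs its own explicit permit above the deny. Hosts within VLAN 100 still talk to each other at layer 2 regardless of these ACLs.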