Most organizations do not find out whether they are ready for a ransomware attack until the ransom note appears on their screens. In today's threat landscape, ransomware is no longer just a simple file-encryption problem. Modern attack groups practice "double extortion" (encrypting files while exfiltrating data to leak publicly) and actively target an organization's backups first to eliminate their ability to recover.
To withstand an attack, you must move beyond assurances and evaluate your posture against the four phases of ransomware readiness: keeping threats out, spotting them early, containing the blast radius, and recovering operations.
1. Prevention: hardening the perimeter
The goal of prevention is to increase the cost of entry for attackers. The most common vectors are public-facing vulnerabilities, weak remote access controls, and phishing.
- Immutable backups with regular restorations: Implementing the 3-2-1 backup strategy is no longer enough if your backups reside on the same network domain. Attackers compromise Active Directory and systematically delete backups. You must maintain at least one copy of your backups offline or in an immutable (Write Once Read Many / WORM) cloud vault. Crucially, these backups must be tested via regular restoration drills to prove they are recoverable.
- Enforced multi-factor authentication (MFA): MFA must be mandated across all entry points, including corporate email accounts, VPN gateways, remote desktops (RDP), and administrative consoles. Wherever possible, transition to phishing-resistant MFA (such as FIDO2 passkeys) to prevent session-hijacking attacks.
- Risk-based vulnerability patching: Attackers monitor public gateways (firewalls, VPNs, remote access hubs) for unpatched CVEs. Rather than chasing every low-severity finding, prioritize patching against the CISA Known Exploited Vulnerabilities (KEV) catalog and ensure public-facing systems are updated within days of a patch release.
- Least privilege and network segmentation: Restrict local administrator accounts. Ransomware spreads by extracting credentials from memory on one compromised machine and using them to access others. Network segmentation ensures administrative environments are isolated from standard user segments.
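The backup point above is the one most often scored too generously, so here is an added example (not from the checklist or any vendor) of turning it into a mechanical check: a constructed inventory that passes textbook 3-2-1 but fails the requirement for a copy that survives a compromised Active Directory, beside one that passes, plus the restoration-drill freshness test. Field names, dates and the 90-day drill cadence are assumptions.

```python
from datetime import date

MAX_DAYS_BETWEEN_RESTORE_TESTS = 90   # assumed drill cadence; adjust to policy
TODAY = date(2024, 6, 1)              # constructed reference date for the checks
LAST_DRILL_RECENT = date(2024, 5, 1)
LAST_DRILL_STALE = date(2024, 1, 15)

# Constructed backup inventories for one dataset; field names are assumptions for this
# example, not a product's schema. WEAK satisfies textbook 3-2-1 (three copies, two
# media, one off-site) yet every copy is deletable with stolen domain credentials.
WEAK_INVENTORY = [
    {"name": "nas-hq", "media": "disk", "site": "hq",
     "offline": False, "immutable": False, "domain_joined": True},
    {"name": "nas-dr", "media": "disk", "site": "dr-site",
     "offline": False, "immutable": False, "domain_joined": True},
    {"name": "tape-library-hq", "media": "tape", "site": "hq",
     "offline": False, "immutable": False, "domain_joined": True},
]
# STRONG adds a WORM cloud vault outside the domain and truly offline off-site tape.
STRONG_INVENTORY = WEAK_INVENTORY[:2] + [
    {"name": "cloud-vault", "media": "object-storage", "site": "cloud-eu",
     "offline": False, "immutable": True, "domain_joined": False},
    {"name": "tape-offsite", "media": "tape", "site": "vault-provider",
     "offline": True, "immutable": True, "domain_joined": False},
]


def evaluate_backup_posture(copies, last_restore_test, today=TODAY,
                            max_test_age=MAX_DAYS_BETWEEN_RESTORE_TESTS):
    """Return the list of gaps found; an empty list means the posture passes."""
    findings = []
    if len(copies) < 3:
        findings.append("fewer than three copies")
    if len({c["media"] for c in copies}) < 2:
        findings.append("all copies on one media type")
    if len({c["site"] for c in copies}) < 2:
        findings.append("no off-site copy")
    # The decisive check: at least one copy must survive an attacker who controls
    # Active Directory, i.e. be offline or immutable AND outside the domain trust boundary.
    if not any((c["offline"] or c["immutable"]) and not c["domain_joined"] for c in copies):
        findings.append("no offline/immutable copy outside the domain trust boundary")
    if last_restore_test is None or (today - last_restore_test).days > max_test_age:
        findings.append(f"no successful restoration drill in the last {max_test_age} days")
    return findings
```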
2. Detection: identifying early indicators
Before ransomware executes its encryption phase, attackers spend days or weeks conducting internal reconnaissance, harvesting credentials, and exfiltrating data. Spotting these indicators is your best opportunity to stop the attack.
- Antivirus vs. EDR/XDR: Traditional signature-based antivirus cannot detect fileless malware or attackers using legitimate administrative tools (Living off the Land). You must deploy Endpoint Detection and Response (EDR) or Extended Detection and Response (XDR) agents on all servers and workstations to monitor behavioral anomalies in real time.
- Secured centralized logging (SIEM): Audit logs from domain controllers, firewalls, and Active Directory must be forwarded to a centralized security information and event management (SIEM) server. Crucially, these logs must be stored in a read-only state so that attackers cannot clear their tracks during an intrusion.
- Continuous 24/7 monitoring: Ransomware groups deliberately strike during off-hours, weekends, or major holidays when security teams are understaffed. Having an alert trigger at 2:00 AM does no good if no one is awake to triage it. You need a dedicated SOC team or a managed detection partner monitoring your environment around the clock.
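To make the "behavioral anomaly" and "read-only logs" points concrete, here is an added example (written for this page, not the checklist's own tooling) of two detections run over constructed, normalised endpoint events: a sliding-window rate check that flags one process touching many files with a uniform new extension, and a rule that treats the forwarded audit-log-cleared event as an indicator in its own right. Event shape, host and process names, window and threshold are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Constructed file-audit events in the normalised shape an EDR agent or SIEM
# pipeline might emit: (timestamp, host, process, action, path). Not real telemetry.
SAMPLE_EVENTS = [
    ("2024-03-02T02:13:01", "FS01", "backup.exe", "write", r"D:\backups\fin-03-01.bak"),
    ("2024-03-02T02:14:05", "WS17", "WINWORD.EXE", "write", r"C:\Users\a\report.docx"),
] + [
    (f"2024-03-02T02:15:{i:02d}", "FS01", "update.exe", "rename",
     rf"D:\shares\finance\doc{i}.xlsx.locked") for i in range(25)
] + [
    # Windows Security event 1102 ("the audit log was cleared"), as forwarded to the SIEM
    ("2024-03-02T02:16:10", "FS01", "-", "log_cleared", "Security"),
]

WINDOW_SECONDS = 60   # sliding window for the rate check
FILE_THRESHOLD = 20   # distinct files one process may touch per window before alerting


def detect_mass_modification(events, window=WINDOW_SECONDS, threshold=FILE_THRESHOLD):
    """Alert on a (host, process) that touches more than `threshold` distinct files in
    any `window`-second span; many files gaining one new suffix is an encryption signature."""
    by_actor = defaultdict(list)
    for ts, host, proc, action, path in events:
        if action in ("write", "rename", "delete"):
            by_actor[(host, proc)].append((datetime.fromisoformat(ts), path))
    alerts = []
    for (host, proc), items in by_actor.items():
        items.sort()
        start = 0
        for end, (t_end, _) in enumerate(items):
            while (t_end - items[start][0]).total_seconds() > window:
                start += 1
            paths = {p for _, p in items[start:end + 1]}
            if len(paths) > threshold:
                ext = Counter(PureWindowsPath(p).suffix for p in paths).most_common(1)[0][0]
                alerts.append({"type": "mass_file_modification", "host": host, "process": proc,
                               "files_in_window": len(paths), "extension": ext})
                break   # one alert per actor is enough to trigger containment
    return alerts


def detect_log_clearing(events):
    """With logs forwarded to read-only storage, the clearing event itself is the indicator."""
    return [{"type": "audit_log_cleared", "host": host, "time": ts}
            for ts, host, _, action, _ in events if action == "log_cleared"]
```

The backup job and the single document edit stay below the threshold, so only the renaming process on FS01 and the log-clearing event produce alerts.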
3. Response: containing the blast radius
When an alert flags active lateral movement or mass file modifications, your team must respond immediately according to a pre-defined playbook.
- An active Incident Response (IR) plan: Your written IR plan must designate an Incident Commander with the authority to make critical decisions. It must outline immediate legal, public relations, and cybersecurity insurance notification steps, and provide alternative out-of-band communication channels (such as Signal or Teams) in case corporate email is compromised.
- Host isolation playbooks: Security teams must have the tools and training to isolate compromised servers or workstations via EDR software immediately. A clear containment strategy ensures a single infected laptop does not propagate to the domain controller.
- Sanctions compliance and payment policies: The legal landscape around ransomware payments is complex. Paying a ransom to a group listed on the OFAC sanctions list can result in severe legal penalties. Your response strategy should treat payment as a last resort and establish clear legal counsel channels before an incident occurs.
4. Recovery: restoring clean operations
If encryption occurs, your recovery strategy dictates how quickly your business can resume operations and whether you can avoid paying a ransom.
- Prioritized system recovery order: You must define your recovery objectives (RTO and RPO) in advance. The recovery sequence must start with core identity services (Active Directory and DNS) and database layers before restoring business-facing applications.
- Clean-room environments: Attackers often leave persistent backdoors or latent malware in backups. Restoring systems directly back into production can trigger a secondary encryption cycle. You must recover systems into an isolated "clean room" environment to scan and verify they are clean before reconnecting them to the network.
- Regular tabletop simulations: A disaster recovery plan is merely a theory until it is tested. Conduct annual simulation exercises involving executives, legal counsel, and technical staff to run through scenarios, identify gaps in roles, and refine your recovery timelines.
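An added example (not from the checklist) of the "recovery order" point: a constructed service catalogue with dependencies, restore-time estimates and agreed RTOs is sorted so identity and DNS come first, and each service's earliest finish is compared with its RTO, which exposes targets that cannot be met because of what they depend on. Service names and hours are made up.

```python
from collections import defaultdict, deque

# Constructed service catalogue for a recovery drill: each entry names the services it
# depends on, the estimated hours to restore it, and its agreed RTO. Made-up values.
SERVICES = {
    "active-directory": {"deps": [], "restore_hours": 4, "rto_hours": 8},
    "dns": {"deps": ["active-directory"], "restore_hours": 1, "rto_hours": 8},
    "sql-cluster": {"deps": ["active-directory", "dns"], "restore_hours": 6, "rto_hours": 12},
    "erp": {"deps": ["sql-cluster"], "restore_hours": 3, "rto_hours": 24},
    "customer-portal": {"deps": ["sql-cluster", "dns"], "restore_hours": 2, "rto_hours": 8},
}


def recovery_plan(services):
    """Order services so every dependency is restored before its dependents (Kahn's
    topological sort), compute each service's earliest finish assuming independent
    restores run in parallel, and flag any RTO that cannot be met in that order."""
    indegree = {name: len(spec["deps"]) for name, spec in services.items()}
    dependents = defaultdict(list)
    for name, spec in services.items():
        for dep in spec["deps"]:
            if dep not in services:
                raise KeyError(f"{name} depends on unknown service {dep!r}")
            dependents[dep].append(name)
    ready = deque(sorted(n for n, d in indegree.items() if d == 0))
    finished, plan = {}, []
    while ready:
        name = ready.popleft()
        spec = services[name]
        # cannot start before the slowest dependency has finished
        start = max((finished[d] for d in spec["deps"]), default=0)
        finish = start + spec["restore_hours"]
        finished[name] = finish
        plan.append({"service": name, "start_hour": start, "finish_hour": finish,
                     "rto_breached": finish > spec["rto_hours"]})
        for child in dependents[name]:
            indegree[child] -= 1
            if indegree[child] == 0:
                ready.append(child)
    if len(plan) != len(services):
        raise ValueError("dependency cycle: no valid recovery order")
    return plan


def restore_order(services):
    return [step["service"] for step in recovery_plan(services)]


def rto_breaches(services):
    return [step["service"] for step in recovery_plan(services) if step["rto_breached"]]
```

In this catalogue the customer portal's 8-hour RTO is unattainable because the database it needs finishes at hour 11, which is exactly the kind of gap a tabletop should surface before an incident.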
Get the full checklist
The download expands all fifteen points into what "done" looks like and the evidence to capture, so you can score yourself honestly and close the gaps that matter most.