
The Ransomware Readiness Checklist (No Tools Required)

Most ransomware “readiness” frameworks are five hundred controls long. That isn’t useful. When a determined human attacker is in your network and looking to encrypt everything in 36 hours, your survival comes down to a small number of decisions you made before they arrived.

Here’s the short list. If you’re confident in all of these, you’re in good shape. If you’re not, work down the list in order — the items at the top deliver the most resilience per hour invested.

1. Multi-factor authentication, everywhere

Ransomware in 2026 doesn’t usually start with a zero-day. It starts with a stolen credential — bought from an info-stealer market, sprayed in a credential-stuffing attack, or harvested via a phishing kit. The single biggest control that breaks this chain is MFA on every account that can log into anything important.

“Important” includes: email, VPN, remote access tools (RDWeb, Citrix, AnyConnect), cloud admin consoles, code repositories, identity providers, and SaaS apps holding sensitive data. Don’t forget service accounts and break-glass admins. Don’t allow legacy auth protocols (POP, IMAP, SMTP basic auth) — they can’t carry an MFA challenge, so a stolen password alone is enough, which is how attackers bypass MFA.

Hardware keys (FIDO2 / passkeys) for admins and execs. App-based TOTP for everyone else. SMS only as a last resort and never for high-value accounts.

2. EDR on every endpoint and server, alerts triaged

Traditional antivirus is not enough. Modern endpoint detection and response (EDR) tools — Defender for Endpoint, CrowdStrike, SentinelOne, Sophos Intercept X, etc. — detect the behaviour patterns of ransomware operators: living-off-the-land tools, suspicious PowerShell, lateral movement, mass file rename, shadow copy deletion.

The tool isn’t the whole answer. The alerts have to reach a human who acts on them. If you don’t have a 24/7 SOC, at minimum auto-respond to high-severity alerts (auto-isolate the host) and have an on-call rota that can take a call at 2am.
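Two of the behaviours named above, shadow copy deletion and mass file rename, are simple enough to express as detection logic. The block below is an added example (not from the original post or any EDR vendor) run over constructed process and rename events; the event field names are assumptions.

```python
import os
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line fragments that indicate shadow copy deletion (matched case-insensitively).
SHADOW_COPY_DELETION = ("vssadmin delete shadows", "vssadmin resize shadowstorage",
                        "wmic shadowcopy delete")

def _ext(path):
    return os.path.splitext(path)[1].lower()

def detect_shadow_copy_deletion(events):
    """Return (host, pid, cmdline) for each process event whose command line deletes shadow copies."""
    return [(e["host"], e["pid"], e["cmdline"]) for e in events
            if e["type"] == "process"
            and any(frag in e["cmdline"].lower() for frag in SHADOW_COPY_DELETION)]

def detect_mass_rename(events, threshold=50, window_s=60):
    """Return (host, pid) for each process that renamed >= threshold files to a different
    extension within any window_s-second span (sorted timestamps, sliding window)."""
    by_proc = defaultdict(list)
    for e in events:
        if e["type"] == "rename" and _ext(e["src"]) != _ext(e["dst"]):
            by_proc[(e["host"], e["pid"])].append(datetime.fromisoformat(e["ts"]))
    alerts = []
    for key, times in by_proc.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return alerts

# Constructed sample telemetry (not real logs): a backup job renaming three files, a process
# appending a new extension to 60 documents in 30 seconds, and one shadow copy deletion.
# Field names (ts, host, pid, type, cmdline, src, dst) are assumptions for this example.
T0 = datetime(2026, 3, 1, 2, 14, 0)
SAMPLE_EVENTS = [
    {"ts": T0.isoformat(), "host": "ws-17", "pid": 880, "type": "process", "cmdline": "backup.exe --rotate"},
    {"ts": T0.isoformat(), "host": "ws-17", "pid": 4120, "type": "process",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet"},
]
SAMPLE_EVENTS += [{"ts": (T0 + timedelta(seconds=i)).isoformat(), "host": "ws-17", "pid": 880,
                   "type": "rename", "src": f"log{i}.txt", "dst": f"log{i}.bak"} for i in range(3)]
SAMPLE_EVENTS += [{"ts": (T0 + timedelta(seconds=i // 2)).isoformat(), "host": "ws-17", "pid": 4120,
                   "type": "rename", "src": f"doc{i}.docx", "dst": f"doc{i}.docx.locked"} for i in range(60)]
```

Both detectors return the offending (host, pid) so an auto-isolate action can target the host; the rename threshold and window are tuning knobs, and a backup job that changes extensions in bulk is the usual false positive to allowlist.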

3. Patch internet-facing systems within 7 days

VPN appliances, edge firewalls, web servers, remote access gateways — these are the most common initial access vectors. The CISA Known Exploited Vulnerabilities list is your prioritisation tool: anything on KEV, patch within days, not weeks.

If you can’t patch, isolate. Remove the system from the internet. Put it behind a different control (ZTNA, allowlisted IPs). Don’t let a known-exploited bug sit on your edge for six weeks.
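The KEV-driven prioritisation described above can be automated against an asset inventory. This is an added example, not the post’s own tooling: the KEV excerpt and inventory are constructed (the field names cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse follow the real KEV JSON feed; the CVE ids and dates are placeholders).

```python
from datetime import date

PATCH_SLA_DAYS = 7   # the 7-day bar for internet-facing systems from the checklist

def kev_index(kev_json):
    """Map cveID -> catalogue entry for a KEV-format JSON document."""
    return {v["cveID"]: v for v in kev_json["vulnerabilities"]}

def overdue_internet_facing(assets, kev_json, today, sla_days=PATCH_SLA_DAYS):
    """Return internet-facing assets carrying a KEV-listed CVE that has been unpatched for
    longer than sla_days since it was added to KEV, most urgent first (known ransomware
    use first, then the longest-open)."""
    kev = kev_index(kev_json)
    findings = []
    for a in assets:
        if not a["internet_facing"]:
            continue   # internal systems get the normal patch cadence, not this SLA
        for cve in a["unpatched_cves"]:
            entry = kev.get(cve)
            if entry is None:
                continue
            days_open = (today - date.fromisoformat(entry["dateAdded"])).days
            if days_open > sla_days:
                findings.append({"asset": a["name"], "cve": cve, "days_on_kev": days_open,
                                 "ransomware_use": entry["knownRansomwareCampaignUse"] == "Known",
                                 "product": f'{entry["vendorProject"]} {entry["product"]}'})
    findings.sort(key=lambda f: (not f["ransomware_use"], -f["days_on_kev"]))
    return findings

# Constructed KEV excerpt and inventory; CVE ids are placeholders, not real identifiers.
TODAY = date(2026, 3, 1)
KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVPN", "product": "Gateway",
     "dateAdded": "2026-01-20", "dueDate": "2026-02-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleWeb", "product": "Server",
     "dateAdded": "2026-02-25", "dueDate": "2026-03-18", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleFW", "product": "Edge",
     "dateAdded": "2026-02-01", "dueDate": "2026-02-22", "knownRansomwareCampaignUse": "Unknown"},
]}
ASSETS = [
    {"name": "vpn-01", "internet_facing": True, "unpatched_cves": ["CVE-0000-0001"]},
    {"name": "www-02", "internet_facing": True, "unpatched_cves": ["CVE-0000-0002", "CVE-0000-0003"]},
    {"name": "fileserver-03", "internet_facing": False, "unpatched_cves": ["CVE-0000-0003"]},
]
```

With a real feed you would load the KEV JSON from CISA and the inventory from your vulnerability scanner; anything this returns is either a patch or an isolation decision, not a ticket to sit in a backlog.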

4. Remove local admin from regular users

Most ransomware needs administrative privilege to do real damage — disabling backups, deploying across the network, deleting shadow copies. If your users don’t have local admin, you’ve added significant friction to the attack chain. Use a privilege management tool (or a basic group policy) to allow approved app installs without granting full admin.

5. Email security beyond the default

Whatever your email platform’s premium tier offers (Defender for Office 365 Plan 2, Google Workspace Enterprise) is probably good enough for most SMBs. Larger organisations should add a dedicated email security gateway with attachment sandboxing and URL detonation.

Configure SPF, DKIM and DMARC. Set DMARC to p=reject once you’ve confirmed legitimate senders pass. Enable an external sender warning banner — a one-line config change with a 15% reduction in click rate, on average.
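A quick way to check whether a domain’s SPF and DMARC records meet the bar above (a hard-fail SPF and a DMARC policy of p=reject applied to all mail). This is an added example, not the post’s own tooling; the records are constructed strings for reserved test domains, and in practice you would fetch them by DNS TXT lookup of the domain and of _dmarc.<domain>.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; return None if it isn't a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def assess_dmarc(record):
    """Return (ok, reason). ok only when p=reject applies to 100% of mail (pct defaults to 100)."""
    tags = parse_dmarc(record)
    if tags is None:
        return False, "no DMARC record"
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))
    if policy != "reject":
        return False, f"policy is p={policy or 'missing'}; move to p=reject once legitimate senders pass"
    if pct < 100:
        return False, f"p=reject only applied to {pct}% of mail (pct={pct})"
    return True, "p=reject on 100% of mail"

def assess_spf(record):
    """Return (ok, reason). ok when the record is SPF and its terminal mechanism is -all."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, "no SPF record"
    last = terms[-1].lower()
    if last == "-all":
        return True, "hard fail (-all)"
    if last == "~all":
        return False, "soft fail (~all): spoofed mail is only marked, not rejected"
    return False, f"terminal mechanism is {last!r}; end the record with -all"

# Constructed records for reserved .test domains, not any real domain's DNS.
SAMPLE_RECORDS = {
    "example.test": {"spf": "v=spf1 include:_spf.mailprovider.example -all",
                     "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s"},
    "weak.test": {"spf": "v=spf1 ip4:192.0.2.0/24 ~all",
                  "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.test"},
    "partial.test": {"spf": "v=spf1 -all", "dmarc": "v=DMARC1; p=reject; pct=25"},
}

def report(records=SAMPLE_RECORDS):
    """Assess every domain's SPF and DMARC record; returns {domain: {"spf": (ok, why), "dmarc": (ok, why)}}."""
    return {d: {"spf": assess_spf(r["spf"]), "dmarc": assess_dmarc(r["dmarc"])} for d, r in records.items()}
```

The pct tag is the usual trap: a record can read p=reject and still let three quarters of spoofed mail through if it was staged with pct=25 and never finished.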

6. Centralised logging with detection content

You can’t respond to what you can’t see. At minimum, send endpoint, server, identity provider, firewall and email gateway logs to a central SIEM or log platform. Use the platform’s built-in detection content as a starting point, then tune for your environment.

The bar isn’t perfect — it’s “we’d see lateral movement before encryption starts.” If you have an EDR with managed detection and response (MDR) bundled in, that covers most of this without a SIEM.

7. A written, ransomware-specific incident response plan

Generic IR plans are not enough. Ransomware has specific decisions that need to be pre-made:

  • Who has authority to take systems offline and isolate the network?
  • What’s the trigger to engage your IR retainer?
  • How do you communicate when email is encrypted? (Out-of-band: Signal, separate phones, an external Slack workspace.)
  • Who decides whether to pay? Almost always: don’t, but the decision-maker should be named, not chosen at 3am.
  • Who briefs the board? Who notifies regulators? Who talks to customers?

The plan should fit on two pages. Long plans don’t get read. Test it with a tabletop exercise at least once a year.

8. An IR retainer with a known number to call

Don’t try to hire an IR firm during an active incident — you’ll pay 5x the rate and they may not be available. Get a retainer set up now with one of the major IR firms (Mandiant, CrowdStrike, Unit 42, Arctic Wolf, BlueVoyant, NCC, etc.) or a regional specialist. Test the escalation path. Make sure the contract covers the kind of incident you’re worried about.

9. Cyber insurance with ransomware coverage

Insurance has tightened sharply since 2022. Expect a security questionnaire and a price that reflects your control posture. The coverage matters: confirm ransomware is covered, what the sub-limits are, what’s excluded, and what the insurer requires for a valid claim (e.g. “you must have MFA on remote access”).

Insurance pays for IR, legal, regulatory fines, and business interruption. It does not save you from the actual operational pain. Don’t treat it as a substitute for prevention — treat it as a financial safety net for when prevention fails.

10. Backups: isolated, immutable, tested

This is the one that decides whether your incident is a bad week or a business-ending event.

Isolated: backups should not be reachable from the production environment with production credentials. A separate cloud account, a different identity provider, an air-gapped tape library, an immutable cloud bucket.

Immutable: ransomware operators have spent years learning to delete or encrypt backups. Immutable backup technology — object lock in S3, immutable snapshots in Azure, dedicated immutable backup vendors — prevents this.

Tested: a backup you’ve never restored is not a backup. Restore something this quarter. Restore your most critical systems annually, in a way that proves you can meet your recovery time objective.

11. Network segmentation

A flat network is a ransomware operator’s dream. Even basic segmentation — separate VLANs for user devices, servers, OT, IoT, with firewalls between — buys you containment time. The modern alternative is zero-trust network access (ZTNA), which makes every request authenticated and authorised regardless of network location.

12. Tabletop exercises with the executive team

The most under-invested control of all. Spend 90 minutes once or twice a year walking your leadership team through a realistic ransomware scenario:

  • Email is encrypted. How do you communicate?
  • The attacker is demanding $5M. Who decides whether to negotiate?
  • A journalist calls before you’ve notified customers. Who talks to them?
  • It’s been 18 hours and engineering says recovery will take 3 more days. Are you OK with that, or do we change strategy?

You’ll learn more from one good tabletop than from any tool deployment. The leadership team needs to make these decisions on a calm Tuesday afternoon, not under live pressure with a journalist on hold.

Where to start

If you haven’t done any of this: do MFA, EDR and isolated backups first. Those three controls eliminate the simple attack paths and limit the damage when prevention fails.

If you’ve done the basics and want to move from “okay” to “resilient”: tabletop exercises and IR retainer. Most organisations skip the human side and over-invest in tools — the human side is what determines outcomes when an incident happens.
