Guide & Checklist

Ransomware Readiness
One-page response guide

This checklist captures the defensive controls, identity safeguards, backups, emergency contacts, and decision frameworks that keep ransomware incidents survivable. Not theory—what matters when your morning starts with “everything is encrypted.”

Isolation & recovery Privilege controls Crisis decision flow

Checklist

The core safeguards

These items shift ransomware from “business-ending” to “containable disruption.”

Backups, restores, and isolation

Offline or immutable backups for critical data
At least one copy not reachable via domain credentials
Time-boxed restore tests (quarterly minimum)
Restore entire business units, not single files
Document RTO/RPO by system
Containment network or “clean room” environment

MFA, privileged access, and CA policies

MFA enforced for admins, not just end users
Local admin passwords rotated every 30–90 days
Privileged identities separated from primary accounts
Conditional Access blocks legacy protocols & TOR exit nodes
No shared mailbox credentials
Disable “impossible travel” exceptions

IR contacts, decision makers, and outside counsel

Named Incident Commander (not “IT general”)
Legal counsel pre-contracted
Insurance provider breach hotline
Forensic vendor retainer
Public relations specialist
Executive decision tree (“power-off authority”)

Operational readiness

What matters before the breach

Detect lateral movement

Ransomware doesn’t start with encryption—it starts with discovery and credential harvesting. Watch privileged logins, SMB enumeration, and automation identities.

Segment admin paths

Separate domain controllers, backup systems, hypervisors, and M365/Workspace admin consoles from general enterprise networks.

Automate quarantine

SOC and EDR must have the authority to isolate endpoints without executive debate.

Ransomware Readiness One-page response guide