Ransomware readiness
Quarterly readiness walk for executives, defenders, and the people who keep the lights on. Modern ransomware steals first, encrypts maybe, and most damage happens after the first signs were already visible.
Ransomware is no longer a single event. It is the visible part of a chain that has often been running for weeks. Initial access, persistence, privilege escalation, identity compromise, exfiltration, then sometimes encryption. The encryption is the part that grabs headlines. The theft is the part that decides whether you have a regulatory crisis and a public-trust crisis on top of an operational one.
Most ransomware damage happens after the first signs were already visible.
Recovery is a race between containment certainty and organisational hesitation. The hesitation usually wins because the controls were not pre-decided, the authority chain was not named, and the person who could declare the incident was waiting for someone more senior to confirm it was real.
Readiness is not paranoia. It is pre-decided answers. Who calls the incident? Who authorises a payment? Who talks to staff at 06:30? Where are the backups? When were they last restored, not just verified? If your identity provider is gone, can you log in to recover it? If your runbook lives in the wiki and the wiki needs SSO, do you have a runbook?
The system can be restored. Trust takes longer. Many organisations discover during a ransomware incident that they cannot authenticate their way back into recovery. The runbook is behind the IdP. The IdP recovery email is in the IdP. The backup admin is also the cloud billing owner. The estate-wide token revocation has never been rehearsed. The corporate comms channel is the one the attacker is reading.
If you find yourself answering “we’d figure it out”, that is the answer. You are not ready.
Run this once a quarter. Walk it with executives, not just defenders. Any unchecked critical item is an accepted operational risk. Make sure someone senior is consciously accepting it, by name, in writing.
Checklist
Backups you can actually use
- Tested a full restore in the last 90 days [Critical]
  Not a sample file. A whole system. Time it. Write down how long it took.
- At least one backup copy is offline or immutable [Critical]
  If your attacker can encrypt it, it is not a backup.
- Backup admin credentials are not your normal admin credentials [Critical]
- Backup coverage matches your actual critical-system list
- Recovery point objective is written down and your team agrees with it
- SaaS data (mail, files, CRM) covered by a backup you control
  The vendor's retention is not your backup.
Identity and cloud admin
- Break-glass identity accounts exist, are stored safely, and are tested quarterly [Critical]
  Tested means someone logged in with them. Not "documented."
- IdP recovery process is documented and the steps are runnable without the IdP [Critical]
- Cloud administrator identities are separate from day-to-day identities [Critical]
- Phishing-resistant MFA (hardware key or platform passkey) on every admin [Critical]
  Push approval and SMS are not enough. MFA fatigue works.
- Conditional-access emergency bypass process exists and is logged when used
- SaaS tenant recovery contacts validated for every business-critical platform
  Microsoft, Google, Okta, GitHub, Salesforce, Slack. Names and out-of-hours numbers.
- Federation and SSO failure mode is known and survivable
- OAuth app grants and consent policies audited in the last 90 days [Maturity]
Trust recovery
- Critical recovery documentation is available offline and outside the IdP that may be compromised [Critical]
  If your runbook lives in the wiki and the wiki needs SSO, you have no runbook.
- Mass token and session revocation across the estate has been rehearsed [Critical]
- Trust restoration sequence is written down (what comes back online, in what order) [Critical]
- Cloud platform billing and tenant-owner identities are recoverable separately from technical admin [Critical]
  The technical admin and the billing owner go down together if they share a person.
- Internal comms channel survives loss of the corporate IdP [Critical]
  Signal, a pre-shared bridge, or a phone tree. Not "we'll use Teams."
- Vendor and platform recovery contacts can authenticate you without your own IdP [Critical]
- Emergency MFA reset procedure rehearsed in the last 90 days
- Responder identity verification path that does not depend on the IdP
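The "trust restoration sequence" and "runbook behind the IdP" items are one problem seen twice: a recovery dependency graph that contains a cycle. The following is an added example, not the page's own material or any vendor's tooling, that writes the sequence down as a dependency map, refuses to produce an order when recovery depends on itself, and otherwise emits the order in which things come back online. The component names and the "as found" and "fixed" estates are constructed for illustration; the idea generalises to any estate you can express as "X needs Y recovered first".

```python
"""Recovery-dependency check for the trust-restoration sequence.

Added example, not part of the original checklist. The component names and
dependency edges below are constructed to show the failure mode in the text:
recovery tooling that depends on the identity provider it is meant to recover.
"""
from collections import defaultdict, deque


def all_components(deps):
    """Every component named anywhere in the dependency map."""
    nodes = set(deps)
    for needed in deps.values():
        nodes |= set(needed)
    return nodes


def recovery_roots(deps):
    """Components that need nothing else first: what must exist offline."""
    return sorted(n for n in all_components(deps) if not deps.get(n))


def find_cycle(deps):
    """Return one dependency cycle as [a, b, ..., a], or [] if none exists.
    deps maps component -> set of components that must be recovered before it."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {n: WHITE for n in all_components(deps)}
    path = []

    def visit(n):
        colour[n] = GREY
        path.append(n)
        for d in sorted(deps.get(n, ())):
            if colour[d] == GREY:            # back edge: d is already on the path
                return path[path.index(d):] + [d]
            if colour[d] == WHITE:
                found = visit(d)
                if found:
                    return found
        path.pop()
        colour[n] = BLACK
        return []

    for n in sorted(colour):
        if colour[n] == WHITE:
            found = visit(n)
            if found:
                return found
    return []


def restoration_order(deps):
    """Kahn's topological sort: what comes back online, in what order.
    Raises ValueError naming the cycle if recovery depends on itself."""
    cycle = find_cycle(deps)
    if cycle:
        raise ValueError("recovery depends on itself: " + " -> ".join(cycle))
    nodes = all_components(deps)
    remaining = {n: len(deps.get(n, ())) for n in nodes}
    dependents = defaultdict(set)
    for n, needed in deps.items():
        for d in needed:
            dependents[d].add(n)
    ready = deque(sorted(n for n in nodes if remaining[n] == 0))
    order = []
    while ready:
        n = ready.popleft()
        order.append(n)
        for m in sorted(dependents[n]):
            remaining[m] -= 1
            if remaining[m] == 0:
                ready.append(m)
    return order


# Constructed "as found" estate: runbook in the wiki, wiki behind SSO, SSO on the
# IdP, IdP recovery steps in the runbook, break-glass credentials in an
# IdP-protected vault. Nothing can start.
AS_FOUND = {
    "runbook": {"wiki"},
    "wiki": {"sso"},
    "sso": {"idp"},
    "idp": {"runbook", "break_glass_account"},
    "break_glass_account": {"idp"},
    "backup_admin": {"sso"},
    "backups": {"backup_admin"},
    "production": {"backups", "sso"},
}

# Constructed "fixed" estate: offline runbook, break-glass credentials in a safe,
# backup admin credentials that are not the corporate SSO identity.
FIXED = {
    "runbook": set(),
    "break_glass_account": set(),
    "idp": {"runbook", "break_glass_account"},
    "sso": {"idp"},
    "wiki": {"sso"},
    "backup_admin": {"runbook"},
    "backups": {"backup_admin"},
    "production": {"backups", "sso"},
}

if __name__ == "__main__":
    for name, estate in (("as found", AS_FOUND), ("fixed", FIXED)):
        print(name, "roots:", recovery_roots(estate))
        try:
            print(name, "order:", " -> ".join(restoration_order(estate)))
        except ValueError as e:
            print(name, "FAIL:", e)
```

`recovery_roots` is the useful output even before you look at the order: it lists what has to exist with no dependency at all, which is exactly the set of things that must be offline, in a safe, or on paper. For the "as found" estate that list is empty, which is the page's "we'd figure it out" in machine-readable form.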
Detection and time
- EDR on every server and every endpoint that matters [Critical]
- Critical alerts have been tested out-of-hours in the last 90 days [Critical]
- Log retention windows are written down and meet investigation needs
- Backlog of detection-engineering items is reviewed monthly [Maturity]
- Identity anomaly alerts (impossible travel, new device, mass-grant, mass-disable) are active [Critical]
- High-volume outbound transfer alerts are tuned and routed to someone awake
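What "active" and "tuned" mean for the mass-disable, mass-grant and bulk-egress items above, as an added example that is not the page's own code or any vendor's product: two sliding-window detections run over constructed identity audit events and flow records. The event layouts, thresholds, the internal address ranges and the approved bulk destination are all assumptions to be replaced with your own; the point is that the tuning (what is internal, what is an approved backup target) lives beside the rule, so the nightly backup and the single leaver disabled by the helpdesk do not page anyone.

```python
"""Two of the alerts in the 'Detection and time' items, run over constructed
events. Added example, not the page's or any vendor's code: the event shapes,
thresholds and address ranges are assumptions to be replaced with your own."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed identity audit events: (timestamp, actor, action, target).
IDENTITY_EVENTS = [
    ("2024-03-02T02:14:05", "svc-hr-sync", "disable_user", "u1001"),
    ("2024-03-02T02:14:06", "svc-hr-sync", "disable_user", "u1002"),
    ("2024-03-02T02:14:06", "svc-hr-sync", "disable_user", "u1003"),
    ("2024-03-02T02:14:07", "svc-hr-sync", "disable_user", "u1004"),
    ("2024-03-02T02:14:09", "svc-hr-sync", "disable_user", "u1005"),
    ("2024-03-02T02:14:11", "svc-hr-sync", "disable_user", "u1006"),
    ("2024-03-02T02:20:40", "jdoe", "grant_role", "GlobalAdmin:u2001"),
    ("2024-03-02T02:20:41", "jdoe", "grant_role", "GlobalAdmin:u2002"),
    ("2024-03-02T02:20:43", "jdoe", "grant_role", "GlobalAdmin:u2003"),
    ("2024-03-02T09:00:00", "helpdesk", "disable_user", "u3001"),  # one leaver, normal
    ("2024-03-02T11:30:00", "helpdesk", "disable_user", "u3002"),
]

# Constructed flow records: (timestamp, src_host, dst_ip, bytes_out).
FLOWS = [
    ("2024-03-02T01:00:00", "fs01", "10.20.0.5", 40_000_000_000),   # nightly copy to internal target
    ("2024-03-02T02:30:00", "fs01", "203.0.113.9", 900_000_000),
    ("2024-03-02T02:35:00", "fs01", "203.0.113.9", 1_200_000_000),
    ("2024-03-02T02:40:00", "fs01", "203.0.113.9", 1_100_000_000),
    ("2024-03-02T02:45:00", "fs01", "192.0.2.10", 3_500_000_000),    # approved cloud backup target
    ("2024-03-02T03:10:00", "ws042", "198.51.100.20", 50_000_000),   # one user, one large upload
]

# Tuning (assumptions for this example): what counts as inside, and which
# external destinations are approved for bulk transfer.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
APPROVED_BULK_DESTS = frozenset({"192.0.2.10"})


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def burst_actors(events, action, threshold, window_minutes):
    """Mass-disable / mass-grant: actors performing `action` at least `threshold`
    times inside any window of `window_minutes`. Returns {actor: peak count}."""
    window = timedelta(minutes=window_minutes)
    times_by_actor = defaultdict(list)
    for ts, actor, act, _target in sorted(events):
        if act == action:
            times_by_actor[actor].append(_ts(ts))
    hits = {}
    for actor, times in times_by_actor.items():
        recent = deque()
        peak = 0
        for t in times:                       # sorted, so a deque is the window
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            hits[actor] = peak
    return hits


def bulk_egress(flows, threshold_bytes, window_minutes, approved=APPROVED_BULK_DESTS):
    """Hosts sending more than `threshold_bytes` to external, non-approved
    destinations inside any window of `window_minutes`. Returns {host: peak bytes}."""
    window = timedelta(minutes=window_minutes)
    recs_by_host = defaultdict(list)
    for ts, host, dst, nbytes in sorted(flows):
        if dst in approved or any(ip_address(dst) in net for net in INTERNAL_NETS):
            continue                          # the tuning: internal copies and approved targets
        recs_by_host[host].append((_ts(ts), nbytes))
    hits = {}
    for host, recs in recs_by_host.items():
        recent = deque()
        total = peak = 0
        for t, n in recs:
            recent.append((t, n))
            total += n
            while t - recent[0][0] > window:
                _old_t, old_n = recent.popleft()
                total -= old_n
            peak = max(peak, total)
        if peak > threshold_bytes:
            hits[host] = peak
    return hits


def run_detections():
    """Assumed thresholds: 5 disables or 3 admin grants in 10 minutes, 2 GB out in 1 hour."""
    return {
        "mass_disable": burst_actors(IDENTITY_EVENTS, "disable_user", 5, 10),
        "mass_grant": burst_actors(IDENTITY_EVENTS, "grant_role", 3, 10),
        "bulk_egress": bulk_egress(FLOWS, 2_000_000_000, 60),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(name, hits or "no hits")
```

Running it flags the service account that disabled six users in six seconds, the admin who handed out three GlobalAdmin roles in three seconds, and the file server that pushed 3.2 GB to an unapproved external address; the 40 GB internal copy, the 3.5 GB to the approved backup target and the single large upload stay quiet. The "routed to someone awake" half of the item is not code, and the out-of-hours test in the list above is how you find out whether it is true.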
Containment ability
- Production network can be cut from corporate without a meeting [Critical]
- Tier-zero AD assets are inventoried and access is limited [Critical]
- EDR network-isolate has been used on a real host this quarter [Critical]
- Process exists to revoke a privileged credential in under 10 minutes [Critical]
- Remote management and deployment tooling can be paused estate-wide in one action [Critical]
  RMM, GPO push, MDM, CI/CD deploy. All of it.
- Third-party and vendor network paths can be cut without breaking the rest
Data theft and extortion
- Sensitive data locations are mapped well enough to scope a theft in hours, not weeks [Critical]
- Process exists for rapid assessment of stolen-data impact (records, fields, individuals) [Critical]
- Designated channel and named person for any attacker contact [Critical]
  No one freelances a reply. Counsel and IR firm before any response.
- Regulatory notification clocks for data theft (not just for the encryption event) are known by name [Critical]
- DLP and outbound monitoring tuned for credential, source-code, and bulk PII egress
- Position is decided in advance on attacker pressure tactics (leak site, customer contact, regulator threat)
- Customer notification template exists and has been legal-reviewed [Maturity]
What actually breaks
- Anyone on the response team can declare an incident without waiting for executive sign-off [Critical]
  Most ransomware damage happens while people wait for someone with the authority to declare.
- First-hour decision authority is named, not assumed [Critical]
- Executives have been briefed that they will be asked for decisions with incomplete information [Critical]
- Specific roles have pre-granted authority to take production offline for containment [Critical]
- Out-of-hours, weekend, and holiday declaration authority is named and reachable [Critical]
- Wait-and-see thresholds are written down and short
- Recovery time estimates are based on past tabletops with a hesitation multiplier, not vendor figures
People, roles, and money
- Incident response firm on retainer with after-hours number [Critical]
- Cyber-aware legal counsel identified by name [Critical]
- Decision tree for ransom-payment authority is signed off and current with sanctions guidance [Critical]
- Internal comms lead named for incident scenarios
- Executives have walked a destructive scenario this year, not just read the deck [Critical]
- Cyber insurance policy current and you have read the playbook clause
- Insurer's panel IR firm is one you would actually want on the bridge [Maturity]