Ransomware Readiness: A 24-Point Check
24 concrete controls that decide whether a ransomware attack ends in a ransom payment or a clean recovery, across backup, identity, endpoints, network, email, and response.
Ransomware readiness is not a feeling. “We have backups” and “we have antivirus” are the two most common things we hear from organizations that are, in practice, entirely unprepared. Backups that have never been restored are a hypothesis, not a recovery capability. Antivirus that hasn’t been replaced by a behavioral EDR is closer to a placebo. The gap between assumption and evidence is exactly where ransomware operators make their money, and it tends to show up at the worst possible moment, when a restore is needed and fails.
This checklist exists to close that gap before an incident, not during one. Every item maps to a real failure mode we’ve observed in incident response or post-incident reviews. Work through each check with a literal pass or fail. If you can’t answer a check because you genuinely don’t know the current state, score it as a fail, because an adversary will find it before you do.
1 – 6: Backup & Recovery
Backup is the floor that every other control rests on. Modern ransomware operators locate and destroy backup infrastructure before triggering encryption, which is why these six checks are the ones that most often determine whether recovery is measured in hours or weeks.
- Immutable or air-gapped backup copies exist that cannot be deleted or overwritten by a domain admin account. A backup that a ransomware-controlled account can reach and delete is not a backup; it is a false sense of security. Veeam immutability on a hardened Linux repository, AWS S3 Object Lock with WORM mode, or Wasabi Object Lock with a separate access key are concrete implementations. A backup target that is joined to your domain or accessible via the same credentials as your production environment is reachable and will encrypt along with everything else.
- At least one backup copy is offsite or held in a completely separate cloud tenant following the 3-2-1 rule. Three copies, two different media types, one offsite, and the offsite copy must live in an account with credentials that have no relationship to your production domain. A second copy in the same Microsoft 365 tenant or the same AWS account, under the same admin, is not a meaningful separation. It is a single-credential failure point.
- SaaS data (Microsoft 365, Google Workspace, Salesforce) is explicitly in scope, not assumed to be covered by vendor retention. Microsoft’s shared responsibility model does not include backup of your Exchange Online mailboxes, SharePoint libraries, or Teams data to a standard that meets most organizations’ RTO. Vendor retention policies are not backup. A third-party SaaS backup product (Veeam Backup for Microsoft 365, Backupify, Spanning) with a copy held in a separate tenant or storage account closes this gap. If you are not paying for SaaS backup, you probably do not have it.
- Restores are tested quarterly against documented RTO and RPO targets, and results are recorded. A backup that has never been restored is a hypothesis. A quarterly restore test should pick at least one critical system or dataset, restore it to an isolated environment, verify integrity, and produce a timestamped log of the result alongside your stated Recovery Time Objective and Recovery Point Objective. If you cannot recover within your stated RTO in a test, you will not recover within it in an incident. The log is what you show during a post-incident review or an insurance claim.
- Backup administrator credentials are completely separate from domain admin credentials and stored in a dedicated vault. If the same set of Active Directory credentials can administer your domain and your backup console, a single compromised account can encrypt your environment and then delete the backups. Backup portals and cloud vault accounts must run under dedicated credentials with their own MFA, ideally stored in an offline or segregated password manager, not in the same vault accessed by your production admin accounts.
- Backup jobs are monitored for failure and a human investigates within 24 hours when they fail. Silent backup failures are the most common root cause of “we thought we had backups” discoveries during incident response. Every backup job must send a success or failure notification to a monitored channel, not an unread shared mailbox, with a defined SLA for investigation on failure. A week of failed backup jobs during an attacker’s dwell period eliminates your recovery window entirely.
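As an added example that is not part of the original checklist, the following Python script applies the monitoring rule from the backup-job item above to a constructed set of job notifications: it flags jobs whose latest run failed and, separately, jobs that have gone silent, which is what a disabled job or a broken notification path looks like. Job names, intervals and timestamps are invented.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of backup job notifications (invented job names, UTC
# timestamps), one entry per run as a monitored channel would receive them.
SAMPLE_REPORTS = [
    {"job": "fileserver-daily", "time": "2024-05-06T01:10:00Z", "status": "success"},
    {"job": "fileserver-daily", "time": "2024-05-07T01:12:00Z", "status": "failed"},
    {"job": "dc-daily", "time": "2024-05-07T02:00:00Z", "status": "success"},
    {"job": "sql-hourly", "time": "2024-05-07T05:00:00Z", "status": "success"},
    {"job": "m365-tenant", "time": "2024-05-03T02:00:00Z", "status": "success"},
    # "offsite-copy" sends nothing at all: the job was disabled and nobody noticed
]

# Expected jobs and their scheduled interval in hours (constructed).
EXPECTED_JOBS = {
    "fileserver-daily": 24,
    "dc-daily": 24,
    "sql-hourly": 1,
    "m365-tenant": 24,
    "offsite-copy": 24,
}

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def assess_backup_jobs(reports, expected, now):
    """Return {job: {"finding": ..., "hours_since_success": ...}} for every
    expected job that needs a human to look at it.

    finding is "failed" (latest run reported failure) or "silent" (no report
    at all within two scheduled intervals, which is how disabled jobs and
    broken notification paths look). hours_since_success is the age of the
    last good run, i.e. how far back the recovery point already is, or None
    if no successful run was ever reported.
    """
    latest, last_ok = {}, {}
    for r in reports:
        t = parse_time(r["time"])
        if r["job"] not in latest or t > latest[r["job"]][0]:
            latest[r["job"]] = (t, r["status"])
        if r["status"] == "success" and t > last_ok.get(r["job"], datetime.min.replace(tzinfo=timezone.utc)):
            last_ok[r["job"]] = t
    findings = {}
    for job, interval_h in expected.items():
        age_ok = (round((now - last_ok[job]).total_seconds() / 3600, 1)
                  if job in last_ok else None)
        if job not in latest or now - latest[job][0] > timedelta(hours=2 * interval_h):
            findings[job] = {"finding": "silent", "hours_since_success": age_ok}
        elif latest[job][1] != "success":
            findings[job] = {"finding": "failed", "hours_since_success": age_ok}
    return findings

if __name__ == "__main__":
    now = parse_time("2024-05-07T08:00:00Z")
    for job, f in sorted(assess_backup_jobs(SAMPLE_REPORTS, EXPECTED_JOBS, now).items()):
        print(f"{job:18} {f['finding']:7} last good run {f['hours_since_success']}h ago")
```

The "hours since success" figure is the number to compare against your RPO; a job that is merely failing is recoverable from its last good run, while a silent one may have no run you can trust at all.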
7 – 11: Identity
Modern ransomware deployments begin with credential theft or phishing and escalate through weak identity controls. If an attacker reaches domain admin or global admin, every technical control downstream becomes a race against the clock. These five checks address the controls that stop that escalation.
- MFA is enforced, not offered, on every account, including administrators and VPN authentication. A password alone does not stop credential-based attacks. Phishing, credential stuffing, and password spraying bypass it instantly. Enforce MFA via Microsoft 365 Conditional Access policies with no IP-range or per-user exceptions. Admin accounts and VPN authentication warrant phishing-resistant MFA (FIDO2 hardware keys or Microsoft Authenticator number matching) rather than SMS codes that are trivially intercepted or SIM-swapped.
- Legacy and Basic Authentication protocols are fully disabled for all users, not just new accounts. Basic Auth sends credentials as a base64-encoded string and cannot enforce Conditional Access policies, which is why it is the attacker’s preferred path around MFA. In Exchange Online, verify that Authentication Policies block basic auth across all protocols (SMTP AUTH, IMAP, POP, and Exchange ActiveSync) for all users. Check Sign-in logs filtered by “Legacy authentication client” to confirm there is no surviving legacy auth traffic before you declare this closed.
- No shared or generic admin accounts exist; every administrative action is attributable to a named individual. Shared accounts destroy forensic accountability and make credential rotation incomplete. Every administrator must have an individual privileged account used exclusively for admin tasks, not for email or browsing. Service accounts used by applications must be distinct, documented, and have passwords stored in a PAM vault, not in a spreadsheet or a Slack message.
- Least-privilege access is applied and just-in-time elevation is required for all privileged roles. Permanent Domain Admin or Global Admin assignment for accounts that only occasionally need those rights is a standing target. Azure AD Privileged Identity Management, CyberArk, or BeyondTrust can require a justification and approval step before activating elevated rights, with time-limited sessions and full audit logging. Day-to-day administrative work should run under accounts that are not permanent members of privileged groups.
- Conditional Access policies enforce device compliance and location controls for all cloud application access. An Entra ID Conditional Access policy that requires a compliant managed device for access to sensitive applications, blocks all legacy auth client types, and flags or blocks authentication from unexpected geographies is a concrete control that stops credential reuse from attacker infrastructure. At minimum: require compliant device for all admin roles; require MFA for every user on every cloud app; block legacy auth clients universally.
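To illustrate the legacy-authentication check above (an added example, not from the original checklist), this Python script summarises constructed Entra ID sign-in records by legacy client type, separating accounts that still authenticate successfully over legacy protocols from sources that are only failing. The legacy client list is assumed to match the portal’s filter; users, IPs and error codes are invented samples.

```python
from collections import defaultdict

# Client app types that the Entra ID sign-in log groups under its
# "Legacy authentication client" filter (assumed current; verify against
# your tenant's filter before relying on the list).
LEGACY_CLIENT_APPS = {
    "Authenticated SMTP", "Autodiscover", "Exchange ActiveSync",
    "Exchange Online PowerShell", "Exchange Web Services", "IMAP4",
    "MAPI Over HTTP", "Offline Address Book", "Other clients",
    "Outlook Anywhere (RPC over HTTP)", "Outlook Service", "POP3",
    "Reporting Web Services", "Universal Outlook",
}

# Constructed sample sign-in records in the shape of a Graph signIns export
# (invented users and IPs). errorCode 0 means the sign-in succeeded.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "Browser",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "alice@example.com", "clientAppUsed": "IMAP4",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-scanner@example.com", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "192.0.2.25", "status": {"errorCode": 0}},
    {"userPrincipalName": "svc-scanner@example.com", "clientAppUsed": "Authenticated SMTP",
     "ipAddress": "192.0.2.25", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "ipAddress": "203.0.113.11", "status": {"errorCode": 0}},
    {"userPrincipalName": "bob@example.com", "clientAppUsed": "Other clients",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"userPrincipalName": "carol@example.com", "clientAppUsed": "Other clients",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
]

def legacy_auth_report(signins):
    """Summarise legacy-auth traffic before declaring basic auth closed.

    open_accounts  - {user: {protocol: successful sign-in count}}: accounts
                     that still work over a legacy protocol and must be
                     migrated (or will break) when it is blocked
    failed_sources - {ipAddress: failed legacy attempt count}: sources
                     trying basic auth and failing, i.e. guessing that
                     Conditional Access cannot evaluate
    closed         - True only when no successful legacy sign-in remains
    """
    open_accounts = defaultdict(lambda: defaultdict(int))
    failed_sources = defaultdict(int)
    for s in signins:
        if s["clientAppUsed"] not in LEGACY_CLIENT_APPS:
            continue  # modern auth: Conditional Access already applies
        if s["status"]["errorCode"] == 0:
            open_accounts[s["userPrincipalName"]][s["clientAppUsed"]] += 1
        else:
            failed_sources[s["ipAddress"]] += 1
    return {
        "open_accounts": {u: dict(p) for u, p in open_accounts.items()},
        "failed_sources": dict(failed_sources),
        "closed": not open_accounts,
    }

if __name__ == "__main__":
    import json
    print(json.dumps(legacy_auth_report(SAMPLE_SIGNINS), indent=2))
```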
12 – 16: Endpoints
Ransomware executes at the endpoint level even when initial access came through email or a web application. What runs on your endpoints, and how quickly behavioral anomalies are detected, determines whether you contain an incident in one machine or respond to a domain-wide encryption event.
- A managed EDR or MDR solution is deployed across all endpoints and servers, not just legacy signature-based antivirus. Traditional AV does not catch modern ransomware strains that use living-off-the-land techniques: PowerShell, WMI, LSASS access, LOLBins. An EDR platform (CrowdStrike Falcon, SentinelOne, or Microsoft Defender for Endpoint Plan 2) with behavioral detection enabled catches these patterns before encryption begins. MDR means a human analyst reviews and responds to detections, which matters if you do not have internal SOC capacity for after-hours alert triage.
- Patch cadence is documented, enforced, and evidenced: critical patches applied within 14 days, all others within 30. Unpatched internet-facing systems and unpatched endpoints are among the top ransomware entry vectors alongside phishing. “We patch regularly” is not a control; a patch compliance report from Intune, NinjaRMM, or your RMM platform showing deployment rates and outstanding patch age is. Treat any internet-facing system with outstanding critical patches as an active exposure, not a scheduled task.
- Microsoft Office macro execution is restricted to signed macros or disabled entirely via Group Policy or Intune. VBA macro-based malware delivery has been a standard technique for decades and remains effective because most organizations never changed the default setting. A GPO or Intune configuration profile that sets macros to “Disable all macros except digitally signed macros”, or disables them entirely, eliminates a broad category of phishing-to-execution paths. For organizations that do not develop internal macro-based tools, disabling macros entirely is the right call.
- Application allow-listing is enforced on servers, restricting execution to an approved set of signed applications. Application control (Windows Defender Application Control, AppLocker, or a third-party equivalent) means that a ransomware binary dropped by an attacker who has valid credentials and write access to disk still cannot execute. This is one of the most effective ransomware prevention controls available on Windows and among the least deployed. Start with servers if full endpoint coverage is not immediately achievable; servers are the priority target for ransomware operators seeking to maximize damage.
- Local administrator rights have been removed from standard user accounts, with LAPS managing local admin credentials per machine. A standard user who is also a local administrator can install software, disable endpoint security tools, and run malicious payloads without UAC friction. Removing local admin rights from all standard users is a foundational hardening step. Deploy Microsoft LAPS to manage unique, rotated local administrator passwords per workstation so that compromising one machine’s local admin credential does not provide access to the next.
17 – 20: Network
Once ransomware is executing on one host, network architecture determines how far it spreads. A flat network where any host can reach any other host on any port turns a single compromised endpoint into a ransomware launch platform for the entire organization. These four checks address the containment controls that limit blast radius.
- Network segmentation is implemented so that a single compromised workstation cannot directly reach servers, backups, or other workstations. Workstations, servers, backup infrastructure, and guest wireless must be in separate VLANs with firewall enforcement between zones. A workstation in the finance department should not have direct TCP access to a production database server or to the backup repository. Document the intended segmentation and verify it with a scan or a tabletop exercise; assumed segmentation that has never been validated is a common gap.
- RDP (port 3389) is not exposed directly to the internet on any host. Internet-exposed RDP is one of the top three initial access vectors in ransomware incidents and has been for years. Run a Shodan query on your public IP space right now. If port 3389 is visible, that is an active exposure being actively scanned. RDP must be accessible only through a VPN or ZTNA gateway with MFA enforced at the gateway level, not through a firewall hole opened for a specific vendor years ago and never reviewed.
- Egress filtering restricts outbound connections from servers to known-good destinations and ports. Ransomware uses outbound connections for command-and-control traffic, encryption key retrieval, and data exfiltration (double extortion). A default-allow-all outbound firewall policy on servers is a ransomware enabler. Restrict outbound traffic to specific required destinations and ports per server function. Add DNS filtering (Cisco Umbrella or Cloudflare Gateway) to block known-malicious domains at resolution, before a TCP connection is established.
- Zero Trust Network Access is in place or actively being implemented to replace flat VPN access. A traditional VPN that places a remote user directly on an internal network segment grants lateral movement potential to anyone who compromises that remote session. ZTNA solutions (Zscaler Private Access, Cloudflare Access, Microsoft Entra Private Access) enforce per-application access policies based on user identity and device posture on every session, so a compromised remote credential can reach only its authorized application rather than the entire internal network.
21 – 23: Email
Email remains the dominant initial access vector in ransomware campaigns. These three controls reduce the probability of a malicious payload reaching a user’s inbox and prevent your domain from being spoofed in campaigns targeting your employees or customers.
- Advanced phishing and impersonation filtering is enabled beyond the default mail protection tier. Microsoft Defender for Office 365 Plan 1, included in Microsoft 365 Business Premium, provides Safe Links detonation, Safe Attachments sandboxing, and anti-impersonation policies that base Exchange Online Protection does not. These features are available but not enabled by default. Verify that anti-phishing policies protect against user and domain impersonation with executive names and your sending domains specified explicitly, and that high-confidence phishing is quarantined rather than delivered to junk.
- SPF, DKIM, and DMARC are fully configured, with DMARC set to p=reject. SPF limits which servers may send mail for your domain. DKIM cryptographically signs outbound messages. DMARC ties them together and tells receiving servers what to do when a message fails both checks. Only p=reject actively blocks spoofed messages; p=none is a monitoring posture that enforces nothing. Query your DNS record at _dmarc.yourdomain.com right now: if there is no record, or if the policy is none or quarantine, attackers can send email that appears to come from your domain. Moving to p=reject requires validating all legitimate sending sources first; the DMARC aggregate reports (rua) show you what to protect before you enforce.
- Risky attachment types are sandboxed or blocked before delivery, including macro-enabled Office documents, executables, and ISO files. Executables, macro-enabled Office documents (.xlsm, .docm), ISO files, LNK files, and password-protected archives are the standard ransomware delivery mechanisms. Safe Attachments in Defender for Office 365 detonates attachments in an isolated environment before delivery. Supplement with a mail flow rule that blocks or quarantines the highest-risk extension categories regardless of sandboxing results. Confirm that protection policies apply to all users including executives, who are frequently excluded from aggressive filtering by well-meaning administrators.
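An added example (not part of the original post) for the SPF/DKIM/DMARC item: a Python evaluator that reads a DMARC TXT record string and reports the enforcement posture it actually provides, including the pct= and sp= weakenings that make a p=reject record only partially enforcing. The records are constructed samples using example.com; to use it, pass the TXT value you fetch from _dmarc.yourdomain.com.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def evaluate_dmarc(record):
    """Classify the enforcement a DMARC record actually provides.

    Returns (posture, findings). posture is one of:
      missing    - no record, not a DMARC record, or no p= tag
      monitoring - p=none: reports only, spoofed mail is still delivered
      quarantine - p=quarantine: spoofed mail goes to junk, not rejected
      partial    - p=reject weakened by pct<100 or a weaker sp= for subdomains
      enforcing  - p=reject on 100% of mail, subdomains included
    """
    tags = parse_dmarc(record) if record else None
    if tags is None or "p" not in tags:
        return "missing", ["no valid DMARC record with a p= tag"]
    findings = []
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so legitimate "
                        "senders that would break on enforcement stay invisible")
    policy = tags["p"].lower()
    if policy == "none":
        return "monitoring", findings + ["p=none enforces nothing"]
    if policy == "quarantine":
        return "quarantine", findings + ["p=quarantine sends spoofed mail to junk instead of rejecting it"]
    if policy != "reject":
        return "missing", findings + [f"unknown policy p={policy}"]
    weakened = []
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        weakened.append(f"pct={pct}: only that share of failing mail is rejected")
    subpolicy = tags.get("sp", "reject").lower()  # sp defaults to p when absent
    if subpolicy != "reject":
        weakened.append(f"sp={subpolicy}: subdomains of the domain can still be spoofed")
    return ("partial" if weakened else "enforcing"), findings + weakened

# Constructed sample records (example.com placeholders, not real DNS answers).
SAMPLES = {
    "none":       "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "pct":        "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@example.com",
    "sp":         "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.com",
    "quarantine": "v=DMARC1; p=quarantine",
    "reject":     "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "empty":      "",
    "spf":        "v=spf1 include:spf.protection.outlook.com -all",
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        posture, findings = evaluate_dmarc(rec)
        print(f"{name:10} {posture:10} {'; '.join(findings)}")
```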
24: People & Response
Technical controls fail. When they do, the quality of your response determines the duration and cost of the incident. This final section addresses the human and process layer, the difference between a coordinated recovery and a chaotic one that runs into weeks and ends with a ransom negotiation.
- A written, tested incident response plan covers ransomware explicitly, a tabletop has been run in the last 12 months, and an out-of-band communications plan exists for when your email and systems are down. A plan that lives in someone’s memory or a Google Doc that hasn’t been reviewed in two years is not a plan. Your IR plan must define the incident commander, containment steps, escalation paths to external forensics, and the decision criteria for ransom consideration. “Tested” requires at least an annual tabletop exercise involving IT, leadership, legal, and communications, not just a read-through. And when ransomware takes down your mail server and internal chat simultaneously, how do your key responders communicate? The answer, a call tree with personal cell numbers, a Signal group, a printed bridge number, must exist before the incident, not be improvised during it.
- 24/7 monitoring is in place with a human who actively responds to critical alerts, not just an inbox that fills up. An EDR that generates alerts nobody reads is not a detection capability. An intrusion that starts Friday night and goes unacknowledged until Monday morning gives operators 48 hours after detection to complete their work. Whether this is an internal SOC analyst or a co-managed MDR provider, the standard is the same: mean time to respond for critical alerts must be measured in minutes, and that SLA must exist in writing and be tracked. Verify your current coverage schedule and escalation path today.
- Cyber insurance coverage has been reviewed against your actual controls in the last 12 months, and the policy’s required control attestations match your current posture. Cyber insurers increasingly require specific controls (MFA universally enforced, EDR deployed, immutable backup in place, IR plan documented) as conditions of coverage. A claim denied because controls weren’t in place at the time of the incident is a scenario we have seen firsthand. Review your policy’s coverage triggers, exclusions, and required attestations annually with your broker. If your insurer hasn’t asked specifically about your MFA deployment rate, EDR coverage, and backup immutability, that is a conversation worth initiating, not a sign that those requirements don’t apply.
⚠ Reading your score
24/24: Excellent posture, schedule a rerun in six months and after any significant infrastructure change.
20–23: Strong foundation with specific gaps. Prioritize any Fails in backup, identity, and monitoring first; these carry the highest incident-cost multiplier.
Below 20: You are betting the business. At this posture level, ransomware recovery typically involves weeks of downtime, ransom negotiation, and potential data exposure. The organizations that write ransom checks almost always score below 18 on this list, not because they didn’t take security seriously, but because they assumed they were covered without running the evidence to verify it. The remediation cost is a fraction of the incident cost. Treat every Fail as a ranked remediation item, not a to-do list footnote.
We can help you close these gaps through our managed security and managed IT services, immutable backup architecture including Veeam and SaaS coverage, managed EDR with 24/7 response, Microsoft 365 identity hardening, and incident response planning. Our advisory practice handles policy, tabletop exercises, and insurance alignment. Contact us if you’d like to discuss your ransomware readiness posture.