Playbook · ransomware

The intrusion comes first. Break the chain before the encryption.

Ransomware is the noisy end of a quiet break-in. By the time the note appears, the attacker has been inside for weeks: getting in, climbing up, spreading out, stealing. Readiness means breaking that chain early, where it’s far easier to stop.

The intrusion before the ransom

Encryption is the last step, not the first.

Ransomware crews get in, climb up, spread out, and steal. Then they lock. Every link is a chance to break the chain. You don’t have to win all six. You have to win one, in time.

The catch on the last link: if a stolen domain-admin account can reach your backups, so can the attacker. Keep one copy offline or immutable, off the production domain, and prove it restores.

The checklist

Run this against your own estate.

Print it, work through it, be honest. A “no” isn’t a failure. It’s next quarter’s line item. Grouped by stage, roughly in priority order.

Identity
  • 01Phishing-resistant MFA enforced on email, VPN, remote access and every admin/cloud console.
  • 02No shared or generic admin accounts; every privileged action ties to a named person.
  • 03Tiered administration in place: directory, server and workstation admin are separated.
  • 04Service accounts inventoried, with strong unique passwords and the minimum rights they need.
  • 05Dormant and former-employee accounts disabled; access reviewed on a set cadence.
  • 06Conditional access blocks logins from impossible locations and unmanaged devices.
Edge & patching
  • 07A current inventory of everything you expose to the internet. You cannot patch what you don’t know about.
  • 08RDP is not open to the internet; remote access goes through a hardened, MFA-protected gateway.
  • 09CISA KEV catalog reviewed regularly; listed vulnerabilities on your assets patched on a hard deadline.
  • 10Emergency-patch process exists for edge appliances (VPN, firewall, mail, file transfer), measured in days.
  • 11External attack surface scanned continuously, not once a year.
Endpoint & detection
  • 12EDR deployed on every endpoint and server, in block mode, with no silent gaps in coverage.
  • 13Alerts go to someone who can isolate a host out of hours and has authority to act.
  • 14Tamper protection on, so the agent cannot be killed by a local administrator.
  • 15Macros from the internet blocked by policy; script execution controlled.
  • 16Known ransomware behaviours (shadow-copy deletion, mass file rename) alert immediately.
Network & access
  • 17Network segmented so a single workstation cannot reach servers, backups and domain controllers directly.
  • 18East-west traffic between user subnets restricted and logged.
  • 19Outbound egress filtered; unexpected destinations and protocols are blocked or flagged.
  • 20DNS and egress monitored for beaconing and bulk data transfer.
  • 21Least privilege enforced on file shares; open “Everyone / Full Control” shares hunted down and closed.
Data & backups
  • 22At least one backup copy is offline or immutable and out of reach of domain credentials.
  • 23Backup infrastructure does not authenticate against the production domain.
  • 24Restores tested on a schedule against real systems, with the result recorded.
  • 25Recovery time and recovery point objectives defined, measured, and agreed with the business.
  • 26Crown-jewel data identified and known, so you can answer “what did they take?” quickly.
Response & recovery
  • 27An incident response plan exists in writing, and the key people have read it.
  • 28Out-of-band communications ready; assume email and chat are compromised or encrypted.
  • 29Retainer or on-call path to incident responders agreed before you need them.
  • 30Logs centralised and retained long enough to investigate a slow-burn intrusion.
  • 31A tabletop exercise run in the last twelve months, with the lessons actually fixed.
  • 32Legal, comms, and leadership know their role before the ransom note, not after.
Don’t assume it. Test it.

A checklist on paper is a hypothesis.

Every box above can be ticked and the chain still wide open: the MFA exemption nobody remembered, the backup that hasn’t restored in a year. The only way to know is to walk the real path.

  • Red team the real path. Operators start from a realistic foothold and try to reach domain dominance and your backups. If they get there, you found the chain before the criminals did.
  • Purple team to fix as you go. Run the attack beside your defenders, technique by technique: watch what’s caught, tune what isn’t, re-test.
  • Rehearse the response. A tabletop for technical and leadership: who isolates, who calls legal, how you talk when email’s gone.

Do it on a cadence, not once. Controls drift; validation is what keeps the checklist honest.

Go deeper

The references worth your time.

We send clients to these often. They’re free, current, and written by people who track this threat full-time. Start with the CISA guide and the KEV catalog.

Talk to an expert