The intrusion comes first. Break the chain before the encryption.
Ransomware is the noisy end of a quiet break-in. By the time the note appears, the attacker has been inside for weeks: getting in, climbing up, spreading out, stealing. Readiness means breaking that chain early, where it’s far easier to stop.
Encryption is the last step, not the first.
Ransomware crews get in, climb up, spread out, and steal. Then they lock. Every link is a chance to break the chain. You don’t have to win all six. You have to win one, in time.
- 01
Initial access
The moveA stolen password, a phishing click, a VPN two versions behind, RDP open to the internet.
◵ Break it hereMFA everywherePatch the edge fastPhishing defence - 02
Execution & foothold
The moveThe payload runs, a shell opens, and persistence is set so a reboot won’t save you.
◵ Break it hereEDR in block modeBlock internet macrosTamper protection - 03
Privilege escalation
The moveA standard user can’t ransom a company, so they hunt a way up to admin or SYSTEM.
◵ Break it hereTiered adminLeast privilegeUnique local admin (LAPS) - 04
Lateral movement
The moveThey hop host to host on harvested credentials, heading for the domain controllers.
◵ Break it hereNetwork segmentationRestrict east-westKill credential reuse - 05
Discovery & exfiltration
The moveThey find the crown jewels and steal them first: the “pay twice” double extortion.
◵ Break it hereEgress & DNS monitoringHuntable logging - 06
Encryption
The moveBackups deleted, tooling disabled, every reachable host locked, at 3am on a Saturday.
◵ Break it hereOffline / immutable backupsBackups off the domainTested restores
The catch on the last link: if a stolen domain-admin account can reach your backups, so can the attacker. Keep one copy offline or immutable, off the production domain, and prove it restores.
Run this against your own estate.
Print it, work through it, be honest. A “no” isn’t a failure. It’s next quarter’s line item. Grouped by stage, roughly in priority order.
- 01Phishing-resistant MFA enforced on email, VPN, remote access and every admin/cloud console.
- 02No shared or generic admin accounts; every privileged action ties to a named person.
- 03Tiered administration in place: directory, server and workstation admin are separated.
- 04Service accounts inventoried, with strong unique passwords and the minimum rights they need.
- 05Dormant and former-employee accounts disabled; access reviewed on a set cadence.
- 06Conditional access blocks logins from impossible locations and unmanaged devices.
- 07A current inventory of everything you expose to the internet. You cannot patch what you don’t know about.
- 08RDP is not open to the internet; remote access goes through a hardened, MFA-protected gateway.
- 09CISA KEV catalog reviewed regularly; listed vulnerabilities on your assets patched on a hard deadline.
- 10Emergency-patch process exists for edge appliances (VPN, firewall, mail, file transfer), measured in days.
- 11External attack surface scanned continuously, not once a year.
- 12EDR deployed on every endpoint and server, in block mode, with no silent gaps in coverage.
- 13Alerts go to someone who can isolate a host out of hours and has authority to act.
- 14Tamper protection on, so the agent cannot be killed by a local administrator.
- 15Macros from the internet blocked by policy; script execution controlled.
- 16Known ransomware behaviours (shadow-copy deletion, mass file rename) alert immediately.
- 17Network segmented so a single workstation cannot reach servers, backups and domain controllers directly.
- 18East-west traffic between user subnets restricted and logged.
- 19Outbound egress filtered; unexpected destinations and protocols are blocked or flagged.
- 20DNS and egress monitored for beaconing and bulk data transfer.
- 21Least privilege enforced on file shares; open “Everyone / Full Control” shares hunted down and closed.
- 22At least one backup copy is offline or immutable and out of reach of domain credentials.
- 23Backup infrastructure does not authenticate against the production domain.
- 24Restores tested on a schedule against real systems, with the result recorded.
- 25Recovery time and recovery point objectives defined, measured, and agreed with the business.
- 26Crown-jewel data identified and known, so you can answer “what did they take?” quickly.
- 27An incident response plan exists in writing, and the key people have read it.
- 28Out-of-band communications ready; assume email and chat are compromised or encrypted.
- 29Retainer or on-call path to incident responders agreed before you need them.
- 30Logs centralised and retained long enough to investigate a slow-burn intrusion.
- 31A tabletop exercise run in the last twelve months, with the lessons actually fixed.
- 32Legal, comms, and leadership know their role before the ransom note, not after.
A checklist on paper is a hypothesis.
Every box above can be ticked and the chain still wide open: the MFA exemption nobody remembered, the backup that hasn’t restored in a year. The only way to know is to walk the real path.
- Red team the real path. Operators start from a realistic foothold and try to reach domain dominance and your backups. If they get there, you found the chain before the criminals did.
- Purple team to fix as you go. Run the attack beside your defenders, technique by technique: watch what’s caught, tune what isn’t, re-test.
- Rehearse the response. A tabletop for technical and leadership: who isolates, who calls legal, how you talk when email’s gone.
Do it on a cadence, not once. Controls drift; validation is what keeps the checklist honest.
The references worth your time.
We send clients to these often. They’re free, current, and written by people who track this threat full-time. Start with the CISA guide and the KEV catalog.
- CISA #StopRansomware Guide →The joint guide and checklist from CISA and the FBI. Practical, current, and free.
- CISA #StopRansomware hub →Alerts, advisories and resources, kept up to date as the threat moves.
- CISA Known Exploited Vulnerabilities →The catalog of flaws under active attack. Treat it as your patch priority list.
- NIST Cybersecurity Framework →The reference structure for identifying, protecting, detecting, responding and recovering.
- NIST IR 8374 →The Ransomware Risk Management Profile. Maps the framework directly to this threat.
- MITRE ATT&CK →The catalogue of real attacker techniques. Map your detections against it and find the gaps.