Ransomware readiness in 10 questions
Ten questions that separate organizations that recover from ransomware in days from the ones that take months. Answer them honestly before you have to.
By CyberWolfe Security Team
Ransomware readiness is not really about ransomware. It is about whether your fundamentals hold up on the worst day. Almost everything that determines how a ransomware event plays out is decided long before the encryption starts, in the boring decisions about backups, access, and who picks up the phone.
We use a version of the questions below when we assess a client's readiness. None of them are exotic. The value is in answering them honestly, out loud, with the people who would actually be involved. If you find yourself saying "I think so" or "probably," treat that as a no, because on the day it counts, "I think so" is the same as no.
- If your primary systems were encrypted right now, when did you last restore from backup and confirm it worked? Not when was the last backup taken. When did you last actually restore from one and watch it come back. Backups that have never been tested fail at the worst possible moment, and a backup you cannot restore is a folder of useless files.
- Can an attacker who reaches a domain admin account also reach your backups? This is the question that decides most ransomware outcomes. Modern ransomware crews go for the backups first, precisely because they know that is your recovery plan. If your backups live on the same domain, with the same credentials, reachable from the same network, they are not backups. They are more targets. You want at least one copy that is offline or immutable and out of reach of the account that runs everything else.
- Is multi-factor authentication on every external entry point, with no exceptions? Email, VPN, remote desktop, every admin console. The gaps are where attackers walk in. "MFA everywhere except this one legacy service the CFO uses" is the exact door that gets used. Phishing-resistant methods are better than codes, but anything beats a password alone.
- Do you know what normal looks like well enough to spot abnormal? Ransomware is loud right at the end and quiet for days or weeks before. The lateral movement, the privilege escalation, the data staging all happen in a window where good detection catches it. If nobody is watching endpoint and identity telemetry, the first sign you get is the ransom note.
- Who do you call, and is it written down where you can reach it without your systems? The list of contacts, including your IR partner, your insurer, and legal counsel, needs to exist on paper or on a phone, not on the file server that just got encrypted. We have watched teams lose an hour just finding the right phone numbers.
- Does your cyber insurance policy actually cover this, and have you read the conditions? Many policies require specific controls and approved vendors. Some exclude scenarios you would assume are covered. The time to learn the fine print is now, not while filing a claim. If you have a policy, get someone to walk you through what it requires of you.
- How long can the business actually run with key systems down? Put a number on it, by system. Knowing that order processing can survive two days but payroll cannot miss its date changes every recovery decision. Without those numbers, you will prioritize in a panic, which means you will prioritize badly.
- Have your people seen a realistic phishing attempt and known what to do? The initial access is usually a person clicking something. Awareness training that changes behavior, measured by more than a completion rate, is one of the cheapest risk reductions available. The goal is not zero clicks. It is people who report fast when they do click.
- Have the decision-makers ever practiced the decisions? The choice to pay or not, who talks to the press, when to tell customers, whether to involve law enforcement. These are executive decisions, and the first time leadership confronts them should not be live. A two-hour tabletop exercise surfaces every disagreement and gap while the stakes are zero.
- If you paid a ransom, do you actually know it would help? Decryptors provided by attackers are often slow, buggy, or incomplete, and paying funds the next attack and may carry legal risk depending on who is behind it. Paying is sometimes the least-bad option, but only as a deliberate decision with full information. If your honest answer to "would paying even fix this" is "I assume so," you are not ready to make that call well.
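The first question asks whether you have actually restored and confirmed the result. The script below is an added example of what "confirm it worked" can mean in practice; it is not tooling from the article or from CyberWolfe. It assumes the backup job records a manifest of SHA-256 digests when the backup is taken, restores the set to a scratch location, and then re-hashes every restored file against that manifest, so a truncated or missing file is caught before the day you depend on it. The directory layout, file names and contents are constructed sample data.

```python
"""Restore verification: prove a backup can be restored, not just that it exists.

Added example (not the article's own tooling). Assumes backups are written with
a manifest of SHA-256 digests taken at backup time; the restore is verified by
re-hashing every restored file and comparing against that manifest. The
directory layout and file contents below are constructed sample data.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large restores do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record relative path -> SHA-256 for every file under root (done at backup time)."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_of(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(restored_root: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest.

    Returns the files that are ok, missing from the restore, or corrupt
    (present but hash mismatch). The restore passes only when both failure
    lists are empty.
    """
    ok, missing, corrupt = [], [], []
    for rel, expected in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_of(target) != expected:
            corrupt.append(rel)
        else:
            ok.append(rel)
    return {"ok": ok, "missing": missing, "corrupt": corrupt,
            "passed": not missing and not corrupt}


def demo() -> dict:
    """Constructed scenario: back up three files, restore them, then damage one
    and drop one so the verifier has something to catch."""
    work = Path(tempfile.mkdtemp())
    src = work / "live"
    (src / "db").mkdir(parents=True)
    (src / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widget');\n")
    (src / "config.ini").write_text("[app]\nmode=prod\n")
    (src / "notes.txt").write_text("restore me\n")

    manifest = build_manifest(src)
    (work / "manifest.json").write_text(json.dumps(manifest, indent=2))

    # Simulate the restore job copying the backup set to a scratch location.
    restored = work / "restore_test"
    shutil.copytree(src, restored)
    # Simulate silent damage: one file truncated, one file missing.
    (restored / "db" / "orders.sql").write_bytes(b"INSERT INTO orders")
    (restored / "notes.txt").unlink()

    result = verify_restore(restored, json.loads((work / "manifest.json").read_text()))
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    r = demo()
    print("restore passed" if r["passed"]
          else f"restore FAILED: missing={r['missing']} corrupt={r['corrupt']}")
```

The design point is that the manifest is produced at backup time and stored with the backup set, so a restore test compares against what was actually written, not against the live system, which may have changed since. Run it on a schedule against a real restore target and treat any non-empty `missing` or `corrupt` list as a failed backup, not a warning.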
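The fourth question is whether you know what normal looks like well enough to notice the quiet phase before encryption. The detector below is an added example, not code from the article or from CyberWolfe, of one such check: a per-account baseline of the hosts it normally logs on to, and an alert when an account reaches more than a threshold of hosts outside that baseline inside a sliding window. The log format, the account and host names, the baseline and the threshold are all constructed assumptions for the example; real telemetry would come from your identity provider or endpoint agent.

```python
"""Logon fan-out detector over authentication logs.

Added example, not the article's own tooling. Assumes logons arrive as one
line per event in the constructed format below (timestamp, user, host). The
'baseline' is the set of hosts each account normally logs on to; an alert
fires when an account reaches more than MAX_NEW_HOSTS distinct hosts outside
its baseline within WINDOW. Every log line here is constructed sample data.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumed sliding window
MAX_NEW_HOSTS = 3                # assumed threshold of off-baseline hosts

# Constructed baseline: what "normal" looks like for each account.
BASELINE = {
    "jsmith": {"ws-17"},
    "svc-backup": {"bk-01", "fs-01"},
    "mlee": {"ws-22", "ws-23"},
}

# Constructed logon events: a quiet day for most accounts, then one account
# touching many servers within minutes, late in the evening.
SAMPLE_LOG = """\
2024-05-03T08:01:10Z user=jsmith host=ws-17 event=logon
2024-05-03T08:03:44Z user=mlee host=ws-22 event=logon
2024-05-03T09:15:02Z user=svc-backup host=bk-01 event=logon
2024-05-03T13:10:00Z user=mlee host=ws-23 event=logon
2024-05-03T22:41:05Z user=jsmith host=fs-01 event=logon
2024-05-03T22:42:11Z user=jsmith host=fs-02 event=logon
2024-05-03T22:43:30Z user=jsmith host=db-01 event=logon
2024-05-03T22:44:02Z user=jsmith host=dc-01 event=logon
2024-05-03T22:45:19Z user=jsmith host=bk-01 event=logon
"""


def parse_line(line):
    """Split one constructed-format log line into (timestamp, user, host)."""
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["user"], kv["host"]


def detect_fan_out(log_text, baseline=BASELINE, window=WINDOW, max_new=MAX_NEW_HOSTS):
    """Return one alert per account whose distinct off-baseline hosts within
    the sliding window exceed max_new. At most one alert per account."""
    recent = defaultdict(deque)  # user -> deque of (ts, host) off-baseline logons
    alerts = []
    alerted = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, host = parse_line(line)
        if host in baseline.get(user, set()):
            continue  # expected host for this account; not interesting
        q = recent[user]
        q.append((ts, host))
        # Drop events that have fallen out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {h for _, h in q}
        if len(distinct) > max_new and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "hosts": sorted(distinct),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_fan_out(SAMPLE_LOG):
        print(f"ALERT {a['user']}: {len(a['hosts'])} off-baseline hosts "
              f"between {a['first_seen']} and {a['last_seen']}: {a['hosts']}")
```

The baseline is the part that takes effort: it has to be learned from weeks of real logon data and refreshed as roles change, or the detector drowns in false positives. The threshold and window are starting points to tune against your own environment, and an alert like this is only useful if someone is actually on the receiving end of it, which is the point the question is making.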
If you answered all ten cleanly, you are in better shape than most organizations we assess. If a few made you uncomfortable, that discomfort is the useful part. Pick the two that worried you most and fix those this quarter. Readiness is not a project you finish. It is a set of fundamentals you keep honest, and the questions above are how you keep checking.