Ransomware Readiness
Checklist

Know what you have and have a plan before anything happens.

• Maintain a live asset inventory. You can't protect endpoints you don't know exist — including shadow IT and OT.
• Identify your crown jewels. Map the systems and data whose loss would actually stop the business.
• Have a written incident-response plan with roles, contacts, and a decision tree — and print it (you may have no network during an incident).
• Keep 3-2-1 backups (3 copies, 2 media, 1 offline/immutable). Test a restore quarterly — untested backups are wishes.
• Pre-arrange legal, IR retainer and cyber-insurance contacts. Mid-incident is the wrong time to negotiate.
• Run a tabletop exercise at least annually so the team has muscle memory.

Close the doors attackers walk through.

• Enforce phishing-resistant MFA everywhere — especially email, VPN, and admin accounts.
• Eliminate exposed RDP/SMB. No remote-access ports open to the internet; gate everything behind VPN or zero-trust.
• Patch internet-facing systems fast. Prioritize what's actually running and reachable, and anything on CISA's KEV list.
• Apply least privilege. Remove local-admin rights; separate daily-use accounts from privileged ones.
• Harden the endpoint. Enable attack-surface-reduction rules, controlled folder access, and block macros from the internet.
• Segment the network. Flat networks let one foothold become fleet-wide encryption.
• Inventory non-human identities. Service accounts, API keys and tokens are prime lateral-movement fuel.

See the attack while it's still days from encryption.

• Deploy behavioral EDR/XDR on every endpoint — detect living-off-the-land tooling, not just known malware.
• Watch for the precursors: credential dumping, suspicious PowerShell, new admin accounts, mass file access, and backup deletion.
• Plant ransomware canaries. Decoy files that trip an alert the instant something starts encrypting.
• Centralize and search your logs (SIEM) so cross-host patterns surface as one incident.
• Alert on impossible/abnormal logins and privilege escalation in real time.
• Make sure detection survives outages — agents should keep recording offline and reconcile on reconnect.

When the alarm fires, speed and isolation win.

• Isolate affected hosts immediately at the network level — contain before you investigate.
• Kill malicious processes and disable compromised accounts across the fleet, not one machine at a time.
• Preserve evidence (memory, logs, samples) before wiping — you'll need it for scope and recovery.
• Don't pay reflexively. Payment doesn't guarantee recovery and may carry legal/sanctions risk — involve counsel.
• Communicate on out-of-band channels. Assume email/chat may be monitored by the attacker.
• Automate the first moves. A SOAR playbook that isolates-on-canary buys you the minutes that matter.

Restore safely — and don't re-infect yourself.

• Rebuild from known-clean images and restore data from verified-clean backups — not from the compromised environment.
• Find and close the entry point before reconnecting, or you'll be hit again within days.
• Rotate all credentials and secrets, including service accounts and API keys.
• Meet your disclosure obligations (PIPEDA/PHIPA, regulators, affected parties) on the required timeline.
• Run a blameless post-incident review and fold the lessons back into Phases 1–2.