Ransomware Preparedness: Beyond Backups

• Phishing and credential theft: leads to mailbox compromise, then lateral movement.
• Remote access abuse: exposed RDP/VPN accounts with weak or stolen credentials.
• Unpatched vulnerabilities: attackers exploit known weaknesses to gain initial access.
• Vendor and supply-chain paths: compromised third parties or integrations.

The most reliable approach is closing the common doors: identity hardening, patching standards, and detection that catches early-stage behavior.

• EDR + response workflow: see EDR guide.
• Central logging and alerting: see SIEM guide.
• Patching discipline: see Patch management standards.
• Identity baseline: start with Multi-Factor Authentication (MFA) and reduce admin sprawl with Role-Based Access Control (RBAC).
• Email/domain protections: reduce spoofing and some phishing patterns with email authentication.

Backups fail during incidents for predictable reasons: they were never tested, the credentials were compromised, or the restore path was never documented. Treat backups like a product you operate.

• Restore testing: schedule it and write down the steps. See Backup & DR Testing.
• Access control: backup admin accounts should be tightly limited and monitored.
• Multiple copies: include a protected/offline copy (where feasible) to reduce the chance ransomware can reach it.

• Roles: who can isolate systems, who contacts insurers, who talks to customers.
• Escalation: after-hours contacts and vendor phone numbers that work.
• Decision framework: what gets restored first, what “acceptable downtime” looks like, and when leadership is pulled in.

The fastest way to validate this is an incident response tabletop exercise.

Related services: Managed Security (MSSP) and Managed IT (MSP).