Ransomware Readiness Checklist for Small and Mid-Sized Businesses
Ransomware is no longer a risk that only large enterprises need to worry about. Small and mid-sized businesses (SMBs) are now the primary target for ransomware operators specifically because they tend to have fewer security controls, less monitoring, and weaker recovery capabilities than enterprise organizations. A single ransomware event can halt operations for weeks, trigger regulatory notification requirements, void cyber insurance claims, and permanently damage client trust.
The difference between a recoverable disruption and a business-ending crisis almost always comes down to ransomware preparedness—the controls, plans, and decisions you put in place before an attack ever begins. This ransomware readiness checklist walks through the ten domains that matter most for small and mid-sized organizations.
How to Use This Checklist
This is not a compliance matrix or a list of products to buy. It is a practical ransomware assessment framework organized by the control domains that ransomware operators specifically probe, exploit, and weaponize during a real attack. For each domain, we describe what readiness actually looks like, what gaps attackers target, and what you should verify.
If your organization can confidently check every box, you are in a strong defensive posture. If you find gaps, those are the areas where a targeted cybersecurity assessment delivers the highest return.
1. Backup Integrity and Recovery Testing
Backups are your last line of defense in a ransomware event. Ransomware operators know this, which is why they actively hunt for backup servers, delete shadow copies, and encrypt network-attached storage before detonating the payload on production systems.
What readiness looks like:
- Backups are stored in an immutable or air-gapped format (write-once-read-many, offline tape, or immutable cloud vaults) that cannot be modified or deleted by an attacker who has compromised your domain administrator credentials.
- Backup jobs are monitored for failure and success daily, with alerts to a distribution list—not a single inbox that could be compromised.
- Full restoration drills are conducted at least quarterly, including restoring critical servers, databases, and application configurations from scratch to a clean environment.
- Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) are documented and understood by both IT leadership and executive leadership. The business knows how long a full restore will actually take.
What attackers exploit: Backups that exist on the same domain, the same network segment, or the same credential store as production systems. If your backup admin account is a domain admin account, ransomware will encrypt your backups alongside everything else.
2. Multi-Factor Authentication (MFA)
Compromised credentials remain the single most common initial access vector in ransomware incidents. Without MFA, a single stolen password—from phishing, credential stuffing, or a dark web dump—gives an attacker direct entry to your environment.
What readiness looks like:
- MFA is enforced on 100% of user accounts, including executives, service accounts with interactive logins, and third-party vendor accounts.
- Phishing-resistant MFA (FIDO2 security keys or authenticator number matching) is deployed for privileged accounts and remote access.
- Legacy authentication protocols (POP3, IMAP, SMTP AUTH) that bypass MFA are blocked at the tenant level.
- Conditional access policies restrict access by device compliance, location, and risk score.
What attackers exploit: MFA fatigue attacks (repeated push notification spam), SMS-based MFA vulnerable to SIM-swapping, and legacy auth protocols that bypass MFA entirely. Also: the one executive account that was exempted from the MFA rollout.
3. Privileged Access Management
Once inside your environment, a ransomware operator’s first objective is privilege escalation. They want Domain Admin credentials so they can push the ransomware payload to every machine in your Active Directory forest simultaneously.
What readiness looks like:
- Standard users do not have local administrator rights on their workstations. This blocks unauthorized software installation and payload execution.
- Administrative access uses dedicated, tiered accounts—one for day-to-day email and web browsing, a separate one for server administration, and another for domain-level changes.
- Privileged accounts are protected by Privileged Access Workstations (PAWs) or at minimum, restricted to specific management subnets.
- Service accounts use group Managed Service Accounts (gMSAs) with automatic password rotation rather than static passwords stored in scripts.
- Just-in-time (JIT) access is used wherever possible, so privileged access is time-bound and automatically revoked.
What attackers exploit: A single admin account that is used for both checking email and managing Active Directory. Credential harvesting tools like Mimikatz can extract these credentials from memory in seconds.
4. Endpoint Detection and Response (EDR) / Managed Detection and Response (MDR)
Traditional signature-based antivirus is effectively blind to modern ransomware techniques. Threat actors routinely use legitimate system administration tools—PowerShell, WMI, PsExec, RDP—to move laterally and stage payloads, a technique known as “living off the land.” Detecting this requires behavioral analysis, not signature matching.
What readiness looks like:
- A modern EDR agent is deployed on every endpoint—workstations, servers, and virtual machines—with no coverage gaps.
- EDR telemetry is monitored 24/7/365 by a dedicated Security Operations Center (SOC), either in-house or through a Managed Detection and Response provider.
- The SOC has documented response playbooks for common alert types: credential dumping, lateral movement, suspicious PowerShell execution, and ransomware precursor activity.
- EDR policies include tamper protection so that an attacker with local admin rights cannot uninstall or disable the agent.
What attackers exploit: Endpoints without EDR coverage (development servers, legacy machines, contractor laptops), EDR deployments with no one monitoring the alerts after 5 PM, and agents running in “audit only” mode that detect but do not block.
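As an added illustration of the behavioural rules such a playbook encodes (example code written for this article, not THOR's tooling or any EDR product's detection logic), the Python below runs a few constructed process-creation events through rules for the alert types listed above; hostnames, parent images and command lines are all made up.

```python
import re

# Constructed sample process-creation events: (host, parent image, command line).
# The encoded blob is just "ABC" in UTF-16LE base64, not a real payload.
SAMPLE_EVENTS = [
    ("ws-014", "outlook.exe", "powershell.exe -nop -w hidden -enc QQBCAEMA"),
    ("srv-bk01", "cmd.exe", "vssadmin.exe delete shadows /all /quiet"),
    ("srv-fs02", "services.exe", "PSEXESVC.exe"),
    ("ws-022", "explorer.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),
    ("srv-dc01", "cmd.exe", "wbadmin delete catalog -quiet"),
]

OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = re.compile(r"^(powershell|pwsh|cmd|wscript|cscript|mshta)(\.exe)?\b", re.I)

# Command-line rules: (alert name, severity, pattern), one per playbook category
# named above: recovery inhibition, suspicious PowerShell, lateral movement.
CMDLINE_RULES = [
    ("shadow_copy_deletion", "critical",
     re.compile(r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wbadmin\s+delete\s+catalog)\b", re.I)),
    ("encoded_powershell", "high",
     re.compile(r"\b(powershell|pwsh)(\.exe)?\b.*\s-(e|ec|enc|encodedcommand)\b", re.I)),
    ("psexec_service_binary", "high", re.compile(r"\bPSEXESVC(\.exe)?\b", re.I)),
]

def classify(parent, cmdline):
    """Return (alert name, severity) tuples for one event; [] when nothing fires."""
    hits = [(name, sev) for name, sev, pat in CMDLINE_RULES if pat.search(cmdline)]
    # Behavioural rule: an Office process spawning a script host is the classic
    # malicious-attachment execution chain, whatever the exact command line is.
    if parent.lower() in OFFICE_PARENTS and SCRIPT_HOSTS.match(cmdline):
        hits.append(("office_spawned_script_host", "high"))
    return hits

def triage(events):
    """Run every event through the rules; return alerts sorted worst-first."""
    rank = {"critical": 0, "high": 1}
    alerts = [
        {"host": h, "alert": name, "severity": sev, "cmdline": c}
        for h, p, c in events for name, sev in classify(p, c)
    ]
    return sorted(alerts, key=lambda a: (rank[a["severity"]], a["host"]))

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f'{a["severity"]:8} {a["host"]:9} {a["alert"]:27} {a["cmdline"]}')
```

The benign notepad event on ws-022 produces no alert, while the backup server's shadow-copy deletion sorts to the top as the one finding that demands an immediate response.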
5. Vulnerability Management and Patching
Unpatched, internet-facing systems are the second most common ransomware entry point after compromised credentials. VPN concentrators, remote desktop gateways, firewall management interfaces, and web-facing applications with known CVEs are scanned continuously by automated threat actor toolkits.
What readiness looks like:
- External vulnerability scans are conducted at least weekly against your public IP space and DNS records.
- Internal vulnerability scans cover all server and workstation subnets on a monthly cycle.
- Critical and high-severity vulnerabilities in internet-facing infrastructure are patched within 48 hours of vendor release.
- A documented emergency patching process allows for out-of-cycle patching when a zero-day or actively exploited vulnerability is disclosed (e.g., CISA Known Exploited Vulnerabilities catalog entries).
- End-of-life systems that can no longer receive patches are isolated on restricted network segments with compensating controls.
What attackers exploit: VPN appliances and remote access gateways running firmware that is six or more months out of date. Attackers weaponize publicly disclosed CVEs within hours of proof-of-concept publication.
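An added example, not part of the checklist or of any vendor tooling, of how the 48-hour and out-of-cycle rules above can be applied mechanically: the Python below joins constructed scan findings with a constructed stand-in for the CISA Known Exploited Vulnerabilities feed (field names follow the real feed; the CVE ids, assets and dates are placeholders) and assumes the 48-hour clock starts at detection because scan output carries no vendor release date.

```python
import json
from datetime import datetime, timedelta

# Constructed stand-in for a KEV catalog download. The real feed uses the same
# "vulnerabilities" list and field names; the CVE ids here are placeholders.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "product": "VPN Gateway", "dateAdded": "2024-05-01",
     "dueDate": "2024-05-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0002", "product": "Office Suite", "dateAdded": "2024-05-03",
     "dueDate": "2024-05-24", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed scan findings: which asset has which CVE, and whether it is exposed.
FINDINGS = [
    {"asset": "vpn-edge-01", "cve": "CVE-0000-0001", "internet_facing": True, "severity": "critical"},
    {"asset": "ws-031", "cve": "CVE-0000-0002", "internet_facing": False, "severity": "high"},
    {"asset": "srv-app-07", "cve": "CVE-0000-0009", "internet_facing": True, "severity": "medium"},
]
DETECTED_AT = datetime(2024, 5, 21, 9, 0)  # constructed scan timestamp

def load_kev(raw_json):
    """Index the KEV feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}

def patch_plan(findings, kev, detected_at):
    """Assign each finding a tier and deadline under the checklist's policy.

    Assumption: the 48-hour clock starts when the scan detected the finding.
    """
    plan = []
    for f in findings:
        entry = kev.get(f["cve"])
        if entry:  # actively exploited: out-of-cycle, never later than CISA's due date
            tier = "emergency (KEV)"
            deadline = min(detected_at + timedelta(hours=48), datetime.fromisoformat(entry["dueDate"]))
        elif f["internet_facing"] and f["severity"] in ("critical", "high"):
            tier = "48h (internet-facing critical/high)"
            deadline = detected_at + timedelta(hours=48)
        else:
            tier = "monthly cycle"
            deadline = detected_at + timedelta(days=30)
        plan.append({"asset": f["asset"], "cve": f["cve"], "tier": tier, "deadline": deadline,
                     "ransomware_use": bool(entry and entry.get("knownRansomwareCampaignUse") == "Known")})
    return sorted(plan, key=lambda p: p["deadline"])

if __name__ == "__main__":
    for p in patch_plan(FINDINGS, load_kev(KEV_SAMPLE), DETECTED_AT):
        flag = " [ransomware use]" if p["ransomware_use"] else ""
        print(f'{p["deadline"]:%Y-%m-%d %H:%M}  {p["asset"]:12} {p["cve"]}  {p["tier"]}{flag}')
```

Note that the internal workstation ws-031 is pulled into the emergency tier purely because its CVE is in the catalog, which is the point of the out-of-cycle process.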
6. Network Segmentation and Lateral Movement Controls
Flat networks let ransomware spread from a single compromised workstation to every server in the environment. Segmentation forces attackers to work harder at every step, buying your security team time to detect and respond.
What readiness looks like:
- Critical servers (backup infrastructure, domain controllers, financial systems) are isolated on dedicated VLANs with firewall rules that restrict inbound access to only authorized management hosts.
- East-west traffic (server-to-server, workstation-to-server) is filtered and monitored, not just north-south (internet-to-network) traffic.
- Remote Desktop Protocol (RDP) is not exposed to the public internet. Internal RDP access requires a jump server or VPN with MFA.
- Microsegmentation or host-based firewall rules prevent workstations from communicating with each other directly.
What attackers exploit: Flat networks where a compromised laptop on the guest Wi-Fi can reach the domain controller, the backup server, and the ERP system on the same subnet.
7. Incident Response Planning
A ransomware incident generates technical, legal, financial, and communications decisions simultaneously. Without a written plan and designated decision-makers, organizations lose critical hours debating who to call, whether to pay, and who is authorized to shut down production systems.
What readiness looks like:
- A written incident response plan (IRP) exists that specifically addresses ransomware scenarios, not just a generic “security incident” template.
- The plan includes designated contacts for: IT/security lead, executive decision-maker, legal counsel, cyber insurance broker, and a pre-approved incident response firm.
- The plan documents who has authority to take systems offline, isolate network segments, and communicate externally during an active incident.
- Tabletop exercises are conducted at least annually with both technical staff and executive leadership, simulating a realistic ransomware scenario including ransom negotiation, data exfiltration notification, and business continuity decisions.
- Contact information for all critical parties is stored offline (printed and accessible) since your email and phone systems may be unavailable during an active attack.
What attackers exploit: Organizations with no plan spend 6–12 hours after detection trying to decide what to do, who to call, and whether to shut down systems. That is 6–12 hours of continued data exfiltration and encryption.
8. Cyber Insurance Alignment
Cyber insurance is a financial safety net, but only if your policy actually covers the incident you experience. Many organizations discover gaps in their coverage during the worst possible moment—after the ransom note is on the screen.
What readiness looks like:
- Your cyber insurance application accurately reflects your current security controls, not aspirational ones. Misrepresentations on the application can void coverage.
- You understand your policy’s retroactive date, waiting period, sub-limits, and exclusions for ransomware, business interruption, data restoration, and regulatory fines.
- Your policy includes access to a pre-approved incident response panel, and you know how to activate it. Many policies require you to use panel firms or risk coverage denial.
- You have confirmed with your broker that your policy covers voluntary ransom payments if that decision must be made, and you understand any OFAC sanctions screening requirements.
- You have reviewed and can meet the cyber insurance security requirements that your carrier mandates, such as MFA, EDR, and documented incident response plans.
What attackers exploit: Attackers don’t directly exploit your insurance, but organizations without coverage or with voided policies face the full unmitigated financial impact of downtime, data recovery, legal fees, regulatory penalties, and reputational damage.
9. Email Security and Phishing Resilience
Phishing remains the dominant delivery mechanism for ransomware initial access. Whether it’s a malicious attachment, a credential harvesting link, or a reply-chain hijack, email is the vector that reaches every employee in your organization.
What readiness looks like:
- SPF, DKIM, and DMARC are configured and enforced (p=quarantine or p=reject) for all organizational domains to prevent spoofing.
- An advanced email security gateway or Microsoft Defender for Office 365 is configured to detonate attachments in a sandbox and rewrite/scan URLs at click time.
- Security awareness training is conducted regularly, including simulated phishing campaigns, with metrics tracked for click rates and reporting rates.
- Users have a one-click reporting mechanism (e.g., a “Report Phish” button in their email client) and reports are triaged by the security team or SOC.
What attackers exploit: Organizations without DMARC enforcement, allowing attackers to send emails that appear to come from internal executives or trusted vendors. Also: training programs that exist on paper but haven’t been run in over a year.
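As an added example (written for this article, not taken from any mail provider's tooling), the Python below checks constructed SPF and DMARC TXT records against the enforcement bar set above, p=quarantine or p=reject applied to all mail; the domains and records are made up and no DNS lookup is performed.

```python
ENFORCING = ("quarantine", "reject")

# Constructed TXT records, as a resolver would return them; no DNS lookups here.
SAMPLE_RECORDS = {
    "example-a.test": {"spf": "v=spf1 include:_spf.mailprovider.test -all",
                       "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example-a.test; pct=100"},
    "example-b.test": {"spf": "v=spf1 ip4:203.0.113.0/24 +all",
                       "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-b.test"},
    "example-c.test": {"spf": "v=spf1 include:_spf.mailprovider.test ~all",
                       "dmarc": "v=DMARC1; p=quarantine; sp=none; pct=25"},
}

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict; {} if it is not a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def assess(spf, dmarc):
    """Return findings for one domain; an empty list means spoofing protection is enforced."""
    findings = []
    tags = parse_dmarc(dmarc)
    if not tags:
        findings.append("no valid DMARC record")
    else:
        policy = tags.get("p", "").lower()
        if policy not in ENFORCING:
            findings.append(f"DMARC not enforced (p={policy or 'missing'})")
        if "sp" in tags and tags["sp"].lower() not in ENFORCING:
            findings.append(f"subdomain policy not enforced (sp={tags['sp']})")
        if int(tags.get("pct", "100")) < 100:  # partial rollout still lets most spoofs through
            findings.append(f"DMARC applied to only {tags['pct']}% of mail")
        if "rua" not in tags:
            findings.append("no aggregate reporting address (rua=)")
    terms = spf.lower().split()
    if not terms or terms[0] != "v=spf1":
        findings.append("no SPF record")
    elif terms[-1] in ("+all", "all"):  # bare "all" defaults to the "+" qualifier
        findings.append("SPF permits any sender (+all)")
    elif terms[-1] not in ("-all", "~all"):
        findings.append(f"SPF has no fail mechanism (ends with {terms[-1]})")
    return findings

def audit_all(records):
    """Map each domain to its findings."""
    return {domain: assess(r["spf"], r["dmarc"]) for domain, r in records.items()}
```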
10. Executive Decision Framework
Ransomware is not just a technical crisis—it is a business crisis. Decisions about paying ransoms, notifying customers, engaging law enforcement, and communicating with the board cannot be made in the moment by the IT team alone.
What readiness looks like:
- Executive leadership has discussed and pre-documented the organization’s position on ransom payment under various scenarios (data exfiltration, operational shutdown, patient safety, regulatory exposure).
- Legal counsel who specializes in data breach notification, regulatory compliance, and ransomware response has been identified and retained (or is available on retainer).
- Communication templates are prepared for employees, customers, vendors, regulators, and media, so that messaging can be deployed within hours rather than days.
- The Board of Directors or ownership group has been briefed on ransomware risk, the organization’s insurance coverage, and the executive team’s authority to make time-critical decisions during an event.
What attackers exploit: Decision paralysis. When no one has authority to act and the C-suite is debating in a conference room while the encryption is still running, the damage multiplies by the hour.
Scoring Your Readiness
Use the following framework to score your organization’s ransomware preparedness across these ten domains:
| Readiness Level | Description |
|---|---|
| Strong | Controls are implemented, monitored, and tested regularly. Documentation is current. |
| Partial | Controls exist but have gaps in coverage, monitoring, or testing. |
| Weak | Controls are missing, outdated, or have never been tested under realistic conditions. |
If more than two domains score as Weak, your organization is at elevated risk of a ransomware event with extended downtime and significant financial impact. If more than four domains score as Partial, you likely have the foundations in place but need a structured ransomware assessment to identify and close the specific gaps before they are exploited.
From Checklist to Action
A checklist identifies gaps. Closing those gaps requires a prioritized plan, realistic timelines, and in many cases, outside expertise to validate that controls actually work under pressure—not just on paper.
THOR works with small and mid-sized organizations to conduct structured ransomware readiness assessments that go beyond checkbox compliance. We test backup recoverability, validate EDR coverage, review privileged access architectures, and run tabletop exercises with executive teams—giving you a clear, prioritized roadmap to close the gaps that ransomware operators actually exploit.
For organizations that need continuous protection rather than a point-in-time review, our Managed Protection program provides 24/7 monitoring, threat detection, and incident response as a fully managed service.
Ready to find out where your organization stands? Schedule a ransomware readiness assessment with a THOR advisor to review your defenses before attackers test them for you.