Ransomware Readiness: The Controls That Actually Stop an Attack
Ransomware is a chain, not a lightning strike
The mental model that gets organizations breached is treating ransomware as a single event — a file lands, everything encrypts, and it is over in seconds. Real intrusions are a sequence. Human-operated ransomware typically dwells in an environment for days before the encryptor runs: attackers gain a foothold, escalate, move, stage data, exfiltrate, and only then detonate. The Verizon Data Breach Investigations Report consistently finds that most breaches involve stolen credentials, phishing, or exploited vulnerabilities as the entry point — not zero-day magic.
That sequence is good news. A chain breaks at its weakest link, and every stage is an opportunity to detect and stop the operation before the ransom note appears. The wrong way to plan is to buy one tool and hope. The right way is to map a specific control to each stage of the attack chain and verify that control works under pressure. Here is that map.
Stage 1: Initial access — make identity the first wall
Most ransomware begins with a valid login. Attackers phish credentials, buy them from access brokers, or spray passwords against exposed services like VPN portals and remote desktop gateways.
The control that matters here is identity, not the firewall.
- Phishing-resistant MFA everywhere. Enforce multi-factor authentication on every external-facing service and every administrative login. Prefer FIDO2 hardware keys or platform passkeys over SMS and push, which are defeated by fatigue attacks and SIM swaps.
- Kill legacy authentication. Protocols that cannot enforce MFA (legacy mail clients, basic auth) are the side door attackers walk through. Block them.
- Reduce the attack surface. Retire exposed RDP, put remote access behind identity-aware proxies, and continuously monitor what is reachable from the internet.
Identity hygiene converts the most common entry technique into a dead end. If a stolen password no longer buys a session, the attacker has to work much harder and noisier — which is exactly what the next controls are built to catch.
Stage 2: Privilege escalation — deny the keys to the kingdom
Once inside, an attacker with a standard user account cannot deploy ransomware domain-wide. They need privilege. They harvest cached credentials, abuse misconfigured service accounts, or exploit an unpatched local escalation flaw to reach Domain Admin or the equivalent in cloud identity.
The control is disciplined privileged access management.
- Just-in-time, just-enough admin. No standing domain-admin rights. Elevate on request, for a bounded window, with approval and full session logging.
- Tiered administration. Separate the accounts and workstations used to manage domain controllers from everyday email-and-browser machines so a phished laptop never holds tier-zero credentials.
- Vault and rotate secrets. Service-account passwords and local admin passwords should be vaulted, unique per host, and rotated automatically.
This is the discipline behind privileged access management: shrink the number of accounts that can cause catastrophic damage, and make the ones that remain heavily watched. When escalation gets hard, attackers make mistakes that your detection stack can catch.
Stage 3: Lateral movement — see it and box it in
With elevated rights, the operator spreads. They use remote execution tools, scheduled tasks, and living-off-the-land binaries — legitimate Windows utilities — to blend in while reaching file servers, backup systems, and hypervisors.
Two controls work together here.
- Network segmentation. Flat networks are a gift to ransomware. Segment by sensitivity and function, default-deny between zones, and restrict east-west traffic so a single compromised endpoint cannot reach every server. Backup infrastructure and hypervisor management planes deserve their own isolated segments.
- Endpoint detection and response. Signature antivirus does not catch hands-on-keyboard intrusions. Behavioral EDR does — flagging credential dumping, suspicious remote execution, and anomalous process trees. The catch is that alerts only matter if someone acts on them around the clock. That is why managed detection pairs the tooling with a 24/7 response team.
This is the core of a managed detection and response program: continuous telemetry from endpoints and identity, expert triage, and the authority to isolate a host at 3 a.m. before the operator finishes their sweep. Dwell time is the whole game — every hour you shorten it, you shrink the blast radius.
Stage 4: Exfiltration — the double-extortion tell
Modern ransomware crews steal data before they encrypt it, so they can extort you twice: pay to decrypt, and pay again to stop the leak. Large outbound transfers to cloud storage or unfamiliar hosts are a loud signal — if you are watching for them.
- Egress monitoring and DLP. Alert on unusual volumes and destinations, especially from servers that never normally push data outbound.
- Correlate identity, endpoint, and network signals. A single staging-and- upload pattern lights up across all three. Centralized detection ties them into one incident instead of three ignored alerts.
Exfiltration is often the last window before encryption. Catching it turns a would-be disaster into a contained incident.
Stage 5: Encryption — this is where backups decide your fate
If the operator reaches encryption, prevention has failed and recovery takes over. This is the stage organizations most often get wrong, because the attackers specifically hunt and destroy backups first. Online backups reachable with domain credentials get encrypted or deleted right alongside production.
The controls that actually get you back:
- Immutable, offline backups. At least one copy must be immutable (write-once, cannot be altered or deleted for a retention window) or physically air-gapped. Follow 3-2-1-1: three copies, two media types, one offsite, one immutable or offline. Backup credentials must be isolated from production identity so a domain compromise cannot touch them.
- Tested RPO and RTO. A backup you have never restored is a hope, not a plan. Define your recovery point objective (how much data you can afford to lose) and recovery time objective (how long recovery may take), then prove them with real restore drills — full-system, not single-file. Most teams discover their true RTO is far longer than assumed until they rehearse it.
- Protect the recovery path itself. Keep clean, known-good images and an out-of-band way to authenticate during an incident when your normal identity provider may be untrusted.
This is the substance of managed backup and disaster recovery: immutable copies you cannot accidentally trust away, and restore times you have measured rather than guessed.
The readiness checklist
Use this to pressure-test your own posture. Every "no" is a link in the chain an attacker will happily use.
- Is phishing-resistant MFA enforced on every external and admin login?
- Have you eliminated standing privileged accounts in favor of just-in-time elevation?
- Is your network segmented, with backup and hypervisor planes isolated?
- Does a 24/7 team triage and respond to EDR and identity alerts?
- Do you alert on anomalous outbound data transfers?
- Is at least one backup copy immutable or offline, with isolated credentials?
- Have you completed a full restore drill in the last 90 days and measured actual RPO/RTO?
- Do you have a written, rehearsed incident response plan with defined roles?
When the chain breaks: be ready to respond
No control set is perfect, so readiness includes a plan for the day something gets through. A rehearsed incident response capability — clear roles, communication trees, forensic readiness, and predefined containment authority — is the difference between a contained event and a two-week outage that makes the news.
Ransomware readiness is not a purchase; it is a set of controls layered along the attack chain and verified under stress. If you want an outside team to map these stages to your environment, run the restore drills, and stand watch around the clock, that is what intSignal does every day. Talk to our security team to pressure-test your defenses before an attacker does.