Why ransomware remains the top cyber threat in 2025
Ransomware attacks keep getting smarter and more damaging. In this ransomware readiness checklist 2025 edition, you get a clear step-by-step plan to stay ahead of today’s attackers. We’ll walk through five core steps to lock down your defenses, detect threats fast, and recover without drama.
There’s a reason ransomware tops your threat list. Affiliates and initial access brokers have turned intrusions into a repeatable business, and a single successful one can halt operations for days.
How affiliates and initial access brokers accelerate targeted intrusions
Ever wonder why breaches seem to happen overnight? Affiliates partner with ransomware-as-a-service operators to deliver payloads on high-value targets. Initial access brokers (IABs) scout weak credentials or exploitable services, then sell that access to affiliates. That split of labor speeds up attacks and shrinks the time you have to detect them.
To dive deeper into evolving threat models, check out ransomware trends in 2025 attacker tactics and defensive countermeasures.
Step 1: Map and monitor your attack surface
Let’s lay the groundwork first. If you don’t know what’s out there, you can’t protect it.
Attacker POV - Internet scanning via Shodan and Censys (T1596.005), then exploitation of what they find (T1190)
Attackers start with internet scanning tools to discover exposed endpoints. Shodan and Censys index devices, web apps, and services that let criminals pinpoint your gateways.
Tools - Nmap, Nessus, BloodHound for AD graphing
Here’s a quick list of tools that mirror attacker reconnaissance, from the outside and, once they have a foothold, from the inside:
- Nmap for host discovery and port scanning
- Nessus for vulnerability assessment
- BloodHound for mapping Active Directory relationships
Defender actions - Set weekly ASM scans, harden RDP and VPN, enforce MFA and geo blocking
Schedule attack surface management (ASM) scans every week to catch new exposures. Harden Remote Desktop Protocol (RDP) and VPN endpoints by limiting access, enforcing MFA (multi factor authentication), and blocking traffic from high-risk locations. Review scan results and patch or remove exposed services.
- Define scan scope in Shodan, Censys, or an ASM platform
- Review and triage findings within 72 hours
- Enforce MFA and geo restrictions on all remote access points
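One way to turn the weekly scan into the 72-hour triage queue above, as an added example (not code from the page or from any vendor it names): a small parser for Nmap's grepable (-oG) output that flags internet-facing remote-access services and marks findings that have sat longer than the review SLA. The scan excerpt and the high-risk policy table are constructed; addresses are RFC 5737 documentation ranges.

```python
"""Triage exposed services from Nmap grepable (-oG) output.

Added example, not code from the page. Parses "Host:" lines, flags remote
access services that should not be internet-facing without MFA and an
allow-list, and applies the 72-hour review SLA from the checklist. The scan
output and the policy table are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed -oG excerpt. Nmap emits one "Host:" line per host; port entries
# are comma-separated "port/state/proto//service///" tokens.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jun  2 09:00:00 2025 as: nmap -sV -oG external.gnmap 203.0.113.0/29
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///\tIgnored State: filtered (998)
Host: 203.0.113.11 (vpn.example.test)\tPorts: 443/open/tcp//https///, 1194/open/udp//openvpn///
Host: 203.0.113.12 ()\tPorts: 22/open/tcp//ssh///, 445/open/tcp//microsoft-ds///, 80/closed/tcp//http///
# Nmap done at Mon Jun  2 09:04:11 2025 -- 8 IP addresses (3 hosts up) scanned in 251.30 seconds
"""

# Assumed scan time and review SLA (the checklist's 72 hours).
SCANNED_AT = datetime(2025, 6, 2, 9, 0, tzinfo=timezone.utc)
REVIEW_SLA = timedelta(hours=72)

PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")

# Assumed policy: services that are a direct ransomware entry point when
# internet-facing. Tune the table to your environment.
HIGH_RISK = {
    (3389, "tcp"): "RDP exposed; put behind VPN with MFA or remove",
    (445, "tcp"): "SMB exposed; block at the edge",
    (22, "tcp"): "SSH exposed; key-only auth and source allow-list",
    (1194, "udp"): "VPN endpoint; confirm MFA and geo restrictions are enforced",
}


def parse_gnmap(text):
    """Return {host: [(port, state, proto, service), ...]} from -oG text."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if field.startswith("Ports:"):
                for port, state, proto, svc in PORT_RE.findall(field):
                    hosts.setdefault(host, []).append((int(port), state, proto, svc))
    return hosts


def triage(hosts, scanned_at, now, sla=REVIEW_SLA):
    """Flag open high-risk services; mark findings older than the review SLA."""
    findings = []
    for host, ports in sorted(hosts.items()):
        for port, state, proto, svc in ports:
            reason = HIGH_RISK.get((port, proto))
            if state == "open" and reason:
                findings.append({
                    "host": host, "port": port, "proto": proto, "service": svc,
                    "reason": reason, "sla_breached": now - scanned_at > sla,
                })
    return findings


if __name__ == "__main__":
    for f in triage(parse_gnmap(SAMPLE_GNMAP), SCANNED_AT, datetime.now(timezone.utc)):
        flag = "SLA BREACHED" if f["sla_breached"] else "within SLA"
        print(f"{f['host']}:{f['port']}/{f['proto']} {f['service']:<14} {f['reason']} [{flag}]")
```

Feed it the -oG file from each weekly run and diff the findings against last week's; anything new and high-risk goes to the 72-hour queue, anything unchanged past the SLA is your escalation list.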
Pair this with ongoing detection by reading continuous ransomware monitoring why MDR beats legacy defenses.
Step 2: Harden backups and recovery
Backups are your safety net in a ransomware crisis. Here’s the thing: attackers know this and try to tamper with snapshots or Volume Shadow Copy Service (VSS) before they encrypt.
Attacker POV - Snapshot and VSS tampering before encryption (T1490)
Criminals run vssadmin commands and custom PowerShell scripts to delete or corrupt your shadow copies. That leaves you with no clean fallback and forces you to negotiate.
Tools - vssadmin, adfind, custom PS wipe scripts
- vssadmin for deleting shadow copies
- AdFind for enumerating Active Directory to locate backup servers, service accounts, and the admins who can reach them
- Custom PowerShell scripts to wipe snapshots
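The commands above leave a recognisable trail in process-creation telemetry, and ransomware typically fires several of them within a couple of minutes right before encryption. As an added example (not code from the page), this hunt matches the vssadmin, wmic, wbadmin, bcdedit and PowerShell/WMI variants and then flags hosts where several hits cluster in one window. The events are constructed in the shape of Sysmon Event ID 1 / Security 4688 fields; hostnames, users and command lines are illustrative.

```python
"""Hunt for shadow-copy and recovery tampering (ATT&CK T1490).

Added example, not code from the page. Matches recovery-destroying command
lines and flags hosts where several fire within minutes, the usual
pre-encryption burst. Events below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RULES = [
    ("vssadmin delete/resize shadows",
     re.compile(r"vssadmin(\.exe)?\s+(delete\s+shadows|resize\s+shadowstorage)", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"wmic(\.exe)?\"?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin delete catalog/backup",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup|backup)", re.I)),
    ("bcdedit disable recovery",
     re.compile(r"bcdedit(\.exe)?.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("PowerShell WMI shadow copy removal",
     re.compile(r"win32_shadowcopy.*(\.delete\(\)|remove-wmiobject|remove-ciminstance)", re.I)),
]

# Constructed process-creation events (Sysmon 1 / Security 4688 shape).
EVENTS = [
    {"time": "2025-06-02T02:14:05", "host": "WS-FIN-07", "user": "CORP\\jdoe",
     "cmd": "vssadmin list shadows"},
    {"time": "2025-06-02T02:15:10", "host": "WS-FIN-07", "user": "CORP\\jdoe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"time": "2025-06-02T02:15:12", "host": "WS-FIN-07", "user": "CORP\\jdoe",
     "cmd": "\"C:\\Windows\\System32\\wbem\\WMIC.exe\" shadowcopy delete"},
    {"time": "2025-06-02T02:15:20", "host": "WS-FIN-07", "user": "CORP\\jdoe",
     "cmd": "powershell.exe -nop -w hidden -c \"Get-WmiObject Win32_ShadowCopy | ForEach-Object {$_.Delete()}\""},
    {"time": "2025-06-02T02:16:01", "host": "WS-FIN-07", "user": "CORP\\jdoe",
     "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"time": "2025-06-02T11:30:00", "host": "SRV-FILE-02", "user": "CORP\\backupsvc",
     "cmd": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"time": "2025-06-02T23:00:00", "host": "SRV-FILE-02", "user": "CORP\\backupsvc",
     "cmd": "wbadmin start backup -backupTarget:E: -include:C: -quiet"},
]


def detect(events):
    """Return one hit per (event, rule) match, preserving event order."""
    hits = []
    for e in events:
        for name, rx in RULES:
            if rx.search(e["cmd"]):
                hits.append({**e, "rule": name})
    return hits


def burst_hosts(hits, window=timedelta(minutes=5), min_hits=2):
    """Hosts with at least min_hits tampering commands inside one window."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(datetime.fromisoformat(h["time"]))
    flagged = set()
    for host, times in by_host.items():
        times.sort()
        for i in range(len(times) - min_hits + 1):
            if times[i + min_hits - 1] - times[i] <= window:
                flagged.add(host)
                break
    return sorted(flagged)


if __name__ == "__main__":
    hits = detect(EVENTS)
    for h in hits:
        print(f"{h['time']} {h['host']:<12} {h['user']:<16} {h['rule']}: {h['cmd']}")
    print("burst hosts (likely pre-encryption):", burst_hosts(hits))
```

The single resize on SRV-FILE-02 is the kind of hit a backup service account generates legitimately; keep it as a low-severity event with a per-user allow-list rather than dropping the rule, because ransomware uses the same resize trick to force Windows to discard old snapshots. The burst on WS-FIN-07 is what should page someone.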
Defender actions - Implement immutable backups, use S3 Object Lock, run quarterly restore drills, set RTO targets
- Store backups on immutable storage (Rubrik or Cohesity, for example) so a stolen backup-admin credential cannot delete or alter them
- Enable S3 Object Lock on cloud storage to prevent deletion; it requires versioning on the bucket, and only compliance mode blocks deletion by every principal, since governance mode can be bypassed by anyone granted s3:BypassGovernanceRetention
- Conduct quarterly restore drills that rebuild real systems from the immutable copy, not just spot-check that files exist
- Define recovery time objectives (RTO) and prove you meet them in those drills
If you host backups in the cloud, check out protecting cloud workloads from ransomware real tools and configs that work.
Step 3: Lock down identity and access
Identity is the new perimeter. Let’s be honest: stolen credentials are gold for attackers.
Attacker POV - MFA fatigue, Kerberoasting, NTLM relay (T1621, T1558.003, T1557.001)
Attackers bombard users with MFA push requests (push bombing) until someone approves one just to stop the noise. They also request service tickets for accounts with SPNs and crack them offline (Kerberoasting), and they poison name resolution on the LAN to capture or relay NTLM authentication, letting them act as the victim against other hosts and escalate from there.
Tools - Mimikatz, Rubeus, Responder
- Mimikatz for credential theft and ticket extraction
- Rubeus for requesting and harvesting Kerberos tickets
- Responder for LLMNR/NBT-NS poisoning and NTLM credential capture (the relay itself is usually done with Impacket's ntlmrelayx)
Defender actions - Enforce JIT admin roles, apply conditional access, deploy Defender for Identity, tier high value assets
- Implement just-in-time (JIT) admin privileges to reduce standing permissions
- Configure conditional access policies based on risk signals
- Deploy Microsoft Defender for Identity to detect credential theft behaviors
- Classify and tier high value assets for targeted protection
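Two of the attacker techniques above have clean telemetry signatures, and as an added example (not code from the page or from Defender for Identity) this hunt covers both: Kerberoasting shows up in Security Event 4769 as one account requesting RC4-encrypted service tickets for several distinct service accounts in quick succession, and push bombing shows up in MFA logs as a burst of prompts for one user, often ending in an approval. The event sets are constructed; field names follow the 4769 event and a generic MFA log, and the thresholds are assumptions to tune against your own baseline.

```python
"""Hunt for Kerberoasting (T1558.003) and MFA push bombing (T1621).

Added example, not code from the page. Both inputs are constructed; the
4769 field names are real, the MFA log shape and thresholds are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_ETYPES = {"0x17", "0x18"}  # RC4-HMAC and RC4-HMAC-EXP; AES tickets are 0x11/0x12


def burst(times, n, window):
    """True if any n timestamps fall inside one window."""
    times = sorted(times)
    return any(times[i + n - 1] - times[i] <= window for i in range(len(times) - n + 1))


def kerberoast_candidates(tgs_events, min_services=3, window=timedelta(minutes=10)):
    """Accounts pulling RC4 tickets for >= min_services distinct SPNs in one window."""
    by_user = defaultdict(lambda: {"services": set(), "times": []})
    for e in tgs_events:
        svc = e["ServiceName"]
        if e["Status"] != "0x0" or e["TicketEncryptionType"] not in RC4_ETYPES:
            continue
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue  # machine accounts have random passwords; krbtgt tickets are TGTs
        rec = by_user[e["TargetUserName"]]
        rec["services"].add(svc)
        rec["times"].append(datetime.fromisoformat(e["Time"]))
    return sorted(u for u, r in by_user.items()
                  if len(r["services"]) >= min_services and burst(r["times"], min_services, window))


def mfa_fatigue_candidates(mfa_events, min_prompts=5, window=timedelta(minutes=10)):
    """Users with >= min_prompts pushes in one window; notes whether spam ended in approval."""
    by_user = defaultdict(list)
    for e in mfa_events:
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e["result"]))
    flagged = {}
    for user, evs in by_user.items():
        evs.sort()
        if not burst([t for t, _ in evs], min_prompts, window):
            continue
        results = [r for _, r in evs]
        approved_after_spam = any(
            r == "approved" and sum(x != "approved" for x in results[:i]) >= 3
            for i, r in enumerate(results))
        flagged[user] = {"prompts": len(evs), "approved_after_spam": approved_after_spam}
    return flagged


def _tgs(t, user, svc, etype="0x17"):
    return {"Time": t, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "Status": "0x0", "IpAddress": "10.20.30.41"}

# Constructed 4769 events: jdoe roasts four SPNs in seconds; the others are normal.
TGS_EVENTS = [
    _tgs("2025-06-02T10:01:00", "jdoe@CORP.LOCAL", "svc_sql"),
    _tgs("2025-06-02T10:01:02", "jdoe@CORP.LOCAL", "svc_web"),
    _tgs("2025-06-02T10:01:03", "jdoe@CORP.LOCAL", "svc_backup"),
    _tgs("2025-06-02T10:01:05", "jdoe@CORP.LOCAL", "svc_iis"),
    _tgs("2025-06-02T10:01:06", "jdoe@CORP.LOCAL", "FILESRV01$"),
    _tgs("2025-06-02T10:15:00", "mwilson@CORP.LOCAL", "svc_sql"),        # one legacy app
    _tgs("2025-06-02T10:20:00", "svc_backup@CORP.LOCAL", "FILESRV01$", "0x12"),
]

# Constructed MFA push log: asmith is bombed and finally approves.
MFA_EVENTS = [
    {"time": "2025-06-02T02:40:00", "user": "asmith", "result": "denied"},
    {"time": "2025-06-02T02:41:00", "user": "asmith", "result": "denied"},
    {"time": "2025-06-02T02:41:30", "user": "asmith", "result": "timeout"},
    {"time": "2025-06-02T02:42:00", "user": "asmith", "result": "denied"},
    {"time": "2025-06-02T02:43:00", "user": "asmith", "result": "denied"},
    {"time": "2025-06-02T02:44:00", "user": "asmith", "result": "approved"},
    {"time": "2025-06-02T08:00:00", "user": "bjones", "result": "approved"},
    {"time": "2025-06-02T09:00:00", "user": "cchen", "result": "denied"},
    {"time": "2025-06-02T09:01:00", "user": "cchen", "result": "approved"},
]

if __name__ == "__main__":
    print("kerberoast candidates:", kerberoast_candidates(TGS_EVENTS))
    print("mfa fatigue candidates:", mfa_fatigue_candidates(MFA_EVENTS))
```

The RC4 filter is the important part of the Kerberoasting hunt: tools request RC4 tickets on purpose because they crack far faster than AES, so in a domain where service accounts are set to AES-only, any RC4 TGS request for a user SPN is worth a look on its own. For push bombing, an approval after a run of denials should trigger an immediate session revoke and credential reset, not a ticket.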
Locking down credentials also helps you meet the requirements in ransomware and regulatory compliance why agencies and contractors must prepare.
Step 4: Detect pre-encryption behaviors
Ransomware is more than data encryption. Here’s the thing: it often takes a quiet detour to exfiltrate data before the final blow.
Exfil and staging - rclone, 7-Zip, PsExec, LOLBins (T1567.002, T1021.002)
Attackers use 7-Zip to stage and compress the files they want, then rclone to push the archives to cloud storage such as Mega, so the traffic blends in with legitimate sync clients. They abuse PsExec and living-off-the-land binaries (LOLBins) to move laterally and to run the same staging commands on each host.
Hunting - Sentinel KQL, Sigma, YARA, outbound to cloud storage controls
- Write KQL queries in Microsoft Sentinel to flag large outbound transfers
- Use Sigma and YARA rules to detect known exfil patterns
- Monitor uncommon cloud storage endpoints for unauthorized uploads
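The three hunting bullets above collapse into one set of checks over outbound telemetry, shown here as an added example (not code from the page or from Microsoft Sentinel): known sync and transfer tools by process name, uploads to cloud-storage domains that are not your sanctioned tenant, and outbound volume per host over a rolling window. The connection records, the sanctioned tenant names and the thresholds are constructed assumptions.

```python
"""Flag exfiltration staging and uploads to cloud storage (T1567.002).

Added example, not code from the page. Runs three checks over constructed
per-connection outbound telemetry: exfil tooling by process name, uploads
to unsanctioned cloud storage, and outbound volume per host per window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

EXFIL_TOOLS = {"rclone.exe", "megasync.exe", "megacmd.exe", "winscp.exe", "filezilla.exe"}
CLOUD_STORAGE = ("mega.nz", "mega.co.nz", "dropbox.com", "drive.google.com",
                 "sharepoint.com", "onedrive.com", "transfer.sh", "file.io", "s3.amazonaws.com")
SANCTIONED = {"contoso.sharepoint.com", "contoso-my.sharepoint.com"}  # assumed corporate tenant


def is_cloud_storage(domain):
    return any(domain == s or domain.endswith("." + s) for s in CLOUD_STORAGE)


def find_exfil(events, volume_threshold=500 * 1024 ** 2, window=timedelta(hours=1)):
    """Return {host: sorted reasons} for every host that trips at least one check."""
    reasons = defaultdict(set)
    per_host = defaultdict(list)
    for e in events:
        host, proc, dest = e["host"], e["process"].lower(), e["dest"].lower()
        if proc in EXFIL_TOOLS:
            reasons[host].add(f"exfil tool {proc} -> {dest}")
        if is_cloud_storage(dest) and dest not in SANCTIONED:
            reasons[host].add(f"unsanctioned cloud storage {dest}")
        per_host[host].append((datetime.fromisoformat(e["time"]), e["bytes_out"]))
    # Rolling-window sum of bytes out per host (two-pointer over sorted connections).
    for host, conns in per_host.items():
        conns.sort()
        start, total = 0, 0
        for t, b in conns:
            total += b
            while t - conns[start][0] > window:
                total -= conns[start][1]
                start += 1
            if total > volume_threshold:
                reasons[host].add(f"{total // 1024 ** 2} MB out within {window}")
                break
    return {h: sorted(r) for h, r in reasons.items()}


MB = 1024 ** 2
# Constructed outbound connection records (host, process, destination, bytes).
EVENTS = [
    {"time": "2025-06-02T03:05:00", "host": "WS-FIN-07", "process": "rclone.exe",
     "dest": "g.api.mega.co.nz", "bytes_out": 300 * MB},
    {"time": "2025-06-02T03:12:00", "host": "WS-FIN-07", "process": "rclone.exe",
     "dest": "g.api.mega.co.nz", "bytes_out": 300 * MB},
    {"time": "2025-06-02T03:20:00", "host": "WS-FIN-07", "process": "rclone.exe",
     "dest": "g.api.mega.co.nz", "bytes_out": 300 * MB},
    {"time": "2025-06-02T09:00:00", "host": "WS-HR-03", "process": "OneDrive.exe",
     "dest": "contoso-my.sharepoint.com", "bytes_out": 50 * MB},
    {"time": "2025-06-02T09:30:00", "host": "SRV-WEB-01", "process": "curl.exe",
     "dest": "api.github.com", "bytes_out": 2 * MB},
    {"time": "2025-06-02T14:00:00", "host": "WS-ENG-02", "process": "chrome.exe",
     "dest": "drive.google.com", "bytes_out": 700 * MB},
]

if __name__ == "__main__":
    for host, why in find_exfil(EVENTS).items():
        print(host)
        for r in why:
            print("   ", r)
```

WS-FIN-07 trips all three checks, which is the rclone-to-Mega pattern the section describes; WS-ENG-02 trips two with an ordinary browser, a reminder that the volume and destination checks matter more than the process name. The same logic ports directly to a Sentinel KQL query that summarizes bytes sent by DeviceName over bin(TimeGenerated, 1h) and joins against your sanctioned-domain watchlist.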
Unchecked exfil adds to the hidden costs of ransomware beyond the ransom note.
Step 5: Train and test with realism
Even the best defenses need practice. Let’s face it: drills can feel like busywork, but they reveal gaps and boost your team’s confidence.
Purple team exercises - Atomic Red Team and Caldera; metrics: MTTD, MTTR, dwell time
Purple teams combine red and blue skills to simulate attacks using frameworks like Atomic Red Team or Caldera. Track key metrics such as mean time to detect (MTTD), mean time to recover (MTTR), and attacker dwell time.
Follow our step-by-step approach in running a ransomware attack simulation guide for red and blue teams.
Ransomware readiness checklist
Weekly ASM scans
Keep an up-to-date attack surface map with weekly scans to spot new exposures.
Immutable backups tested
Verify backup integrity and recovery steps by testing immutable snapshots quarterly.
JIT MFA enforced
Reduce risk by granting admin roles only when needed and enforcing MFA for all privileged users.
ATT&CK mapped detections
Map each detection to MITRE ATT&CK tactics to ensure you cover every stage of a ransomware kill chain.
Quarterly purple team drills
Run purple team exercises every quarter to measure and improve your team’s detection and response metrics.
Conclusion
Preparation prevents million-dollar downtime
A solid ransomware readiness checklist helps you avoid crippling downtime. It often costs more to recover than to implement these steps upfront.
Quzara Cybertorch MDR: 24x7 ransomware TTP detection, automated containment and guided recovery
Quzara Cybertorch MDR gives 24x7 monitoring and TTP detection (tactics, techniques, and procedures). It also handles automated containment and guided recovery to cut impact. Pair this approach with your incident response playbook.