Ransomware can stop an SMB in hours, locking files, halting sales, and freezing operations. This 2025 checklist gives you a clear order of actions: block common entry points, harden logins, protect endpoints, and set up backups that attackers can’t delete. It also includes a simple first-15-minutes response plan so you can contain damage fast. Save or print it and keep a copy offline for emergencies.
Why This Checklist Matters In 2025
“Encrypt + Steal + Extort” Is Common
Many groups steal data before encryption and then threaten leaks from servers and cloud storage. So “we can restore” is not enough by itself.
SMBs Are Often In The Blast Zone
Verizon’s 2025 DBIR SMB view shows ransomware in 88% of SMB breaches.
Vulnerabilities Still Fuel Ransomware
Sophos reports exploited vulnerabilities as a leading root cause in recent ransomware cases.
The 60-Second Self-Assessment
Score 1 for each “yes.” 0–3 risky, 4–7 improving, 8–10 resilient.
- MFA is on for email, admins, and remote access.
- Legacy authentication is blocked where possible.
- Admins have separate admin accounts.
- Critical patches land within 72 hours.
- Exposed RDP is removed or tightly restricted.
- Servers and endpoints have modern protection and tamper controls.
- Backups are immutable or offline, with separate admin access.
- You test restores monthly.
- Key sign-in and endpoint alerts are reviewed daily.
- Incident contacts and decision owners are documented.
Checklist Part 1: Stop The Initial Break-In
Email And Phishing Controls
Do these three email basics:
- Filter links and attachments, and block risky file types.
- Add a “report phish” button and respond to reports.
- Publish SPF, DKIM, and DMARC to reduce spoofing.
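Publishing SPF and DMARC only helps if the records actually enforce. The check below is an added example, not code from the original checklist: it grades the TXT record strings for the weaknesses receivers care about (a soft-fail or neutral SPF, a DMARC policy of none, a missing reporting address). The record strings and the example.com domain are constructed samples; in practice the values come from the domain’s TXT record and from the TXT record at _dmarc.<domain>. DKIM is left out because its selector names vary per mail provider.

```python
"""Check whether published SPF and DMARC records actually reduce spoofing.

Added example for the email controls in the checklist; not the checklist's
own code. Record strings below are constructed samples.
"""
import re
from typing import Dict, List

SPF_QUALIFIERS = "+-~?"
# Mechanisms that cost a DNS lookup; RFC 7208 treats a record with more than 10 as an error.
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed sample records for a fictional domain.
STRONG_SPF = "v=spf1 include:_spf.mailprovider.example mx -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
WEAK_SPF = "v=spf1 include:_spf.mailprovider.example ~all"
WEAK_DMARC = "v=DMARC1; p=none"


def check_spf(record: str) -> List[str]:
    """Return weaknesses in an SPF record; an empty list means it enforces."""
    findings: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record missing or does not start with v=spf1"]

    # The 'all' mechanism decides what happens to senders not listed in the record.
    all_terms = [t for t in terms[1:] if t.lower().lstrip(SPF_QUALIFIERS) == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism, so unlisted senders are not failed")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in SPF_QUALIFIERS else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' passes every sender; worse than no record")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral; spoofed mail is not failed")
        elif qualifier == "~":
            findings.append("SPF: '~all' soft-fails; move to '-all' once all senders are listed")

    lookups = sum(1 for t in terms[1:]
                  if re.split(r"[:=/]", t.lower().lstrip(SPF_QUALIFIERS))[0] in SPF_LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup mechanisms exceed the limit of 10; receivers treat the record as an error")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lowercase tag -> value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> List[str]:
    """Return weaknesses in a DMARC record; an empty list means it enforces."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record missing or does not start with v=DMARC1"]
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: no valid p= policy tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofs to junk; move to p=reject when reports are clean")

    # Subdomain policy defaults to p; a weaker sp= leaves subdomains open to spoofing.
    strength = {"none": 0, "quarantine": 1, "reject": 2}
    subdomain_policy = tags.get("sp", policy).lower()
    if strength.get(subdomain_policy, 0) < strength.get(policy, 0):
        findings.append(f"DMARC: sp={subdomain_policy} leaves subdomains weaker than the main domain")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no reports of who is spoofing you")
    return findings


def assess(spf_record: str, dmarc_record: str) -> Dict[str, object]:
    """Combine both checks; 'enforcing' is True only when neither has findings."""
    spf = check_spf(spf_record)
    dmarc = check_dmarc(dmarc_record)
    return {"spf": spf, "dmarc": dmarc, "enforcing": not spf and not dmarc}


if __name__ == "__main__":
    for label, spf, dmarc in (("strong", STRONG_SPF, STRONG_DMARC), ("weak", WEAK_SPF, WEAK_DMARC)):
        result = assess(spf, dmarc)
        print(label, "enforcing" if result["enforcing"] else "needs work")
        for finding in result["spf"] + result["dmarc"]:
            print("  -", finding)
```

Run it monthly alongside the self-assessment: a domain that scores “needs work” here is one where a spoofed invoice from “your” CEO still lands in the inbox, whatever the rest of the email filtering does.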
Patch Management With A Clear SLA
Treat patching like a clock. Exploited vulnerabilities remain a major driver. Use an SLA:
- Critical: 48–72 hours.
- High: 7–14 days.
Patch internet-facing systems first, like VPNs and firewalls.
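An SLA is only useful once it turns into an ordered work queue. The script below is an added example, not part of the original checklist: it takes a list of open findings, applies the checklist’s upper bounds as deadlines (72 hours for Critical, 14 days for High), and orders the queue with internet-facing systems first, then by deadline. The finding IDs, asset names, dates, and the Medium/Low clocks are constructed assumptions for the demonstration.

```python
"""Turn the patch SLA into an ordered work queue.

Added example, not code from the original checklist. Critical and High clocks
follow the checklist's upper bounds; Medium/Low clocks and all findings below
are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Hours allowed from disclosure to patch, per severity.
SLA_HOURS = {"critical": 72, "high": 14 * 24, "medium": 30 * 24, "low": 90 * 24}

NOW = datetime(2025, 3, 10, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

# Constructed findings; IDs are placeholders, not real advisories.
SAMPLE_FINDINGS: List[Dict] = [
    {"id": "FINDING-001", "asset": "vpn-gateway", "severity": "Critical",
     "internet_facing": True, "disclosed": datetime(2025, 3, 6, 12, 0, tzinfo=timezone.utc)},
    {"id": "FINDING-002", "asset": "file-server-01", "severity": "High",
     "internet_facing": False, "disclosed": datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)},
    {"id": "FINDING-003", "asset": "workstation-image", "severity": "Critical",
     "internet_facing": False, "disclosed": datetime(2025, 3, 9, 12, 0, tzinfo=timezone.utc)},
    {"id": "FINDING-004", "asset": "edge-firewall", "severity": "High", "patched": True,
     "internet_facing": True, "disclosed": datetime(2025, 2, 20, 12, 0, tzinfo=timezone.utc)},
    {"id": "FINDING-005", "asset": "print-server", "severity": "Medium",
     "internet_facing": False, "disclosed": datetime(2025, 3, 1, 12, 0, tzinfo=timezone.utc)},
]


def triage(findings: List[Dict], now: datetime) -> List[Dict]:
    """Return unpatched findings ordered: internet-facing first, then earliest deadline."""
    queue: List[Dict] = []
    for f in findings:
        if f.get("patched"):
            continue  # closed items drop off the queue
        deadline = f["disclosed"] + timedelta(hours=SLA_HOURS[f["severity"].lower()])
        hours_left = (deadline - now).total_seconds() / 3600
        queue.append({
            "id": f["id"],
            "asset": f["asset"],
            "severity": f["severity"].lower(),
            "internet_facing": f["internet_facing"],
            "deadline": deadline,
            "status": "OVERDUE" if hours_left < 0 else "DUE",
            "hours_left": round(hours_left, 1),
        })
    # False sorts before True, so "not internet_facing" puts exposed assets first.
    queue.sort(key=lambda q: (not q["internet_facing"], q["deadline"]))
    return queue


if __name__ == "__main__":
    for item in triage(SAMPLE_FINDINGS, NOW):
        exposure = "EXPOSED" if item["internet_facing"] else "internal"
        print(f"{item['status']:7} {item['id']} {item['asset']:18} {item['severity']:8} "
              f"{exposure:8} due {item['deadline']:%Y-%m-%d %H:%M} ({item['hours_left']:+.1f}h)")
```

Feed it the export from whatever scanner or advisory feed you already use; the point is that the top of the list is always the exposed edge device closest to (or past) its deadline, which is the order the checklist asks for.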
Remote Access Hardening
Remove exposed RDP. Require MFA and restrict admin tools.
If you use VPN, limit what users can reach after they connect.
Checklist Part 2: Identity Hardening (Fastest ROI)
MFA First, Then Stronger Rules
Email is the reset path for most systems. Secure it first.
Enforce MFA everywhere, then tighten rules for admins and finance apps.
Least Privilege And Offboarding
Limit lateral movement after one account falls.
Minimum actions:
- Remove unnecessary admin rights.
- Offboard same day: accounts, sessions, tokens, and shared access.
- Review access quarterly.
(NIST stresses recovery priorities and contact lists as resilience basics.)
Checklist Part 3: Endpoint And Server Controls
Baseline Device Hygiene
- Auto-update OS and browsers.
- Encrypt disks and require screen locks.
- Remove risky software and reduce macros.
These align with ransomware prevention guidance.
Detect And Contain
Alert on mass encryption behavior and credential dumping signals.
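What “mass encryption behavior” looks like in a log is a burst of extension-changing renames from one process, usually followed by the same note file appearing in many folders. The detector below is an added example, not code from the original checklist: it runs three such rules over file-activity lines and emits one alert per signal. The key=value log format, the thresholds, the process allowlist for the credential store process, and the sample lines are all constructed here so it runs offline; a file-server audit log or EDR export would feed the same logic after parsing.

```python
"""Flag mass-encryption and credential-dumping signals in file activity logs.

Added example for the 'Detect and Contain' item; not the checklist's own code.
Log format, thresholds, allowlist and sample lines are constructed.
"""
import ntpath
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

WINDOW_SECONDS = 60      # sliding window per host+process (assumed starting point)
RENAME_THRESHOLD = 20    # extension-changing renames in the window before alerting
NOTE_DIR_THRESHOLD = 3   # same new file name created in this many folders
# Processes expected to open the credential store process (assumed allowlist; tune per environment).
LSASS_ALLOWLIST = {"MsMpEng.exe", "csrss.exe", "wininit.exe"}


def parse_line(line: str) -> Dict[str, str]:
    """Parse '<ISO8601> k=v k=v ...'; values in this constructed format hold no spaces."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def extension(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def detect(lines: List[str]) -> List[str]:
    """Return alert strings, one per (signal, host, process) the first time it trips."""
    alerts: List[str] = []
    renames: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    note_dirs: Dict[Tuple[str, str, str], Set[str]] = defaultdict(set)
    fired: Set[Tuple] = set()

    for line in lines:
        f = parse_line(line)
        ts = datetime.fromisoformat(f["ts"].replace("Z", "+00:00"))
        host, proc, op = f.get("host", "?"), f.get("proc", "?"), f.get("op")

        if op == "RENAME" and extension(f["path"]) != extension(f["new"]):
            # Count renames that change the extension, within a sliding window per host+process.
            window = renames[(host, proc)]
            window.append(ts)
            while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
                window.popleft()
            key = ("mass_rename", host, proc)
            if len(window) >= RENAME_THRESHOLD and key not in fired:
                fired.add(key)
                alerts.append(f"{f['ts']} MASS_RENAME host={host} proc={proc} "
                              f"count={len(window)} in {WINDOW_SECONDS}s new_ext={extension(f['new'])}")

        elif op == "CREATE":
            # The same file name dropped into many folders is the ransom-note pattern.
            folder, name = ntpath.split(f["path"])
            dirs = note_dirs[(host, proc, name)]
            dirs.add(folder)
            key = ("ransom_note", host, proc, name)
            if len(dirs) >= NOTE_DIR_THRESHOLD and key not in fired:
                fired.add(key)
                alerts.append(f"{f['ts']} RANSOM_NOTE_PATTERN host={host} proc={proc} "
                              f"file={name} folders={len(dirs)}")

        elif op == "PROCESS_ACCESS" and f.get("target", "").lower() == "lsass.exe":
            # Unexpected processes opening lsass.exe is the classic credential-dumping signal.
            key = ("lsass", host, proc)
            if proc not in LSASS_ALLOWLIST and key not in fired:
                fired.add(key)
                alerts.append(f"{f['ts']} CREDENTIAL_ACCESS host={host} proc={proc} target=lsass.exe")
    return alerts


def sample_log() -> List[str]:
    """Constructed log: normal activity, then a 25-file rename burst, note files, and lsass access."""
    base = datetime.fromisoformat("2025-03-04T09:12:00+00:00")

    def stamp(sec: int) -> str:
        return (base + timedelta(seconds=sec)).strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = [
        f"{stamp(0)} host=WS-07 user=jdoe proc=explorer.exe op=RENAME "
        f"path=C:\\Share\\Q1\\budget.xlsx new=C:\\Share\\Q1\\budget_v2.xlsx",
        f"{stamp(2)} host=WS-07 user=jdoe proc=WINWORD.EXE op=CREATE path=C:\\Share\\Q1\\notes.docx",
    ]
    for i in range(25):
        lines.append(f"{stamp(10 + i)} host=WS-07 user=jdoe proc=update.exe op=RENAME "
                     f"path=C:\\Share\\Q1\\file{i:02d}.xlsx new=C:\\Share\\Q1\\file{i:02d}.xlsx.locked")
    for sub in ("Q1", "Q2", "HR"):
        lines.append(f"{stamp(36)} host=WS-07 user=jdoe proc=update.exe op=CREATE "
                     f"path=C:\\Share\\{sub}\\HOW_TO_RESTORE.txt")
    lines.append(f"{stamp(40)} host=WS-07 user=jdoe proc=update.exe op=PROCESS_ACCESS target=lsass.exe")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The first alert is the one that matters for the 15-minute plan: isolating the host named in it is the containment step, and the process and user fields tell you which account to disable.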
Checklist Part 4: Backups That Survive Ransomware
3-2-1 Plus Immutability
Restore Drills That Prove Reality
Restoration is proof. “Backup succeeded” is not.
Test monthly:
- Restore one critical file.
- Restore one system into an isolated network.
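A restore drill should end with evidence, not a green job status. The script below is an added example, not code from the original checklist: it records a SHA-256 manifest of the source data and then compares a restored copy against it, reporting missing, altered, and unexpected files. The three small sample files and both “restores” are constructed in temporary directories so the drill runs offline; pointing the same two functions at a real backup source and a real restored tree is the monthly test.

```python
"""Prove a restore worked by comparing file hashes, not job status.

Added example for the monthly restore drill; not the checklist's own code.
Sample data and both restores are constructed in temporary directories.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map each file's path (relative, POSIX style) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: Dict[str, str], restored: Path) -> Dict[str, object]:
    """Compare a restored tree against the manifest taken from the source."""
    actual = build_manifest(restored)
    missing = sorted(k for k in manifest if k not in actual)
    corrupt = sorted(k for k in manifest if k in actual and actual[k] != manifest[k])
    unexpected = sorted(k for k in actual if k not in manifest)
    return {
        "ok": not (missing or corrupt or unexpected),
        "missing": missing,
        "corrupt": corrupt,
        "unexpected": unexpected,
        "files_checked": len(manifest),
    }


def run_drill() -> Dict[str, Dict[str, object]]:
    """Constructed drill: a clean restore, then a restore with damage."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "source"
        (source / "docs").mkdir(parents=True)
        (source / "finance").mkdir()
        (source / "docs" / "policy.txt").write_text("Acceptable use policy v3\n")
        (source / "finance" / "ledger.csv").write_text("date,amount\n2025-01-02,100.00\n")
        (source / "README.txt").write_text("constructed sample data\n")
        manifest = build_manifest(source)  # taken at backup time, stored with the backup

        # Drill 1: a faithful copy should verify clean.
        clean = Path(tmp) / "restore_clean"
        shutil.copytree(source, clean)
        clean_result = verify_restore(manifest, clean)

        # Drill 2: one altered file, one missing file, one stray file.
        damaged = Path(tmp) / "restore_damaged"
        shutil.copytree(source, damaged)
        (damaged / "docs" / "policy.txt").write_text("Acceptable use policy v3 (altered)\n")
        (damaged / "finance" / "ledger.csv").unlink()
        (damaged / "HOW_TO_RESTORE.txt").write_text("unexpected file\n")
        damaged_result = verify_restore(manifest, damaged)
    return {"clean": clean_result, "damaged": damaged_result}


if __name__ == "__main__":
    for label, result in run_drill().items():
        print(label, "PASS" if result["ok"] else "FAIL", result)
```

Keep the manifest with the offline or immutable copy rather than on the production file server; a manifest the attacker can rewrite proves nothing.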
Secure Backup Admin
Use separate backup admin accounts and MFA. Avoid shared credentials.
Attackers target backup consoles to block recovery.
Checklist Part 5: Limit Blast Radius In Network And SaaS
Simple Segmentation
Separate servers, users, and backups where you can. Start with one critical area.
SaaS “Crown Jewels” Controls
SaaS admin panels and file stores are high-value targets.
Quick wins:
- Restrict OAuth app consent and review integrations quarterly.
- Tighten external sharing for file storage.
- Require stronger sign-in for finance and HR apps.
Checklist Part 6: What To Do In The First 15 Minutes
First 15 Minutes
Follow this order. Do not wipe systems first.
- Isolate affected devices from the network.
- Disable suspected compromised accounts.
- Preserve evidence and logs.
- Stop the spread where you can.
- Notify the incident lead and decision owner.
First 24 Hours
Confirm scope, including data theft risk. Prepare clear communications.
Report to law enforcement using official channels like IC3.
Checklist Part 7: Recovery And The One-Week Fix
Clean Rebuild Principles
Assume credentials were exposed. Rotate passwords, keys, and tokens.
Restore from known-good backups and rejoin systems in stages.
One-Week Hardening Sprint
- Patch the entry weakness.
- Remove exposed remote access.
- Enforce MFA on all admin paths.
- Reduce admins and shared accounts.
These actions align with federal guidance.
Role-Based Mini Checklists
Business Owner
- Fund backups, patching, and monitoring.
- Define “restore first” systems and timelines.
- Keep offline incident contacts.
IT And Admin
- Enforce MFA and block legacy auth.
- Patch edge systems first, on the SLA.
- Implement immutable backups and restore drills.
Finance And HR
- Require MFA for payroll and finance tools.
- Add payment verification for vendor changes.
Run This Checklist Monthly
Ransomware defense is a routine. Start with identity, patching, and survivable backups. Then reduce the blast radius and rehearse the response. Use your 60-second score, fix the weakest items, and repeat.
FAQs
What is the #1 Ransomware protection step?
How do I know backups are Ransomware-safe?
Separate backup admin accounts, use MFA, and restore into an isolated network.
Should we pay the ransom?
What is a useful “Impact Benchmark” for planning?
IBM’s 2025 report estimates a $4.44M global average breach cost. Use it for planning, not panic.