Understanding the Modern Ransomware Threat
Modern ransomware attacks follow a pattern quite different from the opportunistic encryption-and-demand model of a decade ago. Today's sophisticated attacks typically begin with an initial access event — often through phishing, exploitation of unpatched vulnerabilities, or compromise of remote access credentials — followed by a period of dwell time during which the attacker explores the network, elevates privileges, and identifies the most valuable data and systems. Only after this reconnaissance phase does the attacker deploy ransomware, maximising impact by encrypting the systems and data that will cause the most operational disruption.
Many attacks also involve data exfiltration before encryption — allowing attackers to threaten public disclosure of sensitive data as additional leverage, independent of whether the organisation can restore from backups. This double extortion model means that effective backup and recovery capability, while critically important, is no longer sufficient on its own as a ransomware defence.
Email Security and Phishing Prevention
Email remains the primary initial access vector for ransomware. Audit procedures should assess whether anti-phishing controls are implemented and effectively configured: email filtering for malicious content, sender authentication protocols (SPF, DKIM, DMARC), malicious link scanning and sandboxing of attachments, and user awareness training effectiveness measured through phishing simulation results.
The audit should not merely confirm that these controls exist — it should assess their effectiveness. An email security product that is deployed but configured with default settings, or a phishing simulation programme that reports high click rates without triggering remedial training, provides limited actual protection regardless of its nominal presence.
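One way to turn the "default settings" concern into a concrete audit check is to parse the organisation's published SPF and DMARC records and flag weak configurations (a DMARC policy of p=none, a partial pct, an SPF record ending in a neutral or soft-fail qualifier). The example below is added here and is not part of the original article; the TXT records are constructed sample data, and a real audit would retrieve them with a DNS lookup rather than from an in-memory dictionary.

```python
"""Audit SPF and DMARC TXT records for weak settings.

Added example, not from the original article. SAMPLE_RECORDS is constructed
test data standing in for DNS TXT answers.
"""
import re

# Constructed sample records keyed by the DNS name they would be published at.
SAMPLE_RECORDS = {
    "example.test": "v=spf1 include:_spf.mailprovider.test ~all",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@example.test",
    "strong.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.strong.test": ("v=DMARC1; p=reject; pct=100; "
                           "rua=mailto:dmarc@strong.test; adkim=s; aspf=s"),
}

# SPF mechanisms that each cost one of the ten permitted DNS lookups.
LOOKUP_TERM = re.compile(r"^(include:|a$|a:|mx$|mx:|ptr|exists:|redirect=)")


def parse_dmarc(record):
    """Split a DMARC record ('v=DMARC1; p=reject; ...') into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return a list of findings for an SPF record (empty list means no issue)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record"]
    terms = record.split()
    last = terms[-1].lower()
    findings = []
    if last in ("+all", "all"):
        findings.append("SPF ends in +all: any sender passes")
    elif last == "?all":
        findings.append("SPF ends in ?all (neutral): no enforcement")
    elif last == "~all":
        findings.append("SPF softfail (~all): receivers may still deliver spoofed mail")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): evaluates to permerror")
    return findings


def assess_dmarc(record):
    """Return a list of findings for a DMARC record (empty list means no issue)."""
    if not record:
        return ["no DMARC record"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["malformed DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is not rejected")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail is quarantined rather than rejected")
    elif policy != "reject":
        findings.append("DMARC missing or invalid p= tag")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("DMARC pct= tag is not an integer")
    if 0 < pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("no rua= aggregate reporting address: no visibility into spoofing")
    return findings


def assess_domain(domain, records=SAMPLE_RECORDS):
    """Assess a domain's SPF and DMARC posture from a name->TXT mapping."""
    return {
        "spf": assess_spf(records.get(domain)),
        "dmarc": assess_dmarc(records.get(f"_dmarc.{domain}")),
    }


if __name__ == "__main__":
    for name in ("example.test", "strong.test", "missing.test"):
        print(name, assess_domain(name))
```

The SPF check looks only at the final qualifier and the lookup count; a fuller check would also resolve each include and confirm that DKIM selectors are published for every sending service, which the sample data does not model.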
Vulnerability Management and Patch Currency
Unpatched vulnerabilities in internet-facing systems are the second major initial access vector. Audit procedures should assess whether the organisation maintains a complete and current inventory of internet-facing systems, whether a risk-based patching process is in place with defined response timelines for different vulnerability severities, and whether patching compliance is being measured and reported. Critical vulnerabilities affecting internet-facing systems warrant the shortest patching timelines — days, not the months that typical quarterly patching cycles produce.
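Measuring patching compliance against severity-based timelines is straightforward once the inventory records when each finding was first seen and when it was remediated. The example below is added here and is not part of the original article; the SLA values, host names and dates are constructed, and an organisation would substitute its own timelines and feed the function from its scanner and asset inventory.

```python
"""Patch-currency compliance for internet-facing systems.

Added example, not from the original article. SLA_DAYS and SAMPLE_FINDINGS
are constructed values used to illustrate the calculation.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical remediation timelines in days, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class VulnFinding:
    host: str
    internet_facing: bool
    severity: str
    first_seen: date
    remediated: Optional[date] = None   # None means still open


def days_open(finding, as_of):
    """Days between first detection and remediation (or the report date if still open)."""
    end = finding.remediated or as_of
    return (end - finding.first_seen).days


def is_overdue(finding, as_of, sla=SLA_DAYS):
    """A finding breaches its SLA when it stayed open longer than the allowed days."""
    return days_open(finding, as_of) > sla[finding.severity]


def compliance_report(findings, as_of, sla=SLA_DAYS):
    """Per-severity compliance for internet-facing systems only.

    Returns, for each severity with at least one in-scope finding, the total,
    the number closed (or still within) SLA, a percentage, and the hosts that
    are overdue, so the report names the systems that need attention.
    """
    report = {}
    for severity in sla:
        scoped = [f for f in findings if f.internet_facing and f.severity == severity]
        if not scoped:
            continue
        overdue = [f for f in scoped if is_overdue(f, as_of, sla)]
        within = len(scoped) - len(overdue)
        report[severity] = {
            "total": len(scoped),
            "within_sla": within,
            "compliance_pct": round(100 * within / len(scoped), 1),
            "overdue_hosts": sorted(f.host for f in overdue),
        }
    return report


# Constructed sample inventory as of a fixed report date.
REPORT_DATE = date(2024, 6, 30)
SAMPLE_FINDINGS = [
    VulnFinding("vpn-gw-01", True, "critical", date(2024, 6, 1), date(2024, 6, 5)),
    VulnFinding("web-02", True, "critical", date(2024, 5, 1)),             # still open
    VulnFinding("mail-01", True, "high", date(2024, 4, 1), date(2024, 5, 15)),
    VulnFinding("intranet-01", False, "critical", date(2024, 1, 1)),       # out of scope
    VulnFinding("web-03", True, "medium", date(2024, 5, 1)),
]

if __name__ == "__main__":
    for sev, row in compliance_report(SAMPLE_FINDINGS, REPORT_DATE).items():
        print(sev, row)
```

Because days_open counts until the report date for open findings, an unremediated critical issue keeps lowering the compliance figure every day it remains open, which is the behaviour an auditor wants to see reflected in a metric.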
Backup Integrity and Recovery Capability
Backup controls for ransomware preparedness require specific design characteristics that generic backup assessments may not examine. Backups must include offline or immutable copies that ransomware cannot encrypt — backup systems connected to the same network as production systems may be destroyed in the same attack. Recovery processes must be tested regularly with realistic recovery time objectives validated through actual restoration testing, not just theoretical documentation.
The audit should examine backup architecture for isolation adequacy, test results for recovery time validation, and whether the recovery time objectives are aligned with the business continuity requirements of each critical system. An organisation that believes it can recover in 24 hours based on documentation but has not tested this assumption against actual restoration exercises has significant unquantified recovery risk.
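The questions in the two paragraphs above (is there an offline or immutable copy, is the backup reachable from production, has recovery actually been tested, and does the measured restore time meet the system's RTO) can be applied uniformly to a backup inventory. The example below is added here and is not part of the original article; the systems, RTO targets and test dates are constructed, and the 180-day maximum test age is an assumed threshold an organisation would set for itself.

```python
"""Backup isolation and recovery-capability assessment.

Added example, not from the original article. SAMPLE_SETS and the
MAX_TEST_AGE_DAYS threshold are constructed values.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_TEST_AGE_DAYS = 180   # assumed: a restore test older than this is treated as stale


@dataclass
class BackupSet:
    system: str
    rto_target_hours: float               # business continuity requirement
    immutable_or_offline: bool            # copy that ransomware cannot encrypt
    isolated_from_prod_network: bool      # cannot be reached from production hosts
    last_restore_test: Optional[date]     # None means never tested
    measured_restore_hours: Optional[float]


def assess_backup(b, as_of, max_test_age_days=MAX_TEST_AGE_DAYS):
    """Return (findings, rto_shortfall_hours) for one backup set.

    rto_shortfall_hours is None when recovery has never been tested: the risk
    exists but is unquantified. A negative shortfall means the measured restore
    beat the target.
    """
    findings = []
    if not b.immutable_or_offline:
        findings.append("no offline/immutable copy")
    if not b.isolated_from_prod_network:
        findings.append("backup reachable from production network")
    if b.last_restore_test is None or b.measured_restore_hours is None:
        findings.append("RTO unvalidated: no restoration test on record")
        return findings, None
    age = (as_of - b.last_restore_test).days
    if age > max_test_age_days:
        findings.append(f"last restore test {age} days old")
    shortfall = b.measured_restore_hours - b.rto_target_hours
    if shortfall > 0:
        findings.append(f"measured restore exceeds RTO by {shortfall:g} h")
    return findings, shortfall


def recovery_risk_summary(sets, as_of):
    """Map each system to its findings and RTO shortfall for the audit report."""
    summary = {}
    for b in sets:
        findings, shortfall = assess_backup(b, as_of)
        summary[b.system] = {"findings": findings, "rto_shortfall_hours": shortfall}
    return summary


# Constructed sample inventory as of a fixed assessment date.
ASSESSMENT_DATE = date(2024, 6, 30)
SAMPLE_SETS = [
    BackupSet("erp-db", 24, True, True, date(2024, 5, 10), 36.0),
    BackupSet("file-share", 48, False, False, None, None),
    BackupSet("web-portal", 8, True, True, date(2024, 6, 20), 4.5),
    BackupSet("hr-system", 24, True, True, date(2023, 10, 1), 20.0),
]

if __name__ == "__main__":
    for system, row in recovery_risk_summary(SAMPLE_SETS, ASSESSMENT_DATE).items():
        print(system, row)
```

Separating the unquantified case (never tested, shortfall None) from the quantified one (tested, shortfall known) mirrors the distinction the audit needs to make: a documented 24-hour recovery claim that has never been exercised is reported as unknown risk, not as a pass.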
Incident Response Readiness
When a ransomware attack occurs, the speed and quality of the response determines whether a significant but manageable incident becomes a catastrophic operational failure. Audit procedures should assess whether a tested incident response plan exists that specifically addresses ransomware scenarios, whether the organisation has pre-established relationships with external incident response providers, and whether leadership has participated in tabletop exercises that simulate the decision-making required during a ransomware event — including the decision of whether to pay a ransom.
Ransomware preparedness is not a single control — it is a layered defence requiring coordination across technical controls, process controls, and human capability. The organisation that has strong email security but inadequate backup isolation, or excellent backups but no tested incident response plan, has gaps in its defence that a sophisticated attacker will find.
Reporting Ransomware Risk to the Board
Audit findings on ransomware preparedness should be presented to the board in terms of the organisation's ability to prevent, detect, contain, and recover from an attack — with explicit discussion of the estimated business impact of a significant event and the residual risk profile given current control effectiveness. Governance bodies that understand their ransomware exposure in business terms are equipped to make informed decisions about the investment required to improve it.