Checklist · Updated June 2026

Ransomware readiness checklist for Malaysian businesses

The short answer

Ransomware readiness means an attack becomes a recoverable incident instead of a business shutdown. The test is ten controls: enforced MFA, full endpoint detection coverage, disciplined patching, backups that ransomware cannot reach and that you have actually restored from, network segmentation, phishing defences, hardened remote access, monitoring that works out of hours, a written response plan and a rehearsed leadership team.

How to use this checklist

Ransomware groups follow a fairly consistent playbook: get in through phishing, stolen credentials or an exposed remote access service, move laterally to reach servers and backups, then encrypt and extort. Each item below blocks or detects a stage of that playbook. Score yourself honestly against what ready looks like, then close the gaps in order of how directly they sit on the attack path.

The ransomware readiness checklist

  1. Multi-factor authentication on every account that matters

    MFA is enforced, not merely available, on email, VPN, remote desktop, cloud admin portals and privileged accounts, with no legacy protocols left open that bypass it.

  2. Endpoint detection and response on every device

    Every server and workstation runs an EDR agent reporting to a console someone actually watches. Unknown devices on the network are treated as findings, not background noise.

  3. Patching with deadlines, perimeter first

    Internet-facing systems, VPN gateways and firewalls are patched on a short, enforced timeline, because these are what ransomware operators scan for. Internal patching follows a documented cycle.

  4. Backups isolated from the network, restores tested

    At least one backup copy is offline or immutable and unreachable with domain admin credentials, since attackers destroy backups before encrypting. You have recently restored real systems and know how long it takes.

  5. Network segmentation that limits the blast radius

    Workstations, servers and operational systems sit in separate zones with firewall rules between them, so one infected laptop cannot reach every server. A flat network turns one phishing click into a company-wide encryption event.

  6. Email phishing controls in front of the inbox

    Inbound filtering blocks malicious attachments and lookalike domains, users can report suspicious mail in one click, and reported messages are reviewed. Phishing remains the most common way in.

  7. No unnecessary exposure on firewall and VPN

    Remote desktop is never published directly to the internet, VPN access requires MFA, and the rule base is reviewed for services exposed by accident. What is not reachable cannot be exploited.

  8. Monitoring that works at 3am

    Alerts from EDR, firewalls and identity systems reach a human at any hour, because ransomware deployment is often timed for weekends and holidays. Alerts sent to an unread mailbox do not count.

  9. A written incident response plan, kept offline

    The plan names who decides to disconnect systems, who calls the insurer, lawyer and regulator, and how staff communicate if email is down. A copy exists on paper, since the file server may be encrypted.

  10. An executive tabletop exercise within the last year

    Leadership has walked through a simulated ransomware scenario, including the ransom payment decision, PDPA notification questions and customer communications. Directors should not debate paying a ransom for the first time during a real incident.

Working the gaps

Most organisations fail three or four items, typically backup isolation, restore testing, segmentation and out-of-hours monitoring. Fix exposure and identity first, then containment and recovery, then detection and rehearsal.

Datasafe Online runs ransomware readiness reviews against this kind of checklist and backs them with a 24/7 SOC for the monitoring item most companies cannot staff internally. Contact sales@datasafe.com.my or 03-2242 3191 to benchmark your current position.

The Malaysia context

Ransomware activity in the region has touched Malaysian manufacturers, plantation groups, retailers and financial services firms alike, and any incident involving personal data adds PDPA considerations on top of the operational damage. Bank Negara Malaysia's RMiT expectations push financial institutions further on recovery and testing. For most local businesses the decisive gaps are unglamorous: nobody has restored from backup under pressure, and nobody watches alerts on a public holiday.

Common questions

Should a Malaysian company ever pay the ransom?

Payment is a last resort with no guarantees: decryptors are often slow or partial, stolen data may still be leaked, and paying marks you as a payer. The decision involves legal counsel, insurers and leadership, which is exactly why it belongs in a tabletop exercise before you face it for real.

How often should we test backup restores?

Often enough that the result is current and the process is familiar: restore a meaningful system in full on a recurring schedule, and again after any backup platform change. A backup that has never been restored is a hope, not a control.

Does cyber insurance remove the need for this checklist?

No. Cover increasingly depends on it. Insurers commonly require MFA, EDR and isolated backups before issuing or renewing cover, and weak controls can complicate claims. Insurance transfers some financial impact; it does not restore your systems or your data.

We are a small business. Are we really a target?

Yes, because most ransomware targeting is opportunistic: automated scanning finds the exposed VPN or weak credential regardless of company size. Smaller firms are often hit harder because recovery resources are thinner. The checklist scales down, and the early items cost more discipline than money.

Does EDR guarantee ransomware will be stopped?

No single control does. EDR raises the chance of catching an intrusion before encryption begins, but only if it is deployed everywhere, configured well and actually monitored. That is why the checklist pairs it with isolated backups, segmentation and a response plan as separate items.

Talk it through with an operator.

A 30-minute Cyber Risk Review maps this topic against your environment, with an analyst from Datasafe's Kuala Lumpur SOC. No slideware, no obligation.