Key takeaways
- Harden along the attack path: exposure, visibility, access, detection, response, recovery, evidence.
- Every item is a verifiable test, not a product feature — run them against whatever you own today.
- The gaps you find are your ransomware exposure, in priority order.
Hardening file infrastructure against ransomware is less about any single feature and more about closing the path from a compromised account to mass file damage. This checklist walks that path in order: what an attacker can reach, whether you would see them, what policy stops, what detection catches, how fast response happens, how recovery works, and what evidence survives. Each item is phrased as a test you can actually run. Where the honest answer is no, you have found a gap worth prioritizing.
1. Exposure: know what an account can reach
Start where the attacker starts: with a credential. Pick a typical user account and enumerate every share and directory it can read and write. Most teams are surprised by the blast radius — years of group-membership drift mean ordinary accounts can commonly traverse far more than their job requires. Then check for the classics: open shares writable by everyone, stale accounts that still resolve, service accounts with broad read access and no expiration, and permissions granted to groups nobody can explain. Ransomware does not need admin rights; it needs exactly the write access your least-audited account already has.
2. Visibility: can you answer who touched what?
For any file on any share, you should be able to answer four questions: who accessed it, when, from which host, and what operation they performed. Test it — pick a file, and time how long it takes to produce its access history for the last 30 days. If the answer involves enabling native auditing first, correlating three log sources, or a request to another team, you do not have visibility; you have archaeology. Detection-grade telemetry is per-operation, carries identity and host context, and is captured somewhere an attacker with admin rights cannot edit.
3. Access: policy evaluated per operation, not per login
Static permissions decide access once, then trust the session forever. Verify what your platform evaluates at the moment of each read and write. Can policy consider who the user is, what device and network they are on, and what they are asking for — and change the answer when context changes? If an account is disabled mid-session, does the open SMB session keep working? Attribute-based access control closes the gap between the moment access should end and the moment it actually does, and it is the difference between one compromised credential reaching one project or reaching everything.
4. Detection: would mass change or bulk reads be flagged?
Now the core test. If an account began rewriting files with high entropy at machine speed — the signature of an encryption run — would anything notice before the ten-thousandth file? And the quieter case: if an account read fifty times its normal daily volume overnight, staging data for exfiltration, would anything flag it? Endpoint tools watch processes, not file shares served to other machines. If detection is not happening at the storage layer, on behavioral patterns rather than malware signatures, the realistic answer to both questions is no.
5. Response: seconds and automatic, or minutes and manual?
Detection without response is a notification service. When the pattern crosses threshold, what happens with no human in the loop? The bar to test against: the offending session is terminated and the account isolated from storage within about a second, and pre-attack snapshots are placed on hold so they cannot age out during the incident. If the workflow is alert, ticket, analyst, action, measure it end to end — at typical encryption rates, every minute of that pipeline is thousands of files.
6. Recovery: immutable, admin-proof, and surgical
Three properties to verify. First, immutability that holds against your own administrators — if a domain admin can delete snapshots, so can an attacker holding those credentials. Second, granularity: can you roll back exactly the files the attack touched, identified from the platform’s own record, rather than restoring an entire share and losing everyone else’s work since the last clean copy? Third, speed: run the drill and time it. Whole-share restores are measured in days; file-level rollback driven by a forensic record is measured in minutes.
7. Evidence: what survives for the investigation
After containment comes the accounting: what exactly was touched, encrypted, or read before the stop? The answer determines the disclosure scope, the insurance claim, and the difference between notifying a hundred people and a million. Verify the audit record is complete, per-operation, and tamper-evident, and that the SOC can reach it — a verdict and file list pushed to the SIEM beats a raw log feed nobody can afford to ingest.
Run all seven areas honestly and you will have something more useful than a maturity score: a short, ordered list of exactly where a ransomware or exfiltration event would beat your file infrastructure today.
Go deeper
