Ransomware Restore Readiness Checklist

A practical restore test plan: 15-minute minimum test + deeper restore rehearsal.

What this gives you

A minimum viable restore test you can run weekly/monthly.
A quarterly restore rehearsal template that produces evidence and confidence.
A simple “if ransomware happens” first-hour checklist.

1) Minimum viable restore test (15 minutes)

Do this monthly. The goal is to prove you can restore something useful quickly.

Restore one business-critical file to a safe location.
Restore one email (or mailbox item) if you have SaaS backup, or export a sample mailbox item if not.
Open the restored file and confirm it’s correct.
Record the time taken + any issues.

2) Restore rehearsal (quarterly)

Pick one scenario:

Server/VM failure
Accidental deletion of shared folder
Ransomware on a workstation spreading to file shares

Steps:

Identify top 3 systems: e.g., file share, email, line-of-business app.
Define target RTO/RPO (even rough): RTO ____ / RPO ____.
Restore into a test location (or isolated VLAN/VM) and validate access.
Capture screenshots + notes as evidence.
Update the runbook with any improvements.

3) First-hour checklist (suspected ransomware)

Task	Status	Notes
Isolate affected device(s) from network (Wi‑Fi off / unplug Ethernet)	☐
Do not power off servers unless instructed (preserve evidence)	☐
Check for signs of spread (file shares, multiple PCs)	☐
Pause scheduled jobs that might overwrite backups	☐
Confirm backup integrity / immutability	☐
Notify key stakeholders (management + finance + privacy lead)	☐

4) Restore log (evidence template)

Field	Value
Date	__________
Scenario	__________
System / dataset restored	__________
Restore method	Backup software / Snapshot / Cloud versioning / Other
Time to restore	__________
Validation result	Pass / Fail
Issues found	__________
Follow-up actions	__________

5) What “good” looks like (plain English)

You can restore a critical file in minutes, not hours.
You know who does what during an incident.
You have at least one backup copy that ransomware cannot change (immutable/offline).
You have tested restores recently and recorded the result.

Note: This document is general operational guidance and does not replace legal advice. It helps you establish a practical baseline and reduce common privacy risks.

👉 Free 30-minute consultation

No hard sell - just clarity and practical next steps.

hello@virtusgroup.biz
virtusgroup.co.nz
0800 847 887 (VIRTUS)

Book now