Every business likes to believe it would handle a ransomware attack calmly and decisively. In practice, the calm decisions are the ones made in advance, on a normal Tuesday afternoon with no pressure attached, not during the three in the morning phone call when every file on the server has just been encrypted. By that point the questions have become far more expensive to answer, and the room for careful thinking has essentially vanished.
The questions that only get asked mid-crisis
When ransomware actually hits, a business needs answers to a specific set of questions almost immediately: which backups are clean and how far back do they go, whether the backups themselves were reachable from the compromised network, who has the authority to take systems offline, and who actually needs to be informed in the first hour. Businesses that have never rehearsed these questions tend to lose the most valuable early hours simply figuring out who is meant to be making each decision, hours that a prepared organisation would have spent containing the spread.
A structured review, often built around vulnerability scan services, helps surface exactly where a real attack would exploit those unanswered questions, testing not just whether ransomware could get in, but what it could actually reach and encrypt once it did, and whether your backup strategy would survive contact with a determined attacker rather than just a hardware failure.

Backups fail for reasons nobody tests for
A backup that has never been tested for restoration is a hope, not a plan. Plenty of businesses discover during an actual incident that their backups were stored on the same network segment as production, meaning the ransomware encrypted the backups right alongside the original files. Others find that backups were technically running but had silently failed months earlier, with nobody checking the logs closely enough to notice before the moment they needed them most, which is invariably the worst possible time to find out, and by then there is no earlier point to go back to.
William Fieldhouse has seen this particular failure mode often enough that it has become one of his standard early questions.
“The question I ask every client is simple: when did you last actually restore from your backup, not just check that the job completed. Most cannot answer it. One client discovered during a live incident that their backup server shared credentials with the domain controller, so the ransomware walked straight across and encrypted three months of history in the same afternoon it hit production.”
— William Fieldhouse, Director of Aardwolf Security Ltd
That single shared credential turned what should have been a recoverable incident into a genuinely catastrophic one, and it is exactly the kind of structural weakness that only surfaces when someone actually tests the isolation between production and backup systems rather than simply trusting that a backup job running successfully means recovery will work when it actually matters.
Answer the hard questions while things are calm
Work through backup isolation, restoration testing, decision-making authority and communication plans before an incident forces the issue. Combine that planning with internal network pen testing to identify how ransomware would actually move through your specific network rather than a generic one. Contact Aardwolf Security to pressure-test your ransomware readiness while you still have the luxury of time to fix what it finds.
