ciso.diy
2026 Ransomware Readiness Workbook preview
Category: Incident Response. Tags: ransomware, incident response, IR playbook, ransom decision

2026 Ransomware Readiness Workbook

18 tabs of operational crisis preparedness — 80-control readiness assessment, 8 pre-built IR playbook cards with DO NOT lists, ransom decision framework with OFAC gate, and regulatory matrix covering all 2026 mandates.

The thing you prepare so you have something to open at 2am when the Slack messages start. This is operational crisis preparedness — not a checklist, not a policy template, not a tabletop guide. The workbook you run before, during, and after a ransomware incident.

The 2026 ransomware environment is structurally different from 2023: 78% of companies hit in the past year (CrowdStrike); 82% of attacks are now malware-free, identity abuse rather than novel payloads; 76% involve data exfiltration, so backups alone no longer save you; 11 hours from initial access to 9 endpoints compromised (Black Basta playbook); 80% of attacks now use AI (MIT 2,800-incident study); cartel consolidation, with LockBit, Qilin and DragonForce under one umbrella. A readiness program built on 2023 assumptions has blind spots in all six of those shifts.

18-tab architecture organized into five functional groups:

Readiness Assessment — the 80-control core tab structured on the NIST IR lifecycle (Identify 15 / Protect 25 / Detect 10 / Respond 15 / Recover 15). 0-3 scoring scale with N/A, auto-calculated domain and overall percentages, five-level readiness label (Critical / Fragile / Developing / Defended / Optimized). Five domain drill-down tabs: Attack Surface Inventory (30 pre-populated assets across 10 categories), Backup Resilience (35 controls on the 3-2-1-1-0 framework: three copies, two media types, one offsite, one offline or immutable, zero errors on restore testing), Identity Hardening (40+ controls across 5 domains — MFA, PAM, credentials, service accounts, conditional access), Detection & Response (40+ controls across 6 domains), Third-Party Risk.
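To make the scoring mechanics concrete, here is an added Python illustration of a 0-3-with-N/A assessment of the kind the tab describes. It is not the workbook's own formula: the label cut-offs (90/75/50/25) are assumed, as is the choice to treat N/A controls as excluded from the denominator rather than scored zero, and to compute the overall figure from total points over total applicable maximum so that a 25-control domain weighs more than a 10-control one. The sample scores are constructed.

```python
"""Readiness scoring on a 0-3 scale with N/A: per-domain and overall
percentages plus a five-level label. Added illustration; cut-offs and
the N/A / weighting rules are assumptions, not the workbook's formula."""
from typing import Dict, List, Optional

MAX_SCORE = 3   # 0 = absent, 1 = partial, 2 = mostly, 3 = fully implemented (assumed meaning)
NA = None       # a control that does not apply is excluded from the denominator, not scored 0

# Assumed cut-offs for the page's five labels (the page names the labels, not the thresholds).
LABEL_CUTOFFS = [
    (90.0, "Optimized"),
    (75.0, "Defended"),
    (50.0, "Developing"),
    (25.0, "Fragile"),
    (0.0, "Critical"),
]


def _points(scores: List[Optional[int]]):
    """Return (earned points, applicable control count) for a list of 0-3 scores or N/A."""
    earned = applicable = 0
    for s in scores:
        if s is NA:
            continue
        if not isinstance(s, int) or not 0 <= s <= MAX_SCORE:
            raise ValueError(f"score must be 0..{MAX_SCORE} or N/A, got {s!r}")
        earned += s
        applicable += 1
    return earned, applicable


def domain_percent(scores: List[Optional[int]]) -> Optional[float]:
    """Percentage of the maximum achievable on applicable controls; None if every control is N/A."""
    earned, applicable = _points(scores)
    if applicable == 0:
        return None
    return 100.0 * earned / (MAX_SCORE * applicable)


def overall_percent(domains: Dict[str, List[Optional[int]]]) -> Optional[float]:
    """All earned points over all applicable maximum (assumed weighting by control count)."""
    earned = applicable = 0
    for scores in domains.values():
        e, a = _points(scores)
        earned += e
        applicable += a
    if applicable == 0:
        return None
    return 100.0 * earned / (MAX_SCORE * applicable)


def readiness_label(pct: Optional[float]) -> str:
    """Map a percentage to the five-level label; an all-N/A result stays N/A."""
    if pct is None:
        return "N/A"
    for cutoff, label in LABEL_CUTOFFS:
        if pct >= cutoff:
            return label
    return "Critical"  # fallback; every value in 0..100 is caught above


def score_workbook(domains: Dict[str, List[Optional[int]]]) -> dict:
    overall = overall_percent(domains)
    return {
        "domains": {name: domain_percent(s) for name, s in domains.items()},
        "overall": overall,
        "label": readiness_label(overall),
    }


# Constructed sample using the page's NIST-lifecycle domain sizes (15/25/10/15/15).
SAMPLE = {
    "Identify": [3] * 5 + [2] * 5 + [1] * 5,   # 30 of 45
    "Protect":  [3] * 10 + [1] * 10 + [0] * 5,  # 40 of 75
    "Detect":   [2] * 8 + [NA] * 2,             # 16 of 24: two N/A controls drop out
    "Respond":  [3] * 15,                       # 45 of 45
    "Recover":  [0] * 15,                       # 0 of 45
}

if __name__ == "__main__":
    result = score_workbook(SAMPLE)
    for name, pct in result["domains"].items():
        print(f"{name:9s} {'   N/A' if pct is None else f'{pct:6.1f}%'}")
    print(f"Overall   {result['overall']:6.1f}%  {result['label']}")
```

The point of the N/A rule is that a domain with two non-applicable controls (Detect above) is judged on the eight that apply, and a domain where everything is N/A reports N/A rather than a misleading 0%.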

IR Playbook Cards — 8 pre-built decision cards for specific incident moments. Each card has the DO list and the DO NOT list:

Card 1 (First 15 Minutes): Declare incident on suspicion — do not wait for certainty. Preserve evidence: do NOT power off affected systems (volatile memory, running processes and any in-memory keys are lost on shutdown). Isolate from network but keep powered on. Initiate out-of-band comms — assume corporate email is compromised. Disconnect backup systems from network immediately.

Cards 2-8 continue through First Hour, Containment, Scope Assessment, Ransom Demand Received, External Communications, Restoration, and After-Action. Every card has a "Do Not" list because those mistakes are made in every under-prepared incident. IR consultants charge $25K-$50K to build these from scratch for a single client.

Ransom Decision Framework — three sequential gates:

Gate 1 Legal & Sanctions: Six checks (OFAC, attribution, external counsel, FBI notification, insurance, jurisdictional restrictions). OFAC enforces sanctions on a strict-liability basis: duress is not a defense, a payment to a sanctioned entity (or routed through one) exposes the payer and the firms facilitating it to civil penalties, and willful violations can be prosecuted criminally. If any sanctioned-entity indicator exists, STOP.

Gate 2 Operational Factors: Eight questions, including: backups intact? RTO without payment? data exfiltrated? decryptor reliability? life-safety? regulatory impact?

Gate 3 Decision Authority: Named authority, board briefing, D&O carrier, payment execution through vendor, written rationale, post-payment commitments.

Negotiation Playbook: Never-in-house principle, pricing realities (50-70% discount typical in professional negotiations), post-payment truths (decryptors are slow, data still leaked).

Communication Plans for 12 audiences with timing, channel, and key messages pre-written.

Regulatory Matrix — 20 frameworks including all 2026 mandates that 2023 workbooks miss: DORA, NIS2, EU AI Act, Australia 72-hour mandatory payment reporting (May 2025), CIRCIA, expanded SEC 4-day rule, GDPR 72-hour, HIPAA, PCI DSS 4.0.1, NY DFS, state laws.

Tabletop Integration tab maps this workbook's controls to 7 scenarios in the Tabletop Exercise Pack — S1 Ransomware is the primary, S2/S4/S5/S6/S9/S10 as complements. Shows buyers exactly how both products work together.

Cost Exposure Calculator: 7-component financial model (downtime, ransom, remediation, legal, regulatory, reputational, forensics) pulling IBM 2026 baselines. Downtime is usually the largest component — not the ransom.

Post-Incident Recovery: 30/60/90-day sprint with 30 specific actions and named owners.

Executive Dashboard: Auto-calculated overall score, domain breakdown, status indicator.

Ecosystem Map (Tab 2): Full six-stage readiness journey — ir.breached.company (free maturity assessment) → ircost.breached.company (cost modeling) → breached.company (breach case studies) → this workbook → Tabletop Pack → incidentresponse.tools.

User Guide — 24 sections, 753 paragraphs. Standout sections: Section 6 (identity hardening for the 82% malware-free reality — the most important shift), Section 9 (Ransom Decision Framework gate by gate), Section 10 (negotiation: never in-house and why), Section 17 (the attestation gap — biggest cause of cyber insurance claim denial in 2025-2026), Section 18 (industry adjustments: healthcare/financial/manufacturing/SaaS/public sector/retail), Section 21 (presenting to CFO and board). The single most important instruction the guide delivers: pre-write your ransom payment decision policy before an incident. Board-approved. During an active incident, the document becomes the reference — not a debate topic.

What's included

  • Excel (.xlsx) — fully editable
  • Word (.docx) — User Guide — fully editable
  • Instant download after purchase
  • Free updates — re-download when we release new versions
  • Practitioner License: unlimited client use (vCISO / MSP)

Price: $599.00. Secure checkout via Lemon Squeezy, all major cards accepted, 30-day satisfaction guarantee.
Version 1.0
Last updated 2026-04-17
Workbook tabs 18