Monitoring NVD, CISA KEV, EPSS and the Dragons Community ransomware tracker in near-real time

Ransomware Readiness Assessment

Document · By Dragons Community Incident Response · ransomware · assessment · readiness

All intelligence content is fictional, redacted and defensive. No real credentials, stolen data, exploit instructions, malware links, payment information or private personal data is published. This assessment is for defensive use only. Use it to evaluate and strengthen your own organization's controls. Findings should feed a prioritized remediation plan, not serve as a one-time checkbox exercise.

Ransomware remains one of the most disruptive threats facing organizations of every size, capable of halting operations, destroying data, and triggering regulatory and reputational fallout. This self-assessment helps security and IT teams gauge how prepared they are to prevent, detect, contain, and recover from a ransomware incident. It is organized around the controls emphasized by CISA #StopRansomware guidance and the Cross-Sector Cybersecurity Performance Goals (CPGs), mapped loosely to the NIST Cybersecurity Framework functions. Work through each section honestly, answering a readiness question "yes" only when the control is implemented, documented, and verified in practice. Any "no" or "unsure" answer marks a gap to prioritize.

Backups and Recovery

Reliable, tested, and isolated backups are the single most important factor in surviving a ransomware event without paying a ransom. Modern ransomware actively seeks out and deletes or encrypts backups, so copies must be immutable or offline and outside the reach of normal domain credentials.

Aim for the 3-2-1 pattern at minimum: three copies of data, on two different media types, with one copy kept offline or in immutable storage. The only backup that matters is one you have proven you can restore within your recovery time objectives.

  • Do we follow a 3-2-1 backup strategy (three copies, two media types, one offline or off-site)?
  • Is at least one backup copy immutable or air-gapped so it cannot be altered by compromised accounts?
  • Are backups encrypted at rest and protected by credentials separate from production domain accounts?
  • Have we performed and documented a full restore test within the last three months?
  • Do we have defined and validated Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) for critical systems?
  • Are backup systems monitored for failures, deletions, and anomalous mass-change activity?
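The following Python is an added example, not part of the Dragons Community assessment: it checks a constructed backup inventory against the 3-2-1 rule, flags a restore test older than the 90-day window the checklist implies, and verifies a restored tree against a SHA-256 manifest taken at backup time. The inventory fields, the 90-day threshold, and the sample files are assumptions.

```python
"""3-2-1 policy check, restore-test freshness, and manifest-based restore verification."""
import hashlib
import os
import tempfile
from datetime import date, timedelta

# Constructed backup inventory (assumed record layout, not a real tool's export).
BACKUP_COPIES = [
    {"dataset": "finance-db", "media": "disk", "offline_or_immutable": False},
    {"dataset": "finance-db", "media": "object-lock", "offline_or_immutable": True},
    {"dataset": "finance-db", "media": "tape", "offline_or_immutable": True},
    {"dataset": "hr-files", "media": "disk", "offline_or_immutable": False},
    {"dataset": "hr-files", "media": "disk", "offline_or_immutable": False},
]


def check_321(copies):
    """Return {dataset: [violated 3-2-1 conditions]}; an empty list means compliant."""
    by_dataset = {}
    for copy in copies:
        by_dataset.setdefault(copy["dataset"], []).append(copy)
    findings = {}
    for dataset, cs in by_dataset.items():
        problems = []
        if len(cs) < 3:
            problems.append("fewer than three copies")
        if len({c["media"] for c in cs}) < 2:
            problems.append("fewer than two media types")
        if not any(c["offline_or_immutable"] for c in cs):
            problems.append("no offline or immutable copy")
        findings[dataset] = problems
    return findings


def restore_test_overdue(last_test, today, max_age_days=90):
    """True when the last documented full restore test is older than the assumed 90-day window."""
    return (today - last_test) > timedelta(days=max_age_days)


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256; taken at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the backup-time manifest: missing and altered files fail the test."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    corrupted = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return {"missing": missing, "corrupted": corrupted, "ok": not missing and not corrupted}


def demo_restore_check():
    """Simulate backup -> restore in a temp dir, with one file altered and one never restored."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        restored = os.path.join(tmp, "restored")
        os.makedirs(src)
        os.makedirs(restored)
        files = {"ledger.csv": "a,b\n1,2\n", "notes.txt": "ok\n", "config.ini": "x=1\n"}
        for name, body in files.items():
            with open(os.path.join(src, name), "w") as fh:
                fh.write(body)
        manifest = build_manifest(src)
        # "Restore": ledger intact, notes.txt altered, config.ini absent.
        with open(os.path.join(restored, "ledger.csv"), "w") as fh:
            fh.write(files["ledger.csv"])
        with open(os.path.join(restored, "notes.txt"), "w") as fh:
            fh.write("tampered\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print(check_321(BACKUP_COPIES))
    print(restore_test_overdue(date(2024, 1, 1), date(2024, 6, 10)))
    print(demo_restore_check())
```

The manifest is the part worth keeping: a restore that "completes" but returns altered or missing files is exactly the failure the checklist's restore-test question is meant to catch, and a hash list stored with the backup (ideally on the immutable copy) makes that visible without trusting the backup software's own status.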

Identity and Access Management

Stolen or weak credentials are a primary ransomware entry point and the main vehicle for lateral movement. Phishing-resistant multi-factor authentication and disciplined least-privilege access dramatically reduce an attacker's ability to escalate and spread.

Pay particular attention to privileged accounts, service accounts, and any remote or administrative access path, which are the highest-value targets during the intrusion phase.

  • Is MFA enforced on all remote access, email, VPN, and privileged accounts?
  • Are we moving toward phishing-resistant MFA (FIDO2 or hardware tokens) for administrators?
  • Do we apply least-privilege access and review entitlements at least quarterly?
  • Are local administrator passwords unique per host (for example, via LAPS) rather than shared?
  • Are inactive, orphaned, and default accounts disabled or removed on a regular cadence?
  • Is privileged access logged, time-bound, and granted only through approved workflows?
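As an added example (not part of the Dragons Community assessment), this Python runs the quarterly account review the list above asks for over a constructed directory export: it flags inactive accounts, service accounts whose owner has left, enabled built-in accounts, interactive privileged users without MFA, and privileged group members outside an approved baseline. The field names, the 90-day inactivity cutoff, the roster, and the baseline are all assumptions.

```python
"""Periodic account hygiene review over a constructed directory export."""
from datetime import date, timedelta

# Constructed export (assumed field names; not a real directory schema).
ACCOUNTS = [
    {"sam": "alice", "enabled": True, "last_logon": date(2024, 6, 1), "type": "user", "owner": None, "mfa": True, "groups": ["Domain Admins"]},
    {"sam": "bob", "enabled": True, "last_logon": date(2023, 11, 20), "type": "user", "owner": None, "mfa": False, "groups": []},
    {"sam": "erin", "enabled": True, "last_logon": date(2024, 6, 9), "type": "user", "owner": None, "mfa": False, "groups": ["Domain Admins"]},
    {"sam": "svc-backup", "enabled": True, "last_logon": date(2024, 6, 2), "type": "service", "owner": "carol", "mfa": False, "groups": ["Backup Operators"]},
    {"sam": "svc-legacy", "enabled": True, "last_logon": None, "type": "service", "owner": "dave", "mfa": False, "groups": ["Domain Admins"]},
    {"sam": "Guest", "enabled": True, "last_logon": None, "type": "builtin", "owner": None, "mfa": False, "groups": []},
    {"sam": "temp-contractor", "enabled": False, "last_logon": date(2022, 1, 1), "type": "user", "owner": None, "mfa": False, "groups": []},
]
CURRENT_STAFF = {"alice", "bob", "carol", "erin"}   # constructed HR roster; "dave" has left
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}
# Assumed approved baseline from the last entitlement review.
APPROVED_PRIVILEGED = {"Domain Admins": {"alice", "erin"}, "Backup Operators": {"svc-backup"}}
DEFAULT_ACCOUNTS = {"Guest"}   # built-ins the assumed policy requires to stay disabled


def review_accounts(accounts, today, stale_days=90):
    """Classify enabled accounts into the review buckets; disabled accounts are out of scope."""
    cutoff = today - timedelta(days=stale_days)
    report = {
        "inactive": [], "orphaned": [], "default_enabled": [],
        "privileged_without_mfa": [], "unapproved_privileged": [],
    }
    for acct in accounts:
        name = acct["sam"]
        if not acct["enabled"]:
            continue
        # Never logged on, or no logon since the cutoff.
        if acct["last_logon"] is None or acct["last_logon"] < cutoff:
            report["inactive"].append(name)
        # Service account whose named owner is no longer on the roster.
        if acct["type"] == "service" and acct["owner"] not in CURRENT_STAFF:
            report["orphaned"].append(name)
        if name in DEFAULT_ACCOUNTS:
            report["default_enabled"].append(name)
        privileged = [g for g in acct["groups"] if g in PRIVILEGED_GROUPS]
        # MFA applies to interactive users; service accounts are covered by the owner/baseline rules.
        if privileged and acct["type"] == "user" and not acct["mfa"]:
            report["privileged_without_mfa"].append(name)
        for group in privileged:
            if name not in APPROVED_PRIVILEGED.get(group, set()):
                report["unapproved_privileged"].append((group, name))
    return report


if __name__ == "__main__":
    for bucket, names in review_accounts(ACCOUNTS, date(2024, 6, 10)).items():
        print(f"{bucket}: {names}")
```

The baseline comparison is the piece most often missing in practice: an account that is both never-logged-on and a member of a privileged group, as svc-legacy is here, is a standing lateral-movement path until someone owns the decision to remove it.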

Network Segmentation and Exposure

Flat networks let ransomware propagate from a single foothold to the entire estate within hours. Segmentation limits blast radius, and reducing internet-facing exposure removes the most commonly abused initial-access vectors.

Exposed Remote Desktop Protocol (RDP), unpatched VPN appliances, and management interfaces reachable from the internet are repeatedly cited in CISA advisories as ransomware entry points. They should be eliminated or placed behind strong access controls.

  • Have we confirmed that no RDP or management interfaces are directly exposed to the internet?
  • Is remote access brokered through MFA-protected VPN or zero-trust access rather than open ports?
  • Are critical assets, OT/ICS, and backup infrastructure isolated in separate network segments?
  • Do we maintain an accurate, current inventory of all external-facing services and IP ranges?
  • Are east-west traffic flows restricted by firewall rules or microsegmentation?
  • Do we regularly scan our external perimeter for unexpected open ports and exposed services?
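The following Python is an added example (not from the Dragons Community assessment) of what to do with the perimeter scan results the last question asks for: it diffs a constructed scan against the approved external-services inventory, flags services that should never be directly reachable, and surfaces inventory entries the scan no longer sees. The port policy, the addresses (documentation range 203.0.113.0/24), and both lists are constructed.

```python
"""Compare perimeter scan results with the approved external-services inventory."""

# Assumed policy: ports that should never be directly exposed to the internet.
NEVER_EXPOSED = {3389: "RDP", 445: "SMB", 5985: "WinRM", 5986: "WinRM/TLS", 1433: "MSSQL", 3306: "MySQL"}

# Constructed approved inventory: (ip, port) -> purpose.
APPROVED = {
    ("203.0.113.10", 443): "public web (marketing)",
    ("203.0.113.11", 443): "zero-trust access gateway",
    ("203.0.113.14", 25): "mail relay",
}

# Constructed perimeter scan output: (ip, port) pairs found open.
SCAN = [
    ("203.0.113.10", 443),
    ("203.0.113.11", 443),
    ("203.0.113.12", 3389),
    ("203.0.113.12", 445),
    ("203.0.113.13", 8443),
]


def review_exposure(scan, approved, never_exposed):
    """Return three lists: not in inventory, hitting the never-exposed policy, and inventory drift."""
    seen = set(scan)
    unexpected = [(ip, port) for ip, port in scan if (ip, port) not in approved]
    forbidden = [(ip, port, never_exposed[port]) for ip, port in scan if port in never_exposed]
    # Approved but not observed: decommissioned service, or a scan that silently lost coverage.
    stale_inventory = [entry for entry in approved if entry not in seen]
    return {"unexpected": unexpected, "forbidden": forbidden, "stale_inventory": stale_inventory}


if __name__ == "__main__":
    for key, rows in review_exposure(SCAN, APPROVED, NEVER_EXPOSED).items():
        print(key, rows)
```

Run this on every scan, not just the first: the value is in the delta between the inventory and what is actually reachable, in both directions.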

Patch and Vulnerability Management

Ransomware groups routinely weaponize known vulnerabilities, often within days of disclosure. Prioritizing the CISA Known Exploited Vulnerabilities (KEV) catalog ensures the flaws most likely to be used against you are remediated first.

A mature program combines timely patching with risk-based prioritization, compensating controls for systems that cannot be patched immediately, and verification that patches were actually applied.

  • Do we remediate CISA KEV-listed vulnerabilities within defined, aggressive timelines?
  • Is there a documented patch management process with SLAs by asset criticality?
  • Do we run authenticated vulnerability scans across the environment at least monthly?
  • Are internet-facing systems patched on an accelerated schedule compared to internal ones?
  • Do we track and apply compensating controls for unpatchable or end-of-life systems?
  • Do we verify patch deployment and remediation rather than assuming success?
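As an added example (not part of the Dragons Community assessment), this Python implements the prioritization the section describes: KEV-listed findings first, accelerated timelines for internet-facing assets, and a finding that stays open until a rescan verifies the fix. The SLA numbers, the scanner record layout, and the CVE-style identifiers (placeholders of the form CVE-0000-nnnn, not real entries) are all assumptions.

```python
"""KEV-first remediation prioritization with assumed SLAs and verification tracking."""
from datetime import date, timedelta

# Constructed placeholders standing in for CISA KEV entries; not real CVE identifiers.
KEV_CATALOG = {"CVE-0000-1111", "CVE-0000-3333"}

# Assumed SLA policy in days, by tier and exposure (internet-facing gets the faster schedule).
SLA_DAYS = {
    "kev":   {"external": 3,  "internal": 7},
    "high":  {"external": 14, "internal": 30},
    "other": {"external": 30, "internal": 90},
}
TIER_RANK = {"kev": 0, "high": 1, "other": 2}

# Constructed scanner findings; status tracks whether remediation was verified by rescan.
FINDINGS = [
    {"cve": "CVE-0000-1111", "asset": "web-01", "internet_facing": True, "cvss": 9.8, "found": date(2024, 6, 1), "status": "open"},
    {"cve": "CVE-0000-2222", "asset": "file-srv", "internet_facing": False, "cvss": 8.1, "found": date(2024, 5, 20), "status": "open"},
    {"cve": "CVE-0000-3333", "asset": "vpn-gw", "internet_facing": True, "cvss": 7.5, "found": date(2024, 6, 8), "status": "patched-unverified"},
    {"cve": "CVE-0000-4444", "asset": "hr-app", "internet_facing": False, "cvss": 4.3, "found": date(2024, 2, 1), "status": "open"},
    {"cve": "CVE-0000-5555", "asset": "db-01", "internet_facing": False, "cvss": 9.1, "found": date(2024, 5, 1), "status": "verified"},
]


def tier_of(finding, kev=KEV_CATALOG):
    """KEV membership outranks severity; CVSS 7.0+ is 'high' under the assumed policy."""
    if finding["cve"] in kev:
        return "kev"
    return "high" if finding["cvss"] >= 7.0 else "other"


def prioritize(findings, today, kev=KEV_CATALOG):
    """Rank unverified findings: KEV first, overdue before on-track, then CVSS descending."""
    work = []
    for f in findings:
        if f["status"] == "verified":
            continue                      # only a confirming rescan closes a finding
        tier = tier_of(f, kev)
        exposure = "external" if f["internet_facing"] else "internal"
        due = f["found"] + timedelta(days=SLA_DAYS[tier][exposure])
        work.append({
            "cve": f["cve"], "asset": f["asset"], "tier": tier, "cvss": f["cvss"],
            "due": due, "overdue": today > due,
            "needs_verification": f["status"] == "patched-unverified",
        })
    work.sort(key=lambda w: (TIER_RANK[w["tier"]], not w["overdue"], -w["cvss"]))
    return work


if __name__ == "__main__":
    for w in prioritize(FINDINGS, date(2024, 6, 10)):
        flag = "OVERDUE" if w["overdue"] else "on track"
        print(f'{w["cve"]} {w["asset"]:9} tier={w["tier"]:5} due={w["due"]} {flag} verify={w["needs_verification"]}')
```

Note that the highest-CVSS item in the sample (db-01) drops out entirely because it is verified, while a CVSS 4.3 finding still appears at the bottom as overdue: the queue is driven by exploitation evidence and elapsed SLA, not by the severity score alone.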

Email and Endpoint Defense

Phishing and malicious attachments remain a leading ransomware delivery method, while endpoints are where payloads ultimately execute. Layered email filtering combined with endpoint detection and response (EDR) gives defenders both prevention and early detection.

Endpoint controls should block known malicious behavior, restrict script execution, and feed telemetry into a monitored detection pipeline so encryption attempts can be halted before they spread.

  • Is EDR or equivalent deployed and actively monitored on all servers and workstations?
  • Do we filter inbound email for malicious attachments, links, and spoofed senders (SPF, DKIM, DMARC)?
  • Are macros from the internet blocked by default across the organization?
  • Is application allow-listing or script execution control in place for high-risk endpoints?
  • Do endpoints automatically isolate from the network when EDR detects ransomware behavior?
  • Are endpoint and email defenses tuned and reviewed against current threat intelligence?
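The following Python is an added example, not part of the Dragons Community assessment, for the SPF/DKIM/DMARC question above: it evaluates SPF and DMARC policy text offline and reports the weaknesses a reviewer would look for (softfail or `+all`, more than the 10 DNS lookups RFC 7208 permits, `p=none`, partial `pct`, no aggregate reporting address). The record strings are constructed; nothing is looked up in DNS.

```python
"""Offline evaluation of SPF and DMARC policy records (constructed record text)."""

MAX_SPF_LOOKUPS = 10   # RFC 7208 limit; exceeding it makes receivers return permerror


def evaluate_spf(record):
    """Check the 'all' qualifier and count lookup-causing mechanisms in an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "issues": ["not an SPF record"], "lookups": 0, "all": None}
    issues, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        if term.lower().startswith("redirect="):
            lookups += 1          # the redirect modifier costs a lookup too
            continue
        qualifier, mech = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        mech_l = mech.lower()
        if mech_l == "all":
            all_qualifier = qualifier
        elif mech_l in ("a", "mx", "ptr") or mech_l.startswith(
            ("a:", "a/", "mx:", "mx/", "ptr:", "include:", "exists:")
        ):
            lookups += 1          # ip4:/ip6: match without DNS and are not counted
    if all_qualifier is None:
        issues.append("no 'all' mechanism; unlisted senders are neutral")
    elif all_qualifier == "+":
        issues.append("'+all' allows any sender")
    elif all_qualifier == "~":
        issues.append("'~all' softfail; prefer '-all' once DMARC reports confirm all legitimate senders")
    if lookups > MAX_SPF_LOOKUPS:
        issues.append(f"{lookups} DNS lookups exceed the limit of {MAX_SPF_LOOKUPS}; record will permerror")
    return {"valid": True, "issues": issues, "lookups": lookups, "all": all_qualifier}


def evaluate_dmarc(record):
    """Check policy strength, enforcement percentage and reporting in a DMARC record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "issues": ["not a DMARC record"], "policy": None}
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= tag")
    elif policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))
    if policy in ("quarantine", "reject") and pct < 100:
        issues.append(f"pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        issues.append("no rua= address; aggregate reports will not be received")
    return {"valid": True, "issues": issues, "policy": policy}


if __name__ == "__main__":
    print(evaluate_spf("v=spf1 ip4:203.0.113.0/24 include:_spf.example.net mx -all"))
    print(evaluate_spf("v=spf1 a mx include:a.example.net include:b.example.net ~all"))
    print(evaluate_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"))
    print(evaluate_dmarc("v=DMARC1; p=quarantine; pct=25"))
```

DKIM is deliberately not scored here: a selector record only shows that a key is published, and whether outbound mail is actually signed has to be confirmed from message headers or DMARC aggregate reports.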

Detection and Monitoring

Early detection of pre-encryption activity such as credential theft, lateral movement, and backup tampering can mean the difference between an isolated incident and an enterprise-wide outage. Centralized logging and alerting are prerequisites for both detection and post-incident forensics.

Detection should focus on the behaviors that precede ransomware deployment, not just the encryption event itself, and alerts must reach staff who can act on them around the clock.

  • Are logs from endpoints, identity, network, and cloud centralized in a SIEM or log platform?
  • Do we have alerting for suspicious behaviors such as mass file changes, shadow copy deletion, and privilege escalation?
  • Is log retention sufficient (typically 90 days or more) to support investigation?
  • Do we have 24/7 monitoring coverage, whether in-house or via a managed service?
  • Have we deployed detections for known ransomware TTPs mapped to MITRE ATT&CK?
  • Are detection rules tested and validated through purple-team or tabletop exercises?
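As an added example (not part of the Dragons Community assessment), this Python runs three of the pre-encryption detections named above over constructed endpoint telemetry: a burst of file renames on one host, shadow copy deletion commands, and a change to a privileged group. The log format, the hosts and users, the 20-renames-in-60-seconds threshold, and the group list are all assumptions; the telemetry is not output from any real EDR or SIEM.

```python
"""Behavioral detections over constructed endpoint telemetry (key=value lines)."""
import re
from datetime import datetime

# Constructed telemetry: ts, host, type, then type-specific keys. Not real product output.
SAMPLE_LOG = [
    'ts=2024-06-10T03:14:00Z host=ws-17 type=process user=jdoe cmd="vssadmin list shadows"',
    'ts=2024-06-10T03:14:05Z host=ws-17 type=process user=jdoe cmd="vssadmin delete shadows /all /quiet"',
    'ts=2024-06-10T03:15:30Z host=dc-01 type=group_add group="Domain Admins" member=svc-legacy actor=jdoe',
    'ts=2024-06-10T03:20:00Z host=ws-02 type=file_rename path="C:\\data\\a.docx" new_ext=.bak',
]
# Constructed burst: 25 renames to a new extension on ws-17 within 25 seconds.
SAMPLE_LOG += [
    f'ts=2024-06-10T03:14:{10 + i:02d}Z host=ws-17 type=file_rename path="C:\\share\\doc{i}.xlsx" new_ext=.locked'
    for i in range(25)
]

KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MASS_RENAME_THRESHOLD = 20    # assumed tuning values
WINDOW_SECONDS = 60
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
# Command-line patterns for shadow copy deletion (widely published detection content).
SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
]


def parse_line(line):
    """Parse key=value pairs (values may be double-quoted) and the ISO timestamp."""
    event = {k: v.strip('"') for k, v in KV.findall(line)}
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines):
    """Return alerts in time order; each alert names the rule, host and a detail string."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    alerts = []
    rename_windows = {}          # host -> timestamps of renames inside the sliding window
    for ev in events:
        if ev["type"] == "process" and any(p.search(ev.get("cmd", "")) for p in SHADOW_DELETE):
            alerts.append({"rule": "shadow_copy_deletion", "host": ev["host"], "detail": ev["cmd"]})
        elif ev["type"] == "group_add" and ev.get("group") in PRIVILEGED_GROUPS:
            alerts.append({"rule": "privileged_group_change", "host": ev["host"],
                           "detail": f'{ev["member"]} added to {ev["group"]} by {ev["actor"]}'})
        elif ev["type"] == "file_rename":
            window = rename_windows.setdefault(ev["host"], [])
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > WINDOW_SECONDS:
                window.pop(0)    # drop renames that fell out of the window
            if len(window) == MASS_RENAME_THRESHOLD:   # fire once, when the threshold is first crossed
                alerts.append({"rule": "mass_file_rename", "host": ev["host"],
                               "detail": f'{len(window)} renames in {WINDOW_SECONDS}s (last ext {ev.get("new_ext")})'})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f'{alert["rule"]:25} {alert["host"]:6} {alert["detail"]}')
```

The ordering of the three alerts in the sample is the point: shadow copy deletion and the privileged group change both precede or accompany the rename burst, so a pipeline that only alerts on the encryption event itself would see the incident last.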

Incident Response Planning

A documented, rehearsed incident response plan turns chaos into coordinated action during a ransomware event. The plan must define roles, decision authority, communication paths, and the specific steps to isolate, eradicate, and recover.

Critically, the plan should address legal, regulatory, and communications considerations, and explicitly outline the organization's position on ransom payment and engagement with law enforcement before an incident occurs.

  • Do we have a written, ransomware-specific incident response plan with defined roles and contacts?
  • Have we exercised the plan through a tabletop or simulation in the last 12 months?
  • Are out-of-band communication channels established in case primary systems are encrypted?
  • Do we have predefined legal, PR, insurance, and law-enforcement contacts (including CISA reporting)?
  • Is there a documented decision framework regarding ransom payment and its legal implications?
  • Are recovery runbooks for critical systems documented and accessible offline?

User Awareness and Training

People are both the first target and the first line of defense. Regular, relevant security awareness training reduces the likelihood that a phishing email or malicious link becomes the foothold for an attack.

Effective programs go beyond annual compliance training, using simulated phishing, role-specific guidance, and a no-blame reporting culture that encourages staff to flag suspicious activity quickly.

  • Do all staff complete security awareness training at onboarding and at least annually?
  • Do we run regular simulated phishing campaigns and coach those who fall for them?
  • Is there a simple, well-publicized way for users to report suspicious emails?
  • Do privileged users and high-risk roles receive targeted, role-specific training?
  • Are users trained to recognize ransomware warning signs and to report them immediately?
  • Do we measure training effectiveness and adjust based on phishing and incident metrics?