Ransomware Readiness Assessment: Guide & Methodology
Is your organization prepared for a ransomware attack? The Ransomware Readiness Assessment evaluates your prevention, detection, and recovery capabilities in three steps. On this page, you can learn how the assessment works, the methodology behind it, and how to use the results.
What is the Ransomware Readiness Assessment?
The Ransomware Readiness Assessment is an interactive tool that evaluates how well your organization is prepared for a ransomware attack. Ransomware is no longer a matter of "if" but "when": according to the Sophos State of Ransomware Report, more than 60% of organizations are affected. The question is not whether you will be attacked, but whether you can recover without paying a ransom.
The assessment analyzes the full ransomware kill chain: from prevention and detection to response and recovery. In three steps, you inventory your current measures and receive a readiness score with concrete recommendations. The tool is designed for IT managers, system administrators, CISOs, and executives who want insight into their vulnerabilities and need to know where to invest.
All responses are processed locally in your browser. No data is sent to a server, so you can complete the assessment without any concerns about confidentiality.
Methodology and data sources
The assessment is based on multiple authoritative sources that together provide a comprehensive picture of the ransomware threat and best practices for defense.
NIST SP 800-82 and the Cybersecurity Framework
The structure of the assessment follows the NIST Cybersecurity Framework with its five functions: Identify, Protect, Detect, Respond, and Recover. This framework is the international standard for assessing cybersecurity maturity and is recommended as a reference by both national cybersecurity agencies and the EU. Each question in the assessment is mapped to one or more NIST functions.
Sophos State of Ransomware Report
The Sophos report provides annual insights into ransomware prevalence, average ransom amounts, the percentage of organizations that pay, and the effectiveness of various defense measures. This data is used to calibrate the weighting of individual measures and to enable sector comparisons.
Coveware Quarterly Ransomware Reports
Coveware publishes quarterly data on ransomware incidents, including average downtime, recovery times, payment rates, and the most commonly used attack vectors. This operational data forms the basis for the impact estimates in the assessment, particularly the relationship between measures and expected recovery time.
Kill chain approach
The assessment evaluates the full ransomware kill chain. A ransomware attack proceeds in phases: gaining initial access (often via phishing or vulnerabilities), lateral movement within the network, privilege escalation, data exfiltration in double extortion scenarios, and ultimately encryption. Effective defense requires measures at every phase, as no single defensive layer is one hundred percent effective.
How does the assessment work? (3 steps)
Prevention & Detection
The first step focuses on your first line of defense. You begin by evaluating your backup strategy, the most critical factor in ransomware resilience. The options range from "no backups" through "local backups only" and "offsite but untested" to the gold standard: a tested 3-2-1 strategy with at least three copies, two media types, and one offsite location.
Next, you inventory the preventive measures in place:
- Network segmentation — limits the lateral movement of ransomware after an initial compromise. Without segmentation, an attacker can encrypt the entire network from a single compromised workstation.
- Email filtering — blocks phishing emails and malicious attachments, the most common initial attack vector for ransomware.
- EDR/antivirus — detects and blocks known and unknown malware on endpoints. EDR provides significantly better protection than traditional antivirus through behavioral analysis.
- Privilege management — the principle of least privilege ensures that users and processes only have the minimum necessary permissions. This makes privilege escalation by attackers more difficult.
- Macro blocking — blocks Office macros, a frequently used method to activate malware via email attachments.
- USB restriction — prevents infection via physical media and limits the ability to exfiltrate data.
Assume that attackers will get through your prevention. That is why the next step is equally important.
Detection & Monitoring
Rapid detection limits damage exponentially. The sooner you discover a ransomware infection, the fewer systems get encrypted and the smaller the blast radius. In this step, you evaluate the depth of your monitoring:
- SIEM/centralized logging — centralized log collection and correlation makes it possible to recognize patterns that remain invisible on individual systems.
- 24/7 SOC monitoring — a Security Operations Center that continuously and actively monitors ensures that alerts are acted upon outside of business hours as well. Many ransomware attacks start on weekends or during the night.
- Anomaly detection — identifies abnormal behavior such as mass file modifications, unusual network patterns, or suspicious process activity that may indicate encryption.
- Honeypots and canary files — decoy files and fake systems that immediately trigger an alarm when accessed. An extremely effective early warning for lateral movement.
- Vulnerability scanning — regular scans identify vulnerabilities before attackers exploit them. Unpatched systems are one of the three most commonly used attack vectors.
- Dark web monitoring — detects whether stolen credentials or data from your organization are being traded, which may indicate an ongoing or upcoming attack.
You also indicate how quickly you expect to detect a ransomware infection: within hours, within a day, multiple days, or unknown. This estimate is correlated with the detection measures in place to assess reliability.
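Two of the detection signals listed above, mass file modification and canary file access, can be checked with very little code once file-share activity is logged centrally. The following is an added example, not code from the assessment tool: it runs over a constructed set of file-activity events (the `timestamp|host|user|action|path` format, the canary path, the 60-second window and the threshold of five changes are all assumptions) and raises one alert per rule per host.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of file-share activity events (not real logs), one per line:
# "timestamp|host|user|action|path"
SAMPLE_EVENTS = """\
2024-05-04T02:10:01|WS-017|jdoe|MODIFY|/srv/shares/finance/q1.xlsx
2024-05-04T02:10:02|WS-017|jdoe|RENAME|/srv/shares/finance/q1.xlsx.locked
2024-05-04T02:10:03|WS-017|jdoe|MODIFY|/srv/shares/finance/q2.xlsx
2024-05-04T02:10:03|WS-017|jdoe|RENAME|/srv/shares/finance/q2.xlsx.locked
2024-05-04T02:10:04|WS-017|jdoe|MODIFY|/srv/shares/finance/budget.docx
2024-05-04T02:10:05|WS-017|jdoe|RENAME|/srv/shares/finance/budget.docx.locked
2024-05-04T02:10:06|WS-017|jdoe|READ|/srv/shares/finance/_canary_passwords.xlsx
2024-05-04T09:15:00|WS-003|asmith|MODIFY|/srv/shares/hr/policy.docx
2024-05-04T09:41:12|WS-003|asmith|MODIFY|/srv/shares/hr/onboarding.docx
"""

# Hypothetical decoy file planted on the share: nobody has a legitimate reason
# to open it, so any access at all is an alert.
CANARY_PATHS = {"/srv/shares/finance/_canary_passwords.xlsx"}

# Tunable thresholds (assumptions, not values from the assessment): more than
# MASS_CHANGE_THRESHOLD writes/renames/deletes from one host inside WINDOW is
# treated as possible mass encryption in progress.
MASS_CHANGE_THRESHOLD = 5
WINDOW = timedelta(seconds=60)
CHANGE_ACTIONS = {"MODIFY", "RENAME", "DELETE"}


def parse_events(text):
    """Parse the pipe-separated event lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, action, path = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "action": action, "path": path})
    return events


def detect(events):
    """Return (host, alert_type, detail) tuples; each host is flagged at most once per rule."""
    alerts = []
    recent = defaultdict(deque)   # host -> timestamps of change events inside the window
    mass_flagged, canary_flagged = set(), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        host = ev["host"]
        # Rule 1: canary file touched (read, write or rename: any action counts).
        if ev["path"] in CANARY_PATHS and host not in canary_flagged:
            canary_flagged.add(host)
            alerts.append((host, "CANARY_ACCESS", f"{ev['user']} {ev['action']} {ev['path']}"))
        # Rule 2: burst of file changes from one host within the sliding window.
        if ev["action"] in CHANGE_ACTIONS:
            window = recent[host]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > WINDOW:
                window.popleft()
            if len(window) > MASS_CHANGE_THRESHOLD and host not in mass_flagged:
                mass_flagged.add(host)
                alerts.append((host, "MASS_FILE_CHANGE",
                               f"{len(window)} changes within {int(WINDOW.total_seconds())}s"))
    return alerts


if __name__ == "__main__":
    for host, kind, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT {kind} on {host}: {detail}")
```

On the sample data, WS-017 trips the mass-change rule on its sixth change inside a minute and then the canary rule one second later, while WS-003's two edits spread over half an hour stay silent. In production the same logic would be fed by the SIEM rather than a string, and the canary rule is the one to act on without hesitation: a decoy file has no legitimate readers, so a hit has essentially no false-positive cost.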
Response & Recovery
The difference between paying a ransom and recovering successfully depends on your preparation. The third step assesses whether you can actually recover when things go wrong:
- Ransomware-specific IR plan — a generic incident response plan is not sufficient. Ransomware requires specific decisions: whether or not to pay, communication with attackers, isolation strategy, and order of recovery.
- IR team — a predefined team (internal or external) with clear roles and mandates. During a crisis, there is no time to figure out who does what.
- Communication plan — internal and external communication during and after an attack. Who informs employees? Who communicates with customers, the press, and regulators?
- Legal and insurance — pre-arranged contact with a specialized law firm and the cyber insurer. During an incident, hours count, not days.
- Offline data copy — a copy of critical data that is not accessible via the network. This is the ultimate protection against ransomware that targets backup systems.
- Recovery test — the only way to know if your backup actually works is to test it. Organizations that regularly perform recovery tests recover on average five times faster.
Finally, you specify your Recovery Time Objective (RTO): the maximum acceptable downtime. The options range from less than 4 hours to more than a week. The assessment evaluates whether your current measures are realistic enough to meet your RTO.
What results do you receive?
After completing the three steps, the assessment generates a comprehensive result:
- Readiness score (0-100) — an overall score that reflects your general ransomware resilience. Scores below 40 indicate high risk, 40-70 is average, and above 70 indicates good preparedness.
- Category scores per domain — individual scores for backup, prevention, detection, response, and recovery. This shows where you are strong and where the biggest gaps are.
- Estimated downtime impact — based on your measures and RTO, the assessment estimates the expected recovery time in the event of an attack, including the financial impact of that downtime.
- Concrete recommendations — a prioritized list of improvements based on your weakest categories. Each recommendation is linked to the expected impact on your readiness score.
The results are immediately actionable for identifying weaknesses in your defense and prioritizing investments. Share the report with your IT team or management to build support for improvements.
The free report
- Overall readiness score with classification
- Category scores for backup, prevention, detection, response, and recovery
- Top 3 strengths and top 3 areas for improvement
- Prioritized advice based on your weakest category
- Suitable for sharing with your IT team or management
The free report provides a clear overview of your ransomware resilience. You receive the overall score, a breakdown by domain, and concrete recommendations that you can discuss directly with your team. The report is deliberately kept concise so that it is also accessible to non-technical decision-makers. Use it as a starting point for a conversation about ransomware preparedness.
The premium report (€ 79,-)
- Detailed analysis of 6 categories: prevention, detection, backup, incident response, business continuity, and recovery
- Ransomware-specific IR decision tree: step by step through the critical decisions
- Backup evaluation: is your strategy truly ransomware-proof according to the 3-2-1 standard?
- Financial impact analysis: estimated costs in the event of an attack based on your profile
- Sector comparison with Sophos and Coveware data
- Concrete recovery plan with timeline and responsibilities
- 15-30 page report, directly usable for management and auditors
The premium report transforms the assessment results into a complete ransomware defense plan. The analysis goes deeper than the six categories of the free report: each measure is individually evaluated with an explanation of why it is important and what the risk is if it is missing.
The ransomware-specific IR decision tree guides you through the critical decisions during an attack: when do you isolate systems? How do you communicate with the attacker (if that is even advisable)? Which systems do you restore first? Should you involve law enforcement? This decision tree is based on best practices from incident response teams that handle ransomware incidents on a daily basis.
The backup evaluation tests your strategy specifically for ransomware resilience. Many organizations have backups that are technically correct but cannot withstand modern ransomware that specifically targets backup systems. The report assesses whether your backups are immutable, whether they are stored offline or air-gapped, and whether your recovery procedure has actually been tested under realistic conditions.
The financial impact analysis calculates the expected costs in the event of an attack: direct costs (incident response, forensic investigation, recovery), indirect costs (productivity loss, revenue loss), and long-term costs (reputational damage, customer attrition). The sector comparison based on Sophos and Coveware data shows how you score compared to similar organizations in your industry.
Free vs. premium
| Component | Free | Premium |
|---|---|---|
| Overall readiness score | Yes | Yes |
| Category scores per domain | Yes | Yes |
| Top areas for improvement | Yes | Yes |
| Estimated downtime impact | Yes | Yes |
| Analysis of 6 categories with individual measures | No | Yes |
| Ransomware IR decision tree | No | Yes |
| Backup evaluation (3-2-1 test) | No | Yes |
| Financial impact analysis in case of attack | No | Yes |
| Sector comparison (Sophos/Coveware) | No | Yes |
| Concrete recovery plan with timeline | No | Yes |
| 15-30 page management report | No | Yes |
Frequently Asked Questions
How likely is a ransomware attack?
According to the Sophos State of Ransomware Report, more than 60% of organizations worldwide are affected by ransomware. SMBs are increasingly targeted: these organizations often have fewer security measures in place but still possess valuable data. The question is not whether you will be attacked, but when, and whether you will be able to recover.
Should you pay the ransom in a ransomware attack?
The advice from law enforcement, national cybersecurity agencies, and virtually all security experts is not to pay. Paying funds criminal organizations and offers no guarantee of full data recovery: according to Coveware, approximately 25% of paying organizations do not get all their data back. Moreover, paying makes you an attractive target for repeat attacks. A solid 3-2-1 backup strategy and a tested recovery plan make paying unnecessary.
What is a 3-2-1 backup strategy?
The 3-2-1 rule is the gold standard for backups: maintain at least three copies of your data, on at least two different media (for example, disk and tape or cloud), with at least one copy offsite or offline. Increasingly, this is extended to 3-2-1-1-0: an additional immutable (unchangeable) copy and zero errors in recovery testing. Immutable backups are crucial because modern ransomware specifically targets backup systems.
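The backup question in the first assessment step and the 3-2-1-1-0 rule described here reduce to a handful of checks over a backup inventory. The following added example (not the assessment's own code or data model) evaluates two constructed inventories, a tested 3-2-1-1-0 setup and the "local backups only" situation, and reports which checks fail and what closes each gap. Field names, the treatment of the production copy as one of the three copies, and the reading of "never tested" as a failed restore test are assumptions.

```python
# Constructed inventory of every copy of one critical data set (field names are
# assumptions, not the assessment's data model). The production copy counts as
# one of the three copies, which is the usual reading of the 3-2-1 rule.
TESTED_3_2_1_1_0 = [
    {"name": "primary-nas",    "media": "disk",  "offsite": False, "offline": False, "immutable": False},
    {"name": "object-storage", "media": "cloud", "offsite": True,  "offline": False, "immutable": True},
    {"name": "tape-vault",     "media": "tape",  "offsite": True,  "offline": True,  "immutable": True},
]
# The "local backups only" answer from the assessment: a second disk on the same LAN.
LOCAL_ONLY = [
    {"name": "primary-nas", "media": "disk", "offsite": False, "offline": False, "immutable": False},
    {"name": "mirror-nas",  "media": "disk", "offsite": False, "offline": False, "immutable": False},
]

# What to tell the reader for each failed check.
REMEDIATION = {
    "3_copies": "keep at least three copies of the data (production plus two backups)",
    "2_media": "spread copies over at least two media types (e.g. disk plus tape or cloud)",
    "1_offsite_or_offline": "store at least one copy offsite or offline so a network-wide compromise cannot reach it",
    "1_immutable": "add an immutable copy that ransomware with admin rights cannot alter or delete",
    "0_restore_errors": "run a full recovery test and repeat until it completes with zero errors",
}


def evaluate_backups(inventory, restore_test_errors):
    """Check an inventory against 3-2-1 and its 3-2-1-1-0 extension.

    restore_test_errors: number of errors in the most recent recovery test, or
    None if a restore has never been tested (treated as a failed check).
    """
    checks = {
        "3_copies": len(inventory) >= 3,
        "2_media": len({c["media"] for c in inventory}) >= 2,
        "1_offsite_or_offline": any(c["offsite"] or c["offline"] for c in inventory),
        "1_immutable": any(c["immutable"] for c in inventory),
        "0_restore_errors": restore_test_errors == 0,
    }
    gaps = [name for name, ok in checks.items() if not ok]
    return {
        "3-2-1": all(checks[k] for k in ("3_copies", "2_media", "1_offsite_or_offline")),
        "3-2-1-1-0": not gaps,
        "gaps": gaps,
        "recommendations": [REMEDIATION[g] for g in gaps],
    }


if __name__ == "__main__":
    for label, inv, errors in (("tested 3-2-1-1-0", TESTED_3_2_1_1_0, 0),
                               ("local only", LOCAL_ONLY, None)):
        result = evaluate_backups(inv, errors)
        print(f"{label}: 3-2-1={result['3-2-1']} 3-2-1-1-0={result['3-2-1-1-0']}")
        for rec in result["recommendations"]:
            print("  -", rec)
```

The check that matters most against current ransomware is `1_immutable`: a mirror that the same domain admin account can overwrite is not a backup in the sense the 3-2-1-1-0 rule intends. Note also that the function deliberately refuses to pass `0_restore_errors` when no test has been run, which matches the page's point that an untested backup is an unknown, not a safeguard.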
How quickly should you be able to recover after ransomware?
The average recovery time after ransomware is 21 days according to Coveware data. For most organizations, that is unacceptable. Your Recovery Time Objective (RTO) should be aligned with your business-critical processes. Organizations with tested recovery procedures and immutable backups often recover within hours to a few days. The assessment evaluates whether your measures are realistic enough to meet your desired RTO.
Does cyber insurance help with ransomware?
Cyber insurance can limit the financial impact, but is not a substitute for strong security. Insurers are imposing increasingly strict requirements: MFA, EDR, network segmentation, a tested IR plan, and adequate backups are often mandatory to even qualify for a policy. Fewer and fewer insurers cover the ransom itself. Use insurance as a safety net alongside, not instead of, technical and organizational measures.
What does ransomware downtime cost?
The cost of ransomware downtime for a mid-sized business ranges between 100,000 and 500,000 euros, excluding any ransom. This includes employee productivity loss, direct revenue loss, hiring external incident response and forensic experts, potential hardware replacement, and long-term reputational damage. Businesses in sectors with high availability requirements, such as healthcare and logistics, often see costs rise even further.
How do you protect against double extortion?
In double extortion, attackers steal your data before encrypting it and threaten to publish it if you do not pay. This means good backups alone are not sufficient. Protection requires a combination of: Data Loss Prevention (DLP) to detect unauthorized data exfiltration, network segmentation to limit lateral movement, monitoring for unusual outbound data flows, encryption of sensitive data at rest, and a communication plan in case data actually becomes public.
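The "monitoring for unusual outbound data flows" item above is the one that catches exfiltration before the ransom note arrives. As an added example, not code from the assessment, the block below baselines each host's daily egress from a constructed per-host summary and flags a host whose non-allowlisted outbound volume jumps far above its own history. The record format, the `backup-provider` allowlist, the 10x ratio and the 1 GB floor are assumptions chosen for the sample.

```python
from collections import defaultdict
from statistics import mean

# Constructed daily egress summary per host (not real flow data), one line per
# host/destination/day: "date|host|destination|bytes_out"
SAMPLE_EGRESS = """\
2024-05-04|WS-017|backup-provider|5000000000
2024-05-04|WS-017|internet|300000000
2024-05-04|WS-003|internet|260000000
2024-05-05|WS-017|backup-provider|5000000000
2024-05-05|WS-017|internet|280000000
2024-05-05|WS-003|internet|240000000
2024-05-06|WS-017|backup-provider|5000000000
2024-05-06|WS-017|internet|310000000
2024-05-06|WS-003|internet|270000000
2024-05-07|WS-017|backup-provider|5000000000
2024-05-07|WS-017|internet|290000000
2024-05-07|WS-003|internet|250000000
2024-05-08|WS-017|backup-provider|5000000000
2024-05-08|WS-017|internet|25000000000
2024-05-08|WS-003|internet|250000000
"""

# Destinations whose bulk egress is expected (assumption: the nightly backup
# target). Excluding them keeps a legitimate 5 GB/night job from inflating the
# baseline; with it included, WS-017's jump is under 6x and would go unnoticed.
ALLOWLISTED_DESTINATIONS = {"backup-provider"}

# Alert when a host's unexpected egress exceeds both an absolute floor and a
# multiple of its own baseline (tunable assumptions).
RATIO_THRESHOLD = 10.0
MIN_BYTES = 1_000_000_000


def parse_egress(text):
    """Parse "date|host|destination|bytes_out" lines into tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, host, dst, nbytes = line.split("|", 3)
        rows.append((date, host, dst, int(nbytes)))
    return rows


def detect_exfil(rows, day):
    """Compare each host's non-allowlisted egress on `day` with its mean on earlier days."""
    per_host_day = defaultdict(lambda: defaultdict(int))  # host -> date -> bytes
    for date, host, dst, nbytes in rows:
        if dst in ALLOWLISTED_DESTINATIONS:
            continue
        per_host_day[host][date] += nbytes
    alerts = []
    for host, by_day in per_host_day.items():
        today = by_day.get(day, 0)
        history = [b for d, b in by_day.items() if d < day]   # ISO dates sort as strings
        baseline = mean(history) if history else 0.0          # new host: floor only
        if today > max(RATIO_THRESHOLD * baseline, MIN_BYTES):
            alerts.append({"host": host, "bytes_today": today, "baseline": baseline,
                           "ratio": today / baseline if baseline else float("inf")})
    return alerts


if __name__ == "__main__":
    for a in detect_exfil(parse_egress(SAMPLE_EGRESS), "2024-05-08"):
        print(f"possible exfiltration from {a['host']}: {a['bytes_today'] / 1e9:.1f} GB "
              f"vs baseline {a['baseline'] / 1e9:.2f} GB/day ({a['ratio']:.0f}x)")
```

The design point is the allowlist: a per-host baseline that silently includes the backup job hides exactly the kind of spike double extortion produces, so known bulk destinations must be modelled separately. A hit here is a reason to pull the host's full flow records and DLP events immediately, since at this stage the data may already be gone but encryption usually has not started yet.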
Start the assessment
Evaluate your ransomware resilience in three steps and receive a readiness score with concrete recommendations. Completely free, no registration required.
Premium (€ 79,-): Complete defense plan
Receive a 15-30 page report with IR decision tree, backup evaluation, financial impact analysis, and concrete recovery plan.