Sample Assessment Report
Redacted for confidentiality
Service: Ransomware Resiliency
Engagement: Ransomware Preparedness Assessment
Client: Confidential Client — Healthcare Provider
Scope: 300-endpoint Windows environment, Veeam backup infrastructure, VMware vSphere (85 VMs), incident response process, ransomware response playbook
Duration: 6 business days
Reference framework: CISA Ransomware Guide
Executive Summary
UnlockSec conducted a ransomware resiliency assessment simulating a modern double-extortion ransomware attack. The simulation successfully achieved domain compromise, identified backup infrastructure accessible from domain-joined systems, and determined that full restoration from backup would take 14 days — significantly exceeding the organisation's 4-day RTO. Critical gaps include backup exposure, absent segmentation, and no tested IR playbook.
Methodology
Sample Findings
Backup Infrastructure — Domain-Accessible Veeam Credentials
Description
The Veeam Backup & Replication server is domain-joined and accessible from all workstation subnets. The Veeam service account has backup administrator privileges and its credentials are stored in LSA secrets, retrievable via Mimikatz. A ransomware operator with domain admin access can delete all backup jobs and snapshots before detonating.
Recommendation
Implement immutable backups using Veeam's hardened Linux repository with one-time credentials. Air-gap at least one backup copy (offline tape or isolated cloud storage). Remove the Veeam server from the domain and use local accounts only.
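The following is an added example, not part of the report or of Veeam's tooling. It encodes the survivability question behind this finding as a check over a backup-copy inventory: which copies a domain-admin-level attacker could delete, and whether at least one immutable or offline copy remains. The two inventories are constructed to mirror the as-found state (domain-joined Veeam repository plus vSphere snapshots) and the recommended state (hardened Linux repository on local accounts, offline tape).

```python
"""Backup-copy survivability check for the Veeam finding (added example, not
part of the report). Each copy is described by where it lives and whether a
domain-admin-level attacker could reach and delete it. Inventories below are
constructed to mirror the as-found state and the recommended state."""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    name: str
    media: str                        # "disk", "tape" or "cloud"
    offsite: bool
    immutable: bool                   # e.g. hardened Linux repository with immutability enabled
    offline: bool                     # air-gapped / disconnected between backup runs
    domain_credentials_suffice: bool  # reachable and manageable with domain accounts


def deletable_by_domain_admin(copy):
    """A copy is lost in a domain compromise if domain credentials manage it
    and nothing (immutability, air gap) stops deletion."""
    return copy.domain_credentials_suffice and not (copy.immutable or copy.offline)


def assess(copies):
    """Return which copies are exposed, which survive, and structural gaps
    (no surviving copy, single media type, nothing offsite)."""
    exposed = [c.name for c in copies if deletable_by_domain_admin(c)]
    survivors = [c.name for c in copies if not deletable_by_domain_admin(c)]
    gaps = []
    if not survivors:
        gaps.append("every copy is deletable with domain admin rights")
    if len({c.media for c in copies}) < 2:
        gaps.append("all copies on a single media type")
    if not any(c.offsite for c in copies):
        gaps.append("no offsite copy")
    return {"exposed": exposed, "survivors": survivors, "gaps": gaps}


# Constructed: as found, both copies are manageable with domain credentials.
AS_FOUND = [
    BackupCopy("veeam-primary-repo", "disk", False, False, False, True),
    BackupCopy("vsphere-snapshots", "disk", False, False, False, True),
]

# Constructed: recommended state keeps the primary repo but adds a hardened
# Linux repository (local accounts only) and an offsite, offline tape copy.
RECOMMENDED = AS_FOUND[:1] + [
    BackupCopy("hardened-linux-repo", "disk", False, True, False, False),
    BackupCopy("offline-tape", "tape", True, False, True, False),
]

if __name__ == "__main__":
    print("as found:   ", assess(AS_FOUND))
    print("recommended:", assess(RECOMMENDED))
```

The primary repository stays exposed in the recommended state; the point of the check is that at least one copy survives a domain compromise, which is what the immutable and air-gapped copies provide.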
No Network Segmentation — Ransomware Propagation Path
Description
All 300 endpoints and 85 VMs reside in a flat /16 network. There are no internal firewall rules restricting east-west traffic. Simulated ransomware propagation from a single compromised workstation reached all accessible systems within 4 hours using SMB and WMI lateral movement.
Recommendation
Implement network micro-segmentation separating clinical systems, administrative workstations, and backup infrastructure. Apply host-based firewall rules blocking SMB (445) and WMI between workstations. Deploy a zero-trust network access solution for clinical device connectivity.
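As an added example (not part of the report and not output of any tool used in the engagement), the model below estimates the east-west blast radius before and after segmentation. Hosts are grouped into constructed segments matching the scope (300 endpoints, 85 VMs), and a policy function states which lateral-movement ports are permitted between segments; a breadth-first search then counts how many hosts a single compromised workstation could reach. The segment names, counts and rules are assumptions.

```python
"""East-west blast-radius model for the segmentation finding (added example,
not part of the report). Hosts and the segment policy are constructed to
match the scope: 300 endpoints and 85 VMs. The model only asks which hosts a
compromised workstation could reach over the lateral-movement ports named in
the finding; it performs no network activity."""
from collections import deque

LATERAL_PORTS = {445, 135}   # SMB and WMI/DCOM, the protocols the simulation used


def build_inventory(counts):
    """counts: {segment: host_count} -> list of (host, segment) tuples."""
    return [(f"{seg}-{i:03d}", seg) for seg, n in counts.items() for i in range(n)]


def reachable(hosts, allowed, start):
    """Breadth-first search over hosts. An edge src -> dst exists when the
    policy allows any lateral-movement port from src's segment to dst's
    segment. Returns the set of hosts reachable from start, excluding start."""
    seg_of = dict(hosts)
    by_seg = {}
    for host, seg in hosts:
        by_seg.setdefault(seg, []).append(host)
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for seg, members in by_seg.items():
            if any(allowed(seg_of[cur], seg, port) for port in LATERAL_PORTS):
                for host in members:
                    if host not in seen:
                        seen.add(host)
                        queue.append(host)
    return seen - {start}


# Constructed segments: 250 admin workstations + 50 clinical endpoints = 300
# endpoints; 80 application servers + 5 backup hosts = 85 VMs.
INVENTORY = build_inventory({"admin-ws": 250, "clinical": 50, "servers": 80, "backup": 5})


def flat_policy(src_seg, dst_seg, port):
    """As found: flat /16, no east-west filtering at all."""
    return True


# Assumed post-segmentation rules: workstations reach server file shares only,
# servers still talk to each other; clinical and backup accept no lateral ports.
SEGMENTED_RULES = {
    ("admin-ws", "servers"): {445},
    ("servers", "servers"): {445, 135},
}


def segmented_policy(src_seg, dst_seg, port):
    """After the recommendation: host firewalls block SMB/WMI between
    workstations; anything not explicitly listed is denied."""
    return port in SEGMENTED_RULES.get((src_seg, dst_seg), set())


def blast_radius(policy, start="admin-ws-000"):
    """Number of hosts reachable from one compromised workstation."""
    return len(reachable(INVENTORY, policy, start))


if __name__ == "__main__":
    print("flat:", blast_radius(flat_policy), "segmented:", blast_radius(segmented_policy))
```

With the flat policy every other host (384) is reachable from one workstation, which is the condition the simulation exploited; with the assumed rules the same workstation reaches only the 80 application servers, and the clinical and backup segments are unreachable. The residual server-to-server exposure is deliberate in the model, since it is the next thing a segmentation design has to address.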
Incident Response — No Tested Playbook, Out-of-Band Communication Absent
Description
The organisation does not have a documented ransomware incident response playbook. Tabletop exercise revealed that in the event of email system encryption, there is no alternative communication channel for the incident response team. Key IR contacts (legal counsel, cyber insurer, law enforcement liaison) are stored only in the encrypted email system.
Recommendation
Develop and rehearse a ransomware-specific IR playbook quarterly. Establish an out-of-band communication channel (Signal group, satellite phone roster). Maintain a printed emergency contact card with IR retainer, insurer, and legal contacts.
RTO Gap — Backup Restoration Takes 14 Days vs 4-Day Target
Description
A full restoration test of the 14TB VMware environment from Veeam backups took 14 days to complete — 3.5x the stated 4-day Recovery Time Objective. This gap was unknown to the IT team as restoration tests have not been performed in over 2 years.
Recommendation
Conduct full restoration tests at least annually. Implement instant VM recovery capabilities for critical systems. Prioritise recovery runbooks by system criticality — clinical systems before administrative. Invest in higher-bandwidth backup infrastructure to meet RTO.
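The calculation below is an added example, not part of the report. It reproduces the finding's figures (14 TB restored in 14 days against a 4-day RTO) to derive the measured and required restore throughput, then shows the effect of the criticality-ordered runbook the recommendation calls for: restoring tier 1 (clinical) systems first at the same throughput. The VM names, sizes and tier assignments are constructed.

```python
"""RTO gap analysis with criticality-tiered restoration (added example, not
from the report). Figures reproduce the finding: 14 TB restored in 14 days
against a 4-day RTO. The VM sizes and tiers below are constructed."""

TB = 1000 ** 4      # decimal terabyte, as capacity is usually quoted
DAY = 86_400        # seconds


def throughput_bps(total_bytes, elapsed_seconds):
    """Effective end-to-end restore rate in bytes per second."""
    return total_bytes / elapsed_seconds


def rto_gap(total_bytes, measured_days, rto_days):
    """Return (measured_rate, required_rate, factor): the rate observed, the
    rate needed to meet the RTO, and how many times the RTO was exceeded."""
    measured = throughput_bps(total_bytes, measured_days * DAY)
    required = throughput_bps(total_bytes, rto_days * DAY)
    return measured, required, measured_days / rto_days


def tiered_plan(vms, rate_bps):
    """Restore VMs sequentially in ascending tier order (tier 1 = clinical).
    Returns {tier: day on which the last VM of that tier is restored}."""
    elapsed = 0.0
    done = {}
    for name, tier, size in sorted(vms, key=lambda v: v[1]):
        elapsed += size / rate_bps
        done[tier] = elapsed / DAY
    return done


# Constructed VM inventory: 14 TB total, 2 TB clinical, 4 TB administrative,
# 8 TB low-priority (dev/test and archive shares).
VMS = [
    ("ehr-db", 1, 1.2 * TB), ("pacs-archive", 1, 0.6 * TB), ("lab-interface", 1, 0.2 * TB),
    ("mail", 2, 1.5 * TB), ("file-server", 2, 2.0 * TB), ("erp", 2, 0.5 * TB),
    ("dev-test", 3, 3.0 * TB), ("archive-shares", 3, 5.0 * TB),
]


def summary(total_bytes=14 * TB, measured_days=14, rto_days=4):
    """Gap figures plus the tier completion days at the measured rate."""
    measured, required, factor = rto_gap(total_bytes, measured_days, rto_days)
    return {
        "measured_MBps": measured / 1e6,
        "required_MBps": required / 1e6,
        "factor": factor,
        "tier_done_days": tiered_plan(VMS, measured),
    }


if __name__ == "__main__":
    print(summary())
```

At the measured rate of roughly 11.6 MB/s the whole estate takes 14 days, but the 2 TB of clinical systems are back on day 2, inside the 4-day RTO; meeting the RTO for everything would need about 40.5 MB/s end to end, which is the figure to size new backup infrastructure against.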
* Showing 4 of 29 total findings. Full report provided upon engagement.
Risk Summary
Deliverables Included
- Ransomware kill-chain simulation report
- Backup architecture resiliency assessment
- RTO/RPO gap analysis
- Incident response playbook template
- Prioritised hardening roadmap (immediate / 30 / 90 day actions)
Ready for a real assessment?
Get a tailored Ransomware Resiliency engagement led by certified operators with unlimited retests.