Ransomware Assessment & “Probability”

Purpose

This report provides a consulting-grade ransomware susceptibility model:

deterministic base scoring (Likelihood + Impact → RiskIndex)
an interpretive “probability band” (communication aid, not a forecast)
ranking by asset group
a what-if controls modal (self-attested controls) that recalculates adjusted risk

Output

Per scan: output/<scan_name>/ransomware.html

Optional model artifact (only when metadata export is enabled):

output/<scan_name>/ransomware_model.json

Model JSON is written when notifications.include_run_metadata: true.

How to generate

CLI:

miyabi-qualys-ai-triage-pack run --config config/config.yaml

Configuration

Enable/disable:

reports.ransomware.enabled: true|false

Grouping:

reports.ransomware.grouping.enabled
reports.ransomware.grouping.grouping_mode (e.g., rules_then_prefix)
reports.ransomware.grouping.asset_groups_path (default: asset_groups.json)
reports.ransomware.grouping.prefix_regex
reports.ransomware.grouping.fallback_group_id

Controls catalog:

reports.ransomware.controls.catalog_path (default: data/ransomware_controls.json)
reports.ransomware.controls.allow_target_posture_preset

Scoring:

reports.ransomware.scoring.top_m_aggregates
reports.ransomware.scoring.w_likelihood
reports.ransomware.scoring.w_impact
reports.ransomware.scoring.tls_exposure_multiplier
reports.ransomware.scoring.probability_bands

UI:

reports.ransomware.ui.enable_controls_modal
reports.ransomware.ui.top_groups
reports.ransomware.ui.top_drivers_per_group
reports.ransomware.ui.max_rows_render

Optional redaction:

reports.ransomware.redaction.enabled
reports.ransomware.redaction.fields

Optional LLM narrative (guardrailed / JSON-only):

reports.ransomware.llm.enabled
reports.ransomware.llm.model
reports.ransomware.llm.max_groups_for_llm
reports.ransomware.llm.max_drivers_for_llm
reports.ransomware.llm.strict_json_only

Data sources (Qualys CSV fields)

Primary drivers are derived from:

Severity, Exploitability, Port, Protocol, SSL
asset identifiers: FQDN/DNS/NetBIOS/IP (used for grouping)
lifecycle hints where present (to add context for modernization-driven exposure)

What “probability” means here

Interpretation of the “probability” band

The report’s percentage is an interpretive band mapped from a deterministic RiskIndex. It is not a statistical forecast of real-world ransomware events.

PreviousVulnerabilities × MITRE ATT&CK NextEULA

hashtagPurpose

hashtagOutput

hashtagHow to generate

hashtagConfiguration

hashtagData sources (Qualys CSV fields)

hashtagWhat “probability” means here