Everybody is talking about ransomware, but no one knows exactly what to do about it, according to Qualys CEO Sumedh Thakar.

The cybersecurity vendor says it has an answer, based on analysis from Qualys researchers, in the form of a ransomware risk assessment and remediation service. And it’s giving it away for free.

“CISA and NIST and everybody’s giving very high-level guidance on ransomware,” he said. And the guidance basically boils down to fix everything. “But they don’t say what is everything? And even if customers were to fix everything, it’s too much. It’s about real risk mitigation, and how do we figure out what are the different methods that are used by ransomware attackers to get into environments.”

So Qualys researched guidance from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the National Institute of Standards and Technology (NIST), along with Mandiant’s best practices, to help companies analyze their own risk exposure.

“We also looked at all the top ransomware attacks in the last five years and narrowed down the key vulnerabilities and misconfigurations and software that is exploited to get into the network,” Thakar said.

Qualys Researchers Analyze 5 Years of Ransomware Attacks

The Qualys team analyzed the leaked Conti Ransomware Playbook, high-profile attacks such as Colonial Pipeline, ransomware gangs including REvil, and strains including DarkSide. “And we collated all of that to provide customers something that is actionable,” Thakar said.

After studying these major attacks, Qualys determined that the 36 most prevalent ransomware families exploited about 110 common vulnerabilities and exposures (CVEs), all of which have had patches available for several years.

This information gives CISOs something they can measure, Thakar added. “Now a CISO can go to the board and say, ‘the stuff that we know that are commonly being used and exploited we are 90% fixed, or 80% fixed, or we were at 60% and now we are at 99% fixed.’”
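How such a "% fixed" figure and a prioritized remediation list can be derived from a curated list of ransomware-linked CVEs and per-host scan results, as an added example that is not Qualys code; every family name, host name and CVE id below is a constructed placeholder, and the metric is assumed to be measured over (host, tracked CVE) pairs.

```python
"""Added example, not from the article or from Qualys: coverage metric and
priority ranking against a curated ransomware-linked CVE list.

All CVE ids, family names and host names are constructed placeholders."""
from collections import Counter

# Constructed: which tracked ransomware families exploit which CVEs.
# Placeholder ids; substitute the list your own research produces.
FAMILY_CVES = {
    "FamilyA": {"CVE-0000-0001", "CVE-0000-0002"},
    "FamilyB": {"CVE-0000-0001", "CVE-0000-0003"},
    "FamilyC": {"CVE-0000-0002"},
}

# Constructed scan results: CVEs still detected (unpatched) on each host.
OPEN_FINDINGS = {
    "host-1": {"CVE-0000-0001"},
    "host-2": set(),
    "host-3": {"CVE-0000-0002", "CVE-0000-0003"},
}


def tracked_cves(family_cves):
    """Every CVE exploited by at least one tracked family."""
    return set().union(*family_cves.values())


def prioritize(family_cves, open_findings):
    """Rank still-open tracked CVEs by how many families exploit them, then by
    how many hosts still expose them. Returns [(cve, n_families, n_hosts)]."""
    tracked = tracked_cves(family_cves)
    family_count = Counter(c for cves in family_cves.values() for c in cves)
    host_count = Counter(c for cves in open_findings.values() for c in cves & tracked)
    return sorted(((c, family_count[c], host_count[c]) for c in host_count),
                  key=lambda t: (-t[1], -t[2], t[0]))


def percent_fixed(family_cves, open_findings):
    """Board metric: share of (host, tracked CVE) pairs already remediated."""
    tracked = tracked_cves(family_cves)
    total = len(tracked) * len(open_findings)
    if total == 0:
        return 100.0  # nothing tracked or no hosts: nothing left to fix
    still_open = sum(len(cves & tracked) for cves in open_findings.values())
    return round(100 * (total - still_open) / total, 1)


if __name__ == "__main__":
    print(f"{percent_fixed(FAMILY_CVES, OPEN_FINDINGS)}% fixed")
    for cve, n_fam, n_hosts in prioritize(FAMILY_CVES, OPEN_FINDINGS):
        print(f"{cve}: used by {n_fam} families, open on {n_hosts} hosts")
```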

Measurable Risk Assessment and Remediation

Meanwhile, Qualys continually monitors for new vulnerabilities and attack methods and updates companies’ risk scores accordingly.

Based on this research, Qualys developed its Ransomware Risk Assessment Service, which helps organizations identify and prioritize the vulnerabilities that expose them to ransomware attacks, and then remediate those flaws.

The service maps these vulnerabilities to available patches, which can also be directly deployed without requiring additional tools. “One of the unique things that we bring from a platform perspective is we’re not just reporting on CVEs, we actually have the ability to use the same agent to also fix and patch,” Thakar said.

The service is free for 60 days. “That’s enough time for somebody to use this not just as a gimmick,” he said. “You can actually make a real impact on your environment within the 60 days by fixing these vulnerabilities.”

After the 60 days end, organizations can pay for the service, which includes Qualys’ continual monitoring for new ransomware strains and vulnerabilities.

Customers can combine this ransomware prevention service with Qualys’ Zero-Touch Patching, which provides proactive vulnerability remediation.

“You can write a rule that says as soon as Adobe releases a patch, patch my system,” Thakar explained. “So now we can create this interesting workflow, which says that as soon as Qualys researchers say that we have noticed this particular vulnerability is being leveraged in ransomware attacks, then we will automatically push the Qualys agent to patch that vulnerability. So you are getting that mitigation in an automated way.”