It’s hard to believe, but ransomware is over three decades old. While many would think the ransomware mayhem started with the 2017 WannaCry attack, this is simply the most high-profile example. Since then, dozens of ransomware strains have been used in various cyberattacks.
According to a PhishLabs report, by HelpSystems, ransomware attacks are increasing by more than 100% year over year. The report further states that ransomware operators are vandalizing crucial systems and releasing record volumes of stolen data, and that businesses victimized by an attack often feel powerless to find a solution as the threat itself is constantly evolving. The price of ransomware attacks is also on the rise, with the average ransom demand reaching $220,298 in 2021 and associated recovery costs averaging $1.8 million.
For example, oil company Colonial Pipeline was attacked in May 2021 by ransomware cybercriminals. As a result, from rising fuel prices at the pump to the specter of a global gas shortage and inflation, the United States was in a serious dilemma. Why? The answer was ransomware.
Security against ransomware threats is of paramount importance to almost all information security teams. It is a common and brutal threat that can have devastating consequences for the business. Yet, even if your business has robust protection, it is necessary to simulate a ransomware attack and ensure that you are actually protected. This is why a penetration test is the most useful method of confirming that security defenses and procedures are working perfectly, and if not, of rectifying them before it’s too late.
What is a penetration test?
Penetration testing is an essential part of finding and recognizing possible critical vulnerabilities within your organization’s external network, internal network, applications or systems. It also provides a useful understanding of how your business and your human resources operate.
Penetration testing is a dynamic security strategy. During a test, security professionals attempt to infiltrate or carry out a cyberattack against a system to find exploitable security flaws. In other words, penetration testing evaluates a company’s security methodologies and tools, with the goal of finding vulnerabilities in the environment. Unlike reactive security practices that spring into action when a data breach or security issue is detected, penetration testing can help uncover security issues before attackers exploit them. By thinking like an attacker, penetration testers can find security holes and weaknesses that a company would otherwise not be aware of.
Why is penetration testing essential for ransomware security?
A ransomware attack could prevent a business from operating properly, causing it to lose millions of dollars just from lost productivity. Penetration testing embraces the criminal mindset to find cybersecurity vulnerabilities before a bad actor takes advantage of them. The idea of allowing someone with a criminal mindset to seek out weaknesses in an organization supports IT managers who strive to improve standards of prevention to reduce the likelihood of such disruptive attacks. Just as a fire marshal is trained to assess the fire prevention status of a building, a penetration tester is hired to find and report exploitable weaknesses, not to disrupt the business as a proof of concept.
As technology evolves and develops, the methods used by cybercriminals also evolve. Therefore, companies must keep up with this speed to defend their assets against such attacks. They must also revise their security strategies at this rate. This is an important issue in a DevSecOps culture, in which companies execute preventive actions in the early stages of their development and operational procedures. This is known as “shift left” because it moves security to the first part of a development timeline, rather than the old method of bolting on security after the fact (which would be on the far right of the development timeline).
Still, it’s usually difficult to understand what techniques attackers are using. It’s also hard for a non-technical person to imagine how attackers could exploit them in an attack. By employing penetration testers, organizations can learn which parts of their systems are particularly vulnerable to current ransomware techniques and work to update and fix them. Fighting a ransomware incident is all about preparing for an attack.
Ransomware Penetration Testing: A Holistic Approach
Ransomware often occurs when attackers exploit vulnerabilities. To stop ransomware, it is important to recognize these vulnerabilities. Penetration testing methodology includes:
- Planning: the pentester develops a plan, specifying the scope of the test and known attack vectors to exploit.
- Reconnaissance: the pentester uses various tools to identify pathways, valuable resources, and existing vulnerabilities.
- Operation: the pentester attempts the attack, typically using a combination of social engineering, commonly known attack vectors, and emerging attack vectors.
- Study and analyze: the pentester compiles a report describing their attack, what they accomplished, possible damage to the business, vulnerabilities discovered, and suggestions for eradicating them and improving security procedures.
- Correction: the business should determine the critical findings of a penetration test and develop a plan to mitigate or correct the results.
Penetration testing also helps you understand which channels in your business are most at risk and therefore which types of new security tools you should invest in. This approach could help uncover various significant system shortcomings that you might not even have guessed.
You will notice that the work of the penetration tester stops at detection. Just as the fire marshal will not install fireproofing in a building being inspected, the penetration tester, unless explicitly stated otherwise, should not alter an environment. In fact, one of the tenets of testing is that if a tester discovers an issue that requires immediate resolution, such as detection of an active attack in progress, all testing should stop and company personnel should be informed.
How can penetration testing help?
Penetration tests are primarily created to exploit potential vulnerabilities before real attackers do, and there are many benefits to performing these tests periodically. Here are some of the top reasons to perform ransomware penetration testing:
- Identification of vulnerabilities. Penetration testing will help businesses find vulnerabilities that might otherwise remain invisible.
- Cyber defense tests. You will also get an idea of your company’s cyber defense capability, threat alert capabilities, and reaction times.
- Firewall inspection. Specifically, you will see how useful your existing firewall software and configurations are against possible attacks.
- New threats. The penetration testers you hire will typically use the latest tactics, tools, and techniques from attackers, allowing you to understand if your defenses are sufficient against creative threats.
- Regulatory conformity. Penetration testing typically helps your cyber defenses comply with regulations pertaining to your industry or business practices.
- Downtime reduction. When an attack occurs, penetration testing ensures that your security teams understand exactly how to react to restore the system to a normal state as quickly as possible.
- Prioritization of risks. After running a penetration test, you will have a better understanding of the risks to corporate data and systems and how to prioritize your resources to reduce those risks.
Let’s take a closer look at how a penetration tester can run a ransomware exposure test. The following examples are just a few of the possible attack cases, and penetration testing will inherently use innovative approaches to demonstrate various exploits.
The end goal of the penetration tester is to infiltrate the company, simulate the deployment of ransomware and delineate the affected target.
Some attack vectors
The pentester will typically attempt to infiltrate the target system using one of the following attack vectors:
- Phishing email: the pentester can design an email linked to a mock website or include a weaponized attachment. The pentester will try to trick at least one administrative employee into clicking on the link or attachment to demonstrate their susceptibility.
- Remote Desktop Protocol (RDP): if the company uses RDP or an equivalent remote access protocol, the pentester can compromise a user’s RDP login data and use it to gain remote access to a machine on the company’s network. The pentester can then run a harmless program to show that executing the file would be possible.
- Immediate infection: some ransomware can spread directly to vulnerable machines. For example, WannaCry used an SMB vulnerability in older versions of Windows. The pentester can monitor machines on the network, recognize which ones have the vulnerability, and use it to show that the machine might be a target for ransomware.
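For the RDP vector above, the defending team's side of the test is confirming that such a logon actually raises an alert. The following is an added example, not part of the original article: a small Python detection run over constructed records shaped like Windows Security events 4624/4625. The field names, sample hosts, thresholds and the KNOWN_SOURCES baseline are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security event IDs: 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive (RDP); failed RDP attempts often appear as
# type 3 (Network) when Network Level Authentication is enabled.
RDP_LOGON_TYPES = {3, 10}

def _ev(ts, event_id, logon_type, user, ip):
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "logon_type": logon_type, "user": user, "ip": ip}

# Constructed sample data (documentation IP ranges, invented accounts).
SAMPLE_EVENTS = (
    [_ev(f"2024-01-10T02:00:{s:02d}", 4625, 3, "svc-backup", "203.0.113.7")
     for s in range(0, 60, 10)]                       # six failures in one minute
    + [_ev("2024-01-10T02:01:30", 4624, 10, "svc-backup", "203.0.113.7"),
       _ev("2024-01-10T09:00:00", 4624, 10, "alice", "10.0.5.20"),
       _ev("2024-01-10T09:05:00", 4624, 10, "bob", "198.51.100.9"),
       _ev("2024-01-10T09:06:00", 4625, 2, "bob", "10.0.5.21")]  # console, ignored
)
# Assumed baseline: source addresses each account normally connects from.
KNOWN_SOURCES = {"alice": {"10.0.5.20"}, "bob": {"10.0.5.21"},
                 "svc-backup": {"10.0.5.30"}}

def rdp_alerts(events, known_sources, threshold=5, window=timedelta(minutes=10)):
    """Return (user, ip, reason) for each suspicious successful RDP logon."""
    failures = defaultdict(deque)      # source ip -> times of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        recent = failures[ev["ip"]]
        while recent and ev["time"] - recent[0] > window:
            recent.popleft()           # drop failures older than the window
        if ev["event_id"] == 4625:
            recent.append(ev["time"])
        elif ev["event_id"] == 4624 and ev["logon_type"] == 10:
            if len(recent) >= threshold:
                alerts.append((ev["user"], ev["ip"], "success after failure burst"))
            elif ev["ip"] not in known_sources.get(ev["user"], set()):
                alerts.append((ev["user"], ev["ip"], "new source for account"))
    return alerts

if __name__ == "__main__":
    for alert in rdp_alerts(SAMPLE_EVENTS, KNOWN_SOURCES):
        print(alert)
```

If the tester's RDP logon during an engagement produces neither alert in your real pipeline, that gap belongs in the findings alongside the access itself.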
Every company should incorporate penetration testing into their security strategy. Working closely with a penetration testing partner will help you streamline the procedure, effectively identify vulnerabilities, and offer guidance in implementing risk mitigation technologies against ransomware attacks. Using an external penetration testing organization also adds more reliable objectivity to the test.
About the Author: Prasanna Peshkar is a cybersecurity researcher, educator, and cybersecurity technical content writer. He is interested in performing audits by assessing threats and vulnerabilities in web applications. He is interested in new attack methodologies, tools and frameworks. He also spends time researching new vulnerabilities and understanding emerging cybersecurity threats in blockchain technology.
Editor’s note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc.