Penetration testing

Ransomware penetration testing: Verifying your ransomware readiness

Gilad Maayan
March 31, 2022 by
Gilad Maayan

Ransomware is a top priority for almost all information security teams. It is a common, severe threat that can have devastating consequences for the organization. However, even if your organization has defenses in place, it is critical to simulate a ransomware attack and ensure that you really are protected. A penetration test is the best way to verify that defenses and security processes are working correctly — and if not, which is often the case, remediate them before it is too late.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

What is penetration testing?

Penetration testing is an active security method. Security experts known as ethical hackers attempt cyberattacks against a system to discover and fix security weaknesses. Penetration tests evaluate an organization's security processes and tools and discover vulnerabilities in underlying infrastructure. 

Unlike reactive security techniques that come into action when a breach or security issue is discovered, penetration testing can help discover security issues and remediate them before threats exploit them. By thinking like an attacker, penetration testers can discover security gaps and flaws that an organization would otherwise not be aware of.

Why is pentesting necessary for ransomware defense?

A ransomware attack could prevent an organization from accessing the devices, data, servers and networks it depends on to carry out business. Such an attack could cause a loss in revenue of millions of dollars. 

Pentesting adopts the hacker perspective to discover and mitigate cybersecurity weaknesses before taking advantage of them. This process helps IT leaders implement ransomware prevention measures that decrease the likelihood of effective attacks. 

Technological innovation is a key challenge for cybersecurity. As technology grows and develops, so do the strategies used by cybercriminals. Organizations need to keep up with this pace to protect their assets and themselves from such attacks. They also need to update their security methods at this rate. This is an important part of a DevSecOps culture, in which organizations shift security left to implement preventive measures at the early stages of their development and operational processes.

However, it is generally challenging to know which strategies attackers are using. It's also difficult to predict how attackers could use them in an attack. Organizations can effectively and quickly update, identify and replace aspects of their systems that are particularly vulnerable to modern ransomware techniques by using adept ethical hackers. 

Withstanding a ransomware incident comes down to how to prepare before the attack. You need to establish a tight backup strategy. Then, analyze your vulnerabilities via penetration testing. And then test recovery procedures to familiarize and prepare your team with your recovery plans and defense systems. 

Here are the key reasons for testing your ransomware defenses: 

  • Shifting threats: cybersecurity threats are changing and evolving. Periodically evaluating potential weaknesses and testing your recovery practices help you deal with unforeseen events. 
  • Compliance: Some industries need to provide proof of recovery testing and vulnerability assessment to meet regulations.
  • Establishing a culture of preparedness: familiarizing your employees with testing and recovery processes prepares them if the real event occurs. They will know precisely what to do in real-time. 
  • Prioritizing budgets: discovering potential vulnerabilities and threats helps your team prioritize spending related to mission-crucial endeavors to secure your organization. 

Ransomware penetration testing: A general process

Ransomware often occurs as a result of attackers exploiting vulnerabilities. To prevent ransomware, it is essential to identify those vulnerabilities. A penetration tester acts like a ransomware attacker, looking for paths that would enable outsiders to plant a ransomware threat.

A ransomware penetration testing process should include these steps:

  1. Planning: the pentester creates a plan, identifying the scope of the test and the general attack vectors she plans to use.
  2. Reconnaissance: the pentester uses scanning tools to identify entry paths, valuable resources and existing vulnerabilities.
  3. Exploitation: the pentester attempts their attack, typically using a combination of social engineering, known attack vectors described by OWASP and MITRE ATT&CK, and novel attack vectors.
  4. Review and analyze: the pentester creates a report explaining their attack, what they achieved, the potential damage to the organization, vulnerabilities they discovered and recommendations for remediating them and improving security processes.
  5. Remediation: the organization must identify the critical findings from a penetration test and immediately resolve security weaknesses.

Walkthrough of a ransomware penetration test

Let's take a closer look at how a penetration tester might conduct a test for ransomware vulnerabilities. Of course, this can only cover a few attack possibilities, and actual penetration tests will naturally use creative variations.

The end goal of the pentester is to penetrate the target system, deploy ransomware, and demonstrate that it can encrypt sensitive files.

Infection and distribution vectors

The pentester will typically attempt to penetrate the target system using one of the following infection vectors:

  • Phishing email: the pentester can create an email linked to a malicious website or containing a malicious attachment. Bad actors will attempt to trick at least one organizational user to open the link or attachment and compromise their device.
  • Remote Desktop Protocol (RDP): if the organization uses RDP or a similar remote access protocol, the pentester can compromise a user's RDP login credentials and use them to gain remote access to a computer in the corporate network. The pentester can download and execute ransomware directly on the machine using this access.
  • Direct infection: some ransomware can spread directly to vulnerable systems. For example, WannaCry exploited an SMB vulnerability in older versions of Windows. The pentester can scan systems on the network, identify those with the vulnerability, and use it to infect them with ransomware. 

Lateral movement

After infecting at least one system in the corporate network, the pentester should try to move laterally to additional systems:

  • Employee workstations will typically be connected to file servers, email servers, cloud systems etc. The pentester should attempt to access those connected systems to deploy the ransomware.
  • Web servers will have access to various back-end systems such as databases. The pentester should attempt to deploy the ransomware on any back-end systems.
  • In general, the pentester will perform internal port scanning, identify any system they can access from the compromised device, and deploy ransomware.

Privilege escalation

The pentester should now attempt to gain higher privileges on the current device, account, or additional compromised entities. Through social engineering, exploiting vulnerabilities or weak authentication systems, it may be possible to gain root access to a sensitive system, admin access to the network, or even superuser access. In this case, the pentester can deploy ransomware on the entire network.

Data encryption and ransom demand

In a penetration test, the goal is to perform the attack without causing actual damage. Therefore, there can be several approaches to demonstrating ransomware is deployed successfully without damaging sensitive files:

  • The pentester can deploy ransomware without activating it
  • The organization can prepare dummy files in pre-specified directories, and the pentester can demonstrate a successful attack by encrypting these dummy files
  • To conduct a complete end-to-end test of a ransomware attack, the organization can safely backup files and prefer to use ransomware that has a known decryptor. However, this is risky and should be carefully planned and coordinated with the pentester.

Naturally, in a pentest, ransom will not be demanded from the organization.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

The importance of pentesting and ransomware

Simulating a realistic ransomware attack is important for a pentester's defense strategy. While an organization might have the tools and security processes, verifying they are working is critical. Any lapses in the security process must be discovered before an actual attack takes place. This is exactly what a successful penetration test can achieve.

Gilad Maayan
Gilad Maayan

Gilad David Maayan is a technology writer who has worked with over 150 technology companies including SAP, Imperva, Samsung NEXT, NetApp and Ixia, producing technical and thought leadership content that elucidates technical solutions for developers and IT leadership. Today he heads Agile SEO, the leading marketing agency in the technology industry.