Your Guide To Ransomware Penetration Testing

Overview

Ransomware has ignited crisis-level concerns for global businesses of all sizes. In recent years, the number of ransomware attacks has been exponentially increasing, and this trend is forecasted to continue over the next decade. In 2021 ransomware damages were estimated to be around $20 billion USD — an almost 60X increase above the recorded costs in 2015, and forecasted damages are expected to reach a staggering $250 billion USD by 2031. The number of ransomware attacks increased by 13 percent above 2020 and accounted for 25% of all successful cyber breaches. Although the industries most impacted by ransomware attacks were healthcare, financial services, and IT, the impact of ransomware spanned across all industries and has included national governments and critical infrastructure.

This guide includes:

The basics of Ransomware Penetration Testing
An overview of the ransomware threat environment
What does Ransomware Penetration Testing include?
What is Raas?
Double and triple ransomware extortion
What you can do to protect your data from ransomware
Cyber insurance and penetration testing
Should you pay the ransom?
Factors that influence the cost
What you can expect from a report

In response to the growing threat, new regulations for protecting consumer privacy have been enacted, and expectations for evidenced IT security compliance put pressure on organizations and impact how they manage their cybersecurity risk. The availability of cyber insurance has also seen increasing demands for evidence of continuous cybersecurity operations as a prerequisite for coverage.

Many organizations are being forced to rethink their existing IT security protections and seek out more effective and efficient ways to protect their assets and assure their operational resilience. A refactored approach should include activities that specifically test an organization's ability to withstand the ransomware threat. Simulating real-world cyber-attacks that emulate the tactics, techniques, and processes (TTP) of known ransomware threat actors provides the most reliable evidence of an organization's cybersecurity capabilities. Ransomware-specific penetration testing services determine which systems and data ransomware attacks are most likely to target and fairly evaluate an organization's ability to defend against ransomware, including its ability to recover from a successful ransomware attack.

By understanding the nature of the threat, and strategic options for strengthening defences against ransomware, leaders can make more informed decisions about whether Ransomware Penetration Testing services are appropriate for their organization.

Who Will Benefit From This Guide?

C-level executives that deal with IT security (CISOs/CSOs/VP of security)
Other high-level management (CEO/Business Owner/ Business Executive)
Managed Service Providers (MSP)
Cybersecurity Architects, Network Architects, and Network Administrators

This guide can also help to inform other IT professionals such as MSPs, IaaS, PaaS, and SaaS providers.

What Is Ransomware Penetration Testing?

Penetration testing in general is the process of simulating cyber-attacks against an organization to assure that the security controls in place are effective, uncover and mitigate any vulnerabilities residing within an environment, and provide a detailed attack narrative to properly assess an environment's cyber-resilience. Penetration testing activities are often categorized by their purpose into the following types:

Objective-based Penetration Testing - focuses on achieving a particular goal, and the most common goal is to gain access to unauthorized systems, or steal sensitive data. Objective-based Penetration Testing simulates an attack by an external threat actor by first testing the security controls that protect external attack surfaces.
Infrastructure Penetration Testing - focuses on identifying ways an attacker can move around the LAN and what sensitive data could be stolen or otherwise negatively impacted. An Infrastructure Penetration Test is more tactically focused on lateral movement, privilege escalation, and persistent command and control (C2).
Application Security Testing - focuses on web, mobile, and native desktop applications and packages to identify exploitable vulnerabilities and protect against cyber-attacks.

A Ransomware Penetration Testing includes a full penetration test as well as both technical and non-technical assessment components that gauge an organization's level of cybersecurity maturity, identify security gaps in people, processes, and technology across an organization, and test an organization's ability to respond to and recover from a ransomware attack.

Full Penetration Test - includes any applicable activities from PacketLabs' Objective-based Penetration Testing (OBPT), Infrastructure Penetration Testing (IPT), and Application Security Testing (AST) service offerings
Technical Ransomware Assessment - inspects existing IT infrastructure to uncover attack surfaces that ransomware attackers will find attractive. This includes a detailed review of on-prem network and endpoint configurations, cloud application configurations, and authentication and encryption mechanisms. The result is a list of security gaps and weaknesses that could allow ransomware to impact critical systems and data.
Non-technical Ransomware Assessment - evaluates an organization's administrative policies, controls, and risk strategy and compares them to industry standard best-practices to determine an organization's level of cybersecurity preparedness and estimate its ability to respond to and recover from a ransomware attack. The result is a list of observations and recommendations for preventing ransomware attacks.

Together, the full penetration test, technical assessment, and non-technical assessment estimate the potential impact of known TTP commonly used by ransomware threat actors and provide insight that can be directly translated into improved security policies and controls.

Why Is Ransomware Penetration Testing Important?

Ransomware is the foremost cyber-threat in the world today. Individual large enterprises have suffered financial damages well into the tens of millions of dollars and small and medium sized companies have a low survival rate with 75% expecting to go out of business after a successful attack.

Cybersecurity programs depend on security products such as malware scanners, next-gen firewalls, content proxies, network intrusion detection and prevention systems (NIDS/NIPS) and endpoint detection and response (EDR) solutions to prevent malware from entering the internal network and executing on endpoints. Ransomware Penetration Testing creates an opportunity to verify those products are configured properly to effectively defend against ransomware threat actors.

Ransomware Penetration Testing delivers irreplaceable evidence-based insight into an organization's people, processes, and technology that can be used to strengthen cyber-resilience, and ensure that it can effectively recover from a ransomware attack and achieve target recovery time objectives (RTO) and recovery point objectives (RPO) to maintain business operations indefinitely.

What Does Ransomware Penetration Testing Include?

PacketLabs' Ransomware Penetration Test includes a full penetration test, a non-technical ransomware assessment, and a technical ransomware assessment. The full penetration test can be custom configured to include any applicable elements from PacketLabs' Objective-based, Infrastructure, and Application Penetration Test service offerings. Below we will describe the non-technical ransomware assessment, and technical ransomware assessment and how they benefit an organization's security posture with respect to ransomware attacks.

Non-Technical Ransomware Assessment

The non-technical component of a Ransomware Penetration Test follows the NISTIR-8374 Ransomware Risk Management framework to evaluate an organization's preparedness according to industry standard best-practices and assesses the potential impact of a ransomware attack on the organization. The non-technical assessment benefits an organization through engagement with a qualified external third party to thoroughly evaluate whether existing policies and controls provide the level of protection required to meet an organization's risk objectives and whether they can sufficiently reduce the probability of suffering a ransomware attack and respond and recover to a successful attack if one happens.

The non-technical ransomware assessment component is comprised of administrative activities that assess the maturity of an organization's existing cybersecurity program's policies and planning:

Identify - Ensure that a complete inventory of an organization's internal and external IT assets has been assembled and that all assets have been categorized according to their operational criticality and data sensitivity. This phase also evaluates an organization's administrative policies for effective communication channels, user awareness, and appropriate disaster recovery plans that can effectively meet an organization's risk objectives.
Protect - Evaluate an organization's policies and controls to ensure that all critical systems and data are protected with appropriate IT security best-practices and determine the maturity level of an organization's ability to respond to and recover from a ransomware attack.
Detect - Evaluate an organization's policies and controls to determine if they are sufficient enough to effectively detect a ransomware attack happening within their IT environment.
Respond - Evaluate an organization's policies, controls, incident response plans (IRP) and actual abilities to determine their effectiveness against a ransomware attack including an organization's maturity of forensic capabilities, ability to contain malware, and verify that incidents are reported completely and consistently.
Recover - Evaluate an organization's policies, controls, and disaster recovery plans including backup strategy to determine their degree of maturity with respect to recovering all systems and data after a successful ransomware attack.

Technical Ransomware Assessment

The technical component of a Ransomware Penetration Test is a fair assessment of an organization's state of ransomware readiness. The technical component determines whether an attacker can gain access to a target's systems and data.

Technical assessment activities include:

Network and System Security Audit - assesses an organization's IT environment to find vulnerabilities in your systems
Critical System Hardening - verifies the implementation of secure configurations and best practices to reduce vulnerabilities within IT networks and systems, critical endpoints, and applications
OS and Application Patching - Ensuring that automatic updates are enabled for all software and hardware whenever feasible and assessing current vulnerability management and change management processes to identify security gaps and room for improvement
Authentication Attacks - Assessing authentication mechanisms by simulating a range of known authentication attacks to verify strong authentication controls (e.g. strong password policy, MFA implementation, hardening against credential attacks)
Assumed Breached Resource Assessment - Assessing the level of access an attacker could have in the company's resources in the perspective of an unauthenticated and authenticated user.
Lateral Movement Attacks - Assessing the exposure of ports and services that can be utilized to accomplish the goals of a ransomware actor.
Credential Access - Assessing the exposure of credentials that can be stolen and used to further the attacks in order to accomplish the goals of a ransomware actor.
Effectiveness of Endpoint Solutions - Assessing the effectiveness of the endpoint solution in place by testing its signature, behaviour, detective and preventive-based capabilities.
Ransomware Scenario Assessment - Illustrating the possible ransomware scenarios based upon the findings combined.

A Ransomware Penetration Test delivers a report with the findings of the Penetration Test and additional sections for the findings of the technical and non-technical ransomware specific preparedness assessments.

Click here to download a free copy of our Ransomware Prevention & Response Checklist

What Is RaaS - Ransomware As A Service?

Ransomware as a service (RaaS) is a model of criminal enterprise that involves the cooperation of two parties; ransomware operators who develop and deploy ransomware and their affiliates who select targets, gain initial access to their networks, then provide that initial access to the ransomware operator to deploy ransomware.

RaaS increases the attackers' overall chances of success by dividing a ransomware attack into two distinct phases; the first stage of gaining initial access to a target network, and the second stage of actually encrypting an organization's data and demanding ransom. This allows the involved parties to optimize their skills, tools, and operations for their particular stage of the attack process.

The two most common RaaS models are:

Profit sharing model - The ransomware operator deploys the ransomware attack, collects the ransom, and shares a percentage with the affiliate that provided initial access to the victim's network.
Subscription / Flat fee model - Affiliates pay a subscription or one-time fee for a customized ransomware payload, known as a ransomware kit. The affiliate then launches the attack against the chosen target and collects the ransom themselves.

Double And Triple Extortion Ransomware

Ransomware's primary method of coercing payment from a victim is to encrypt their critical data and demand payment for its decryption. However, this extortion tactic has been expanded to leverage new forms of extortion. These additional strategies are known as double and triple ransomware exportation tactics.

Double extortion extends the ransom tactics to include the threat of publicly exposing a company's stolen data - essentially threatening to reveal secrets that could erode competitive advantage or customer sentiment. Triple extortion subjects an organization to sustained denial-of-service (DOS) attacks that render its websites or other online services unavailable.

Protecting Your Data From Ransomware - What You Can Do

Protecting an organization from ransomware depends on defensive IT security programs that not only implement industry standard best practices to secure the Confidentiality, Integrity of Availability (CIA Triad) of all systems and data within an IT environment, but even go further to leverage all defensive measures possible. Here are some key activities that can help protect your organization from ransomware.

User Awareness Training

Phishing attacks are responsible for over 90% of initial access breaches. Awareness training can help employees understand the tactics and techniques used to gain a foothold on an organization's network that can lead directly to a successful ransomware attack. Awareness training includes information and exercises to help staff members identify social engineering tactics such as malspam, phishing, and spear-phishing that seek to entice or bait them into executing malware on behalf of the attacker. Awareness training is also an appropriate time to clarify policies and review standard operating procedures for handling suspicious communication or security incidents.

Network Security Best Practices

By applying IT industry standards and best-practices across an organization's entire network environment the probability of suffering a successful ransomware attack are greatly reduced. NIST CyberSecurity Framework (CSF), NIST Risk Management Framework (RMF), and additional topic specific NIST Special Publication 800 Subseries (SP 800) are a solid foundation for building reliable and resilient IT infrastructure. NIST also provides NISTIR 8374 - a ransomware specific guide for enterprises that already have mature cybersecurity programs in place. For smaller businesses, NIST's Small-Business CyberSecurity Corner provides an approachable starting point for beginning cybersecurity operations and a set of critical ransomware specific cybersecurity information.

A Bulletproof Backup Strategy

The most foundational backup strategy in the IT industry is called the “3-2-1” backup strategy. It states that a minimum of three copies of all critical files should exist at all times. These three copies include the original file, a local backup, and an offsite backup. This allows fast local recovery under normal circumstances and greater assurances by having offsite backups that can be used to recover under emergency situations such as ransomware. It's also important to protect access to backups with critical security controls including strong authentication, the principle of least privilege, and multi-factor authentication.

Continuous Vulnerability Management And Penetration Testing

Vulnerability management is a critical cybersecurity activity that seeks to continuously assess and track vulnerabilities across the entire network environment. The key goal is to identify, remediate, and minimize the window of opportunity for attackers by proactively and continuously hunting vulnerabilities and finding them before attackers can take advantage of them. Continuous vulnerability management can be supported by a high degree of automation to reduce the burden on internal IT team members. Penetration testing adds another layer of protection by simulating real world cyberattacks against an organization, but should be conducted by a trusted external third-party to ensure they represent a reliable and thorough assessment.

Cyber Insurance And Penetration Testing

Cyber insurance is a strategy for transferring cyber-risk outside of an organization. In the event of a successful attack, cyber insurance can help to cover the costs of system recovery, business interruption, and legal expenses. As a response to the increase in cyber-crime, cyber insurance is also sometimes a mandatory prerequisite to forming new business partnerships.

Cyber insurance policies require evidence that IT security best practices are in place such as firewalls, intrusion detection systems, backups, and encryption, but coverage also often depends on documenting evidence of continuous cybersecurity activities such as vulnerability management and penetration testing. Penetration tests must be performed by an independent external service provider - not related to an organization's existing services provider - to ensure that audits are truly third party assessments and not impacted by a conflict of interest with a company's existing operations.

However, even cyber insurance does not eliminate all risk and responsibility from an organization and recently, cyber-insurers have put more stringent limits on the coverage they offer, with rising premiums, higher deductibles, and reduced coverage. Since avoiding all responsibility is infeasible, companies should take every precaution to reduce their attack surface by proactively detecting and remediating security gaps before an attacker can take advantage.

Ransomware Payments - To Pay Or Not To Pay?

Ransomware payment transactions reached an average of $100 USD million per month in 2021 and it's reasonable to assume that some of that total will be reinvested into new and more sophisticated cyber-attack strategies. It's no wonder that the FBI and US Department of Homeland Security recommends that victims not pay ransom. However, if an organization has not implemented sufficient Data-Loss Prevention (DLP) or Disaster Recovery Plans (DRP), paying ransom may be the only viable option to recover encrypted files.

Furthermore, when attackers employ double or triple extortion tactics companies are at increased risk - even when they are able to recover encrypted data on their own. Additional risks include potential reputational damage or fines resulting from the release of customer data, loss of competitive advantage as a result of sensitive information being published, or lost revenues caused by downtime in the case of denial-of-service (DOS) attacks. These factors can all make paying ransom an attractive option.

Other factors that impact whether an organization is likely to pay ransom include whether it has sufficient cybersecurity insurance to cover the costs of paying a third party to recover its systems and data and outright sanctions on making ransom payments to entities covered by a national security policy embargo.

Read more on ‘Ransomware Payment: To Pay or Not To Pay’

How is Ransomware Penetration Testing Different From Other PacketLabs Service Offerings?

PacketLabs' Ransomware Penetration Testing service includes a full penetration test and specialized services that determine an organization's risk with respect to ransomware attacks. The extended services include a non-technical ransomware assessment and a technical ransomware assessment. The non-technical assessment component is a unique offering that is only available with the Ransomware Penetration Testing service.

A Ransomware Penetration Testing audit determines:

An organization's likelihood of experiencing a ransomware attack
Where ransomware attacks are most likely to occur within an organization's IT environment
The overall impact a ransomware attack could have on an organization
An organization's level of IT security maturity with respect to its risk objectives
An organization's ability to defend against a simulated ransomware attack

How Much Does It Cost?

The cost of a pentest can vary greatly depending on the scope and complexity of the engagement, but the typical range of a quality professional is between $30K - $60K.

The most significant factors that impact the cost of an Ransomware Penetration Test include the duration of testing engagement, the size and complexity of the target organization's infrastructure, and the amount of manual testing performed. All these factors are part of the formal discussion between the target organization and the penetration testing entity before testing begins.

Organizations that are debating the value of Ransomware Penetration Testing could initially contract a narrowly scoped test to assess the return value that penetration testing provides, or include a Ransomware assessment as part of an Object-based Penetration Test.

The Return on Security Investment (ROSI) metric is the appropriate method of calculating the ROI of penetration testing. ROSI is an alternative ROI equation, designed to accommodate the uniqueness of security-related investments. It compares the total avoided costs of potential security breaches to the cost incurred by penetration testing. A generalized version of the ROSI equation is:

ROSI = (Security expense avoided – prevention cost) / prevention cost

For example, if your company can expect to avoid even a minor security breach that would cost $100,000 over the next year, and the price of a penetration testing engagement were estimated to be $10,000, then the ROSI calculation would be 9 times the cost:

ROSI = ($100,000 - $10,000) / $10,000 = 9

What Is Included In A Report?

A Ransomware Penetration Test report is the deliverable information provided by the pentest consultant after testing has been completed. A Ransomware Penetration Testing report includes a full report that includes the findings of any of the included Object-based, Infrastructure, or Application Penetration testing elements and as well as additional sections that relay the findings of the technical and non-technical ransomware preparedness assessments.

The report can be used to improve cyber-defences by mitigating any identified vulnerabilities, and to create more security awareness within an organization by understanding the context in which the vulnerabilities occurred.

Reports are structured such that identified vulnerabilities are prioritized according to severity and include evidence of successful exploits such as exfiltrated data, cracked passwords, or screenshots of systems that were accessed without authorization.

After receiving a pentest report, an organization is offered the opportunity to ask questions to clarify the results. Upon reading the report, an organization may want to immediately request further testing, or begin the remediation process. It is advised to redo penetration tests after remediation is complete to verify that security gaps have been successfully closed.

Who Will Complete This Test?

The pentester role (also known as ethical hacker) is a distinct IT security role that requires specialized training and certification. Ethical hackers may be categorized as generalists who are broadly trained in penetration testing tactics, or specialists with deeper skills in some particular aspect of the pentesting process. Specialists may also be distinguished by the specific exploitation frameworks, protocols, operating systems, or exploitation types they are experts in.

The OSCP is a globally recognized and industry leading ethical hacking certification offered by Offensive Security. Offensive Security offers several certifications but the OSCP is the most broad and well-known. Packetlabs is a passionate team of highly trained ethical hackers with the industry’s most advanced certifications. All PacketLabs pentesters are required to have a minimum of OSCP. While OSCP is the PacketLabs minimum requirement, many team members go above and beyond to gain additional certified expertise including:

Offensive Security Experienced Penetration Tester (OSEP)
Offensive Security Wireless Attacks (OSWP)
Offensive Security Exploit Developer (OSED)
Offensive Security Web Expert (OSWE)
Certified Information Systems Security Professional (CISSP)
Certified Information Systems Auditor (CISA)
GIAC Web Application Penetration Tester (GWAPT)
GIAC Mobile Device Security Analyst (GMOB)
GIAC Systems and Network Auditor (GSNA)
GIAC Exploit Researcher and Advanced Penetration Tester (GXPN)
GIAC Certified Incident Handler (GCIH)
Global Industrial Cyber Security Professional (GICSP)
GIAC Cloud Penetration Tester (GCPN)
Burp Suite Certified Practitioner

This allows our team of OSCP penetration testing professionals to demonstrate industry leading comprehensive hands-on mastery of penetration testing.

Your Guide to Ransomware Penetration Testing

Table of Contents