Ransomware attacks are one of the most prevalent and destructive forms of cyber attack faced by both individuals and organisations. Ransomware is a specific type of malware that encrypts the victim's data and demands a ransom payment (usually in cryptocurrency) in exchange for the decryption key.
Ransomware attacks typically start with the compromise of a public facing web application or remote access solution (e.g., VPN, RDP), the use of previously compromised credentials or with malicious phishing emails. It can then propagate and spread to other hosts in various ways, including:
- Exploiting other known vulnerabilities in neighbouring systems
- Recursively stealing credentials from the compromised systems and re-using them on other systems in the network
- Identifying and encrypting files on network shares, mapped drives and other resources accessible
Once inside a system, ransomware encrypts files, making them inaccessible to the victim. The attackers then display a ransom note, instructing the victim on how to pay the ransom to receive the decryption key.
Consequences of Ransomware Attacks
Ransomware can lead to the permanent loss of data if victims do not pay the ransom or if the decryption key provided by the attackers is ineffective, meanwhile the attackers extort money from victims, often demanding payment in cryptocurrency to make tracking difficult. Following a ransomware attack, organisations may suffer reputational damage due to public knowledge of the attack and data compromise.
Prevention and Mitigation
There are a number of systems, policies and processes you can implement to both help prevent your organisation being subject to a successful ransomware attack, and to mitigate the damage done if a ransomware attack did occur. For example, by regularly backing up data and ensuring backups are stored on devices not connected to the corporate IT network, you will be able to mitigate the impact of data loss in case of a ransomware attack. You should also ensure software and operating systems are updated with the latest security patches to prevent exploitation of known vulnerabilities, and use up-to-date antivirus and anti-malware software, as well as network security measures such as firewalls and intrusion detection and prevention systems, to identify and block malicious activities.
To reduce the risk of ransomware infections and strengthen your human-based security defences, it’s important to educate employees about phishing and safe internet practices. You should also enforce a strong password policy and multi-factor authentication (MFA) to access corporate resources, as this is incredibly valuable for safeguarding against ransomware attacks. Meanwhile, performing regular security assessments will allow you to identify vulnerabilities and scope for the improvement of your organisation’s security posture, including its resilience against attempted ransomware attacks.
The Role of Penetration Testing in Preventing Ransomware Attacks
Penetration testing can also play a vital role in preventing ransomware attacks by identifying and addressing security vulnerabilities in an organisation's systems and networks. While penetration testing itself does not directly prevent attacks, it is a proactive measure that will help strengthen your organisation’s security posture, making it more resilient against potential cyber threats.
Penetration testing simulates real-world attack scenarios, allowing security experts to identify weaknesses and vulnerabilities in your organisation's infrastructure, applications, and network devices. By uncovering these vulnerabilities, you will be able to promptly fix them, reducing the potential attack surface for malware and ransomware to exploit.
Pen testing can also evaluate the effectiveness of security controls, such as firewalls, intrusion detection systems (IDS), antivirus software, and access controls. Testing the robustness of these measures will allow you to identify and rectify any weaknesses that could be exploited by ransomware.
As we mentioned above, keeping software and operating systems up to date with the latest security patches is vital for preventing ransomware attacks, as unpatched vulnerabilities are common entry points for malware. Pen testing can help verify that patch management processes are effective and that security patches have been installed, mitigating the risk of software and systems remaining unpatched and therefore vulnerable.
Penetration testing can include social engineering scenarios, such as phishing attacks, to assess how well employees adhere to security policies and identify areas where security awareness training is needed. Educating users about the risks of malware and ransomware is crucial in preventing successful attacks.
Many ransomware attacks exploit vulnerabilities in web applications. Penetration testing of web applications helps identify and fix common security flaws like SQL injection, cross-site scripting (XSS), and remote code execution. Ransomware attacks can also exploit the use of weak or compromised credentials to gain remote access to company resources (e.g., Remote Desktop Services, Citrix, etc.). Penetration testing helps you identify use of weak or compromised credentials or weak authentication mechanisms (e.g., lack of MFA, or other brute force protection mechanisms) that may allow threat actors to gain unauthorised access to corporate services and provide initial access for ransomware attacks.
Penetration testing can also be useful for evaluating your organisation’s incident response capabilities in the event of a ransomware attack. This helps ensure that you can detect, contain, and respond effectively to such threats. The findings of a pen test can inform the improvement of security policies and procedures, including refining access controls, password policies, and other security measures to prevent unauthorised access and data exfiltration.
If necessary, penetration testing can be extended to assess the security of third-party vendors and partners which have access to your organisation's systems or data. This helps ensure that potential weaknesses in these relationships are identified and addressed.
How Ransomware Operators Gain Access
URM has performed various types of penetration tests that allowed clients to identify and reduce security vulnerabilities which are typically exploited by ransomware operators. A few examples of findings identified by URM consultants that are often used by ransomware operators to gain initial access or to move laterally within a network include:
- The use of credentials found in public data leaks to access company resources, often identified during external infrastructure penetration tests, which allows ransomware operators to gain initial access to systems
- Vulnerabilities in publicly exposed services such as web applications or remote access services, identified during web application penetration tests or external infrastructure penetration tests, which is another common way ransomware operators gain access to internal systems
- Use of shared administrative credentials between servers or workstations, typically identified during internal infrastructure penetration tests, which allows ransomware operators to easily compromise multiple hosts once the first host has been compromised
- Insufficient network segmentation, typically identified during segmentation tests or internal infrastructure penetration tests, which does not limit the impact of ransomware attacks
- Lack or weaknesses in the authentication mechanisms (e.g., unauthenticated access to administrative services, lack of MFA, etc.), typically identified during internal infrastructure penetration tests, which allows ransomware operators to gain access to further services within the network
- Unrestricted outbound internet access, typically identified during servers’ security review, which makes it easier for ransomware operators to exfiltrate data
- Lack of endpoint protection, typically identified during internal infrastructure penetration tests or workstations and servers build reviews, which allow ransomware operators to easily run malicious code on the systems
- Use of unsupported and/or out-of-date software, typically identified during external or internal vulnerability assessments and penetration tests, which allows ransomware operators to exploit known vulnerabilities to gain initial access to an organisation’s systems and to move from one vulnerable system to another.
Closing Thoughts
Penetration testing is an essential component of a comprehensive cyber security strategy to prevent ransomware attacks. It provides organisations with insights into their security weaknesses, enabling them to take proactive measures to fortify their defences. However, it is crucial to remember that penetration testing is just one part of a layered defence strategy, and you should implement a range of security measures and best practices to safeguard against evolving cyber threats.
How URM can Help?
As a CREST and CREST OVS-accredited organisation, URM can offer your organisation a range of penetration testing services to help you protect against ransomware and other forms of cyber attack, with the assurance that the testing you receive from us is both effective and trustworthy. We can provide pen testing services against all assets associated with your organisation, service or location and, once we have identified the vulnerabilities within your IT systems and the risks to your organisation, formulate a prioritised remediation strategy to improve your organisation’s security posture and protect it against attack.
For example, URM can offer infrastructure and network penetration testing services to identify vulnerabilities in your organisation’s environment. These can be both internal and external, with our unauthenticated external penetration testing, allowing you to determine which services and information are publicly accessible and can be exploited by a malicious actor. Meanwhile, internal pen tests can assess the risk and impact to your organisation if an Individual from within your internal network were to be compromised. We can also conduct web and mobile application penetration testing, cloud pen testing, and business-led pen testing, depending on your organisation’s concerns and unique compliance and security needs.
At URM, we understand the ultimate objective of any CREST penetration testing is to enhance security and mitigate risks affecting your organisation’s assets. As such, we will provide a retest of any critical or high vulnerabilities we identify during an assessment within the following 30 days, helping you to ensure the most significant risks to your environment are mitigated quickly.
URM is pleased to provide a FREE 30 minute consultation on penetration testing for any UK-based organisation.
If you are unsure, URM can perform CREST-accredited internal and external penetration testing against all IP addresses associated with your organisation, location, or service.
Designed to assess the architecture, design and configuration of web applications, our web application pen tests use industry standard methodologies to identify vulnerabilities.
URM’s blog outlines the key steps you can take during and after a penetration test to improve your organisation’s security posture.
URM’s blog discusses how to prevent and mitigate the damage done by ransomware attacks, and how penetration testing can help your organisation avoid them.
The consequences of unauthorised access are varied. Apart from financial losses, there is a loss of customer confidence. Can penetration testing prevent this?