The Role of Penetration Testing in Preventing Ransomware Attacks

Consequences of Ransomware Attacks

Ransomware can lead to the permanent loss of data if victims do not pay the ransom or if the decryption key provided by the attackers is ineffective, meanwhile the attackers extort money from victims, often demanding payment in cryptocurrency to make tracking difficult. Following a ransomware attack, organisations may suffer reputational damage due to public knowledge of the attack and data compromise.

Prevention and Mitigation

There are a number of systems, policies and processes you can implement to both help prevent your organisation being subject to a successful ransomware attack, and to mitigate the damage done if a ransomware attack did occur.  For example, by regularly backing up data and ensuring backups are stored on devices not connected to the corporate IT network, you will be able to mitigate the impact of data loss in case of a ransomware attack.  You should also ensure software and operating systems are updated with the latest security patches to prevent exploitation of known vulnerabilities, and use up-to-date antivirus and anti-malware software, as well as network security measures such as firewalls and intrusion detection and prevention systems, to identify and block malicious activities.

To reduce the risk of ransomware infections and strengthen your human-based security defences, it’s important to educate employees about phishing and safe internet practices.  You should also enforce a strong password policy and multi-factor authentication (MFA) to access corporate resources, as this is incredibly valuable for safeguarding against ransomware attacks.  Meanwhile, performing regular security assessments will allow you to identify vulnerabilities and scope for the improvement of your organisation’s security posture, including its resilience against attempted ransomware attacks.

The Role of Penetration Testing in Preventing Ransomware Attacks

Penetration testing can also play a vital role in preventing ransomware attacks by identifying and addressing security vulnerabilities in an organisation's systems and networks.  While penetration testing itself does not directly prevent attacks, it is a proactive measure that will help strengthen your organisation’s security posture, making it more resilient against potential cyber threats.

Penetration testing simulates real-world attack scenarios, allowing security experts to identify weaknesses and vulnerabilities in your organisation's infrastructure, applications, and network devices.  By uncovering these vulnerabilities, you will be able to promptly fix them, reducing the potential attack surface for malware and ransomware to exploit.

Pen testing can also evaluate the effectiveness of security controls, such as firewalls, intrusion detection systems (IDS), antivirus software, and access controls.   Testing the robustness of these measures will allow you to identify and rectify any weaknesses that could be exploited by ransomware.

As we mentioned above, keeping software and operating systems up to date with the latest security patches is vital for preventing ransomware attacks, as unpatched vulnerabilities are common entry points for malware.  Pen testing can help verify that patch management processes are effective and that security patches have been installed, mitigating the risk of software and systems remaining unpatched and therefore vulnerable.

Penetration testing can include social engineering scenarios, such as phishing attacks, to assess how well employees adhere to security policies and identify areas where security awareness training is needed. Educating users about the risks of malware and ransomware is crucial in preventing successful attacks.

Many ransomware attacks exploit vulnerabilities in web applications.  Penetration testing of web applications helps identify and fix common security flaws like SQL injection, cross-site scripting (XSS), and remote code execution.  Ransomware attacks can also exploit the use of weak or compromised credentials to gain remote access to company resources (e.g., Remote Desktop Services, Citrix, etc.).  Penetration testing helps you identify use of weak or compromised credentials or weak authentication mechanisms (e.g., lack of MFA, or other brute force protection mechanisms) that may allow threat actors to gain unauthorised access to corporate services and provide initial access for ransomware attacks.

Penetration testing can also be useful for evaluating your organisation’s incident response capabilities in the event of a ransomware attack.  This helps ensure that you can detect, contain, and respond effectively to such threats.  The findings of a pen test can inform the improvement of security policies and procedures, including refining access controls, password policies, and other security measures to prevent unauthorised access and data exfiltration.

If necessary, penetration testing can be extended to assess the security of third-party vendors and partners which have access to your organisation's systems or data.  This helps ensure that potential weaknesses in these relationships are identified and addressed.

How Ransomware Operators Gain Access

URM has performed various types of penetration tests that allowed clients to identify and reduce security vulnerabilities which are typically exploited by ransomware operators.  A few examples of findings identified by URM consultants that are often used by ransomware operators to gain initial access or to move laterally within a network include:

• The use of credentials found in public data leaks to access company resources, often identified during external infrastructure penetration tests, which allows ransomware operators to gain initial access to systems
• Vulnerabilities in publicly exposed services such as web applications or remote access services, identified during web application penetration tests or external infrastructure penetration tests, which is another common way ransomware operators gain access to internal systems
• Use of shared administrative credentials between servers or workstations, typically identified during internal infrastructure penetration tests, which allows ransomware operators to easily compromise multiple hosts once the first host has been compromised
• Insufficient network segmentation, typically identified during segmentation tests or internal infrastructure penetration tests, which does not limit the impact of ransomware attacks
• Lack or weaknesses in the authentication mechanisms (e.g., unauthenticated access to administrative services, lack of MFA, etc.), typically identified during internal infrastructure penetration tests, which allows ransomware operators to gain access to further services within the network
• Unrestricted outbound internet access, typically identified during servers’ security review, which makes it easier for ransomware operators to exfiltrate data
• Lack of endpoint protection, typically identified during internal infrastructure penetration tests or workstations and servers build reviews, which allow ransomware operators to easily run malicious code on the systems
• Use of unsupported and/or out-of-date software, typically identified during external or internal vulnerability assessments and penetration tests, which allows ransomware operators to exploit known vulnerabilities to gain initial access to an organisation’s systems and to move from one vulnerable system to another.

‍

Closing Thoughts

Penetration testing is an essential component of a comprehensive cyber security strategy to prevent ransomware attacks.  It provides organisations with insights into their security weaknesses, enabling them to take proactive measures to fortify their defences.  However, it is crucial to remember that penetration testing is just one part of a layered defence strategy, and you should implement a range of security measures and best practices to safeguard against evolving cyber threats.