Using Penetration Testing to Stop a New Stealth Breed of Ransomware Attacks
Ransomware is arguably one of the most insidious and damaging forms of malware. Cybercriminals continually adopt new methods to get around the defenses enterprises put up against it. A recent Microsoft post on ransomware describes a new breed of attack that uses stealth to work its way through a network before the ransomware is ever deployed. It states:
“These attacks are known to take advantage of network configuration weaknesses and vulnerable services to deploy devastating ransomware payloads.”
The devastating use of system vulnerabilities as an entry method was seen in the WannaCry attack, which spread through a flaw in Microsoft's SMBv1 implementation (patched as MS17-010 and exploited by EternalBlue) and hit unpatched Windows 7 and Windows Server 2008 machines particularly hard. IT system vulnerabilities leave the door open for ransomware attacks. However, these same vulnerabilities can be found before it is too late using a technique called "Penetration Testing", or Pen Testing.
Ransomware by numbers
To say that ransomware is rapidly becoming the cybercriminal's attack of choice is possibly an understatement. Recent research into the level and breadth of ransomware attacks shows how successful this attack method is, and that success means ransomware is likely to remain a problem for years to come.
Some examples of statistics that evidence the severe nature of ransomware attacks:
- New ransomware families: Ransomware is classified into 'families' of malware that behave in similar ways, and the number of new families and variants has roughly doubled year on year. In Q2 of 2019 alone, Kaspersky identified 16,017 new ransomware variants.
- Over half of all businesses affected: According to the State of Email Security 2020 report from Mimecast, 51% of the global IT leaders said ransomware attacks impacted their organization in the past 12-months.
- Downtime is an issue: Mimecast also found that ransomware victims suffered an average of 3 days of downtime.
- Global costs of ransomware are massive
- Continuous ransomware attacks: Cybersecurity Ventures predicts that by 2021 a ransomware attack will hit a business every 11 seconds.
Ransomware in 2020 and beyond
Unfortunately, the Covid-19 pandemic may be creating new waves of attacks. SonicWall's "2020 Cyberthreat Report" identified criminal gangs using 'big-game hunting' tactics to target organizations they know will pay the ransom. This is far more focused than the mass-mailing techniques used in some earlier ransomware campaigns. To carry out these highly targeted attacks, the gangs look for exploitable system vulnerabilities, gain a foothold, and then move through the network. The malware is typically controlled from a Command and Control (C&C) server outside the corporate network, and the attackers stay quiet until they judge the time is right, at which point the ransomware payload is detonated across as many systems as possible. Before that happens they may also run secondary payloads that harvest passwords and other sensitive data, which gives them both a way to spread further and extra leverage for extortion.
Ransomware attacks are also becoming easier to mount, because ransomware kits are readily available on the dark web. These kits are built by developers and sold as 'Ransomware-as-a-Service' (RaaS), which means that anyone wanting to extort money from a business can buy the main ingredients needed to carry out an attack.
Modern ransomware operators appear to focus on IT system vulnerabilities in networks much more than on the "spray and pray" technique of sending out mass phishing emails. The focus is on organizations that must keep their business up and running. If a ransomware attack happens, such an organization is much more likely to pay the ransom in the hope of receiving a decryption key that recovers critical documents and files and lets it get back to work.
Typical Vulnerabilities that Can Lead to a Ransomware Attack
The fundamental vulnerabilities that lead to ransomware attacks include:
- Phishing: Emails containing a malicious link or an infected attachment are still part of the phisher's toolkit. However, there is a move towards more direct exploitation of system vulnerabilities.
- Drive-by download: Ransomware (or other malware) can be delivered by a compromised or malicious website, often through an exploit kit, without the user deliberately downloading anything. Users who inadvertently land on such a site become infected if their browser, plugins, or other client software have exploitable vulnerabilities.
- Remote Desktop Protocol (RDP): This is a significant cause of ransomware infections. Research from F-Secure attributes 31% of ransomware infections to RDP. In practice this covers internet-exposed RDP services with weak, reused, or brute-forced credentials as well as unpatched RDP software.
- USB or flash drives and other removable media: Removable media can carry malware onto machines that are otherwise isolated from the internet.
- Operating system vulnerabilities: WannaCry spread through a flaw in the Windows SMBv1 service (MS17-010) that had a patch available weeks before the outbreak. Operating system flaws offer open doors that let a malicious program execute, install its payload, and spread to other hosts without any user interaction.
No matter what vector is used to infect a computer, the attacker ultimately has to exploit some form of vulnerability, whether a software flaw, a misconfiguration, an exposed service, or a human one.
How Penetration Testing prevents ransomware
To prevent ransomware infection by vulnerability exploitation, an organization needs to understand where those vulnerabilities are. Penetration testing is a holistic technique for locating them. In essence, the pentesters act as attackers, using the same techniques cybercriminals use to search for vulnerabilities and then attempting to exploit them.
Penetration testing involves multiple actions.
- Plan: Pentesters agree the scope and rules of engagement, work out what they need to look for, and decide which techniques will be used in the pen test.
- Scan: Pentesters typically use specialist scanning tools to enumerate hosts, open services, and software versions, and to help locate vulnerabilities.
- Exploit: This is the critical stage that shows how the vulnerabilities found could actually be exploited. Pentesters often draw on key sources of attack data such as OWASP and MITRE ATT&CK. The pentest attempts both known and novel exploitation methods, including social engineering. This stage also reveals how an attacker who has gained a foothold could move laterally and persist inside the network, which is exactly the pattern used by Advanced Persistent Threats (APTs) and by targeted ransomware operators.
- Review and analyze: The pentesters produce a report that shows where the vulnerabilities are, how severe each one is, and what mitigation is recommended.
- Fix: The organization is encouraged to use the pentest results to harden its systems against all forms of attack, including ransomware, and ideally to retest once the fixes are in place.
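The scan-and-review steps above, and the exposure list in the previous section (RDP, SMB, and legacy Windows builds of the kind WannaCry hit), can be illustrated with a small triage script. This is an added example written for this article, not Cyber Centaurs' tooling: it parses Nmap grepable output (the `-oG` format, with `-O` for OS guesses) and turns open ports into prioritized findings with a suggested fix for each. The sample scan output, the hostnames, and the rule table are constructed for the example.

```python
"""Triage Nmap grepable (-oG) output for ransomware-relevant exposure.

Added example for this article (not Cyber Centaurs' tooling). Assumptions:
the scan was run with -oG (and optionally -O); the rule table, hostnames and
scan lines below are illustrative and constructed for this example.
"""
import re
from dataclasses import dataclass

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")

# Exposures the article singles out as ransomware entry points. Ports not in
# this table are ignored; extend it for your own environment.
RULES = {
    3389: ("HIGH", "RDP reachable from the scan position",
           "Take RDP off the internet; require VPN plus MFA; enforce NLA and account lockout"),
    445:  ("HIGH", "SMB reachable from the scan position",
           "Block 445 at the perimeter and between user segments; disable SMBv1"),
    139:  ("MEDIUM", "NetBIOS session service reachable",
           "Disable NetBIOS over TCP/IP where it is not needed"),
}
LEGACY_OS = ("windows xp", "windows 7", "windows server 2003", "windows server 2008")
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


@dataclass
class Finding:
    host: str
    port: int
    severity: str
    title: str
    remediation: str


def parse_gnmap(text):
    """Return {ip: {"hostname", "os", "ports": {port: service}}}, open TCP ports only."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and blank lines
        ip, hostname = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "os": None, "ports": {}})
        for field in line.split("\t")[1:]:
            if field.startswith("Ports: "):
                # each item: port/state/proto/owner/service/rpcinfo/version/
                for item in field[len("Ports: "):].split(", "):
                    port, state, proto, _owner, service = item.split("/")[:5]
                    if state == "open" and proto == "tcp":
                        entry["ports"][int(port)] = service
            elif field.startswith("OS: "):
                entry["os"] = field[len("OS: "):]
    return hosts


def assess(hosts):
    """Apply RULES per host; SMB on a legacy Windows build is escalated to CRITICAL."""
    findings = []
    for ip, h in hosts.items():
        legacy = bool(h["os"]) and any(tag in h["os"].lower() for tag in LEGACY_OS)
        for port in sorted(h["ports"]):
            if port not in RULES:
                continue
            severity, title, fix = RULES[port]
            if port == 445 and legacy:
                severity = "CRITICAL"
                title = f"SMB exposed on legacy OS ({h['os']}): MS17-010/WannaCry-class risk"
                fix = "Isolate or retire the host; confirm MS17-010 is applied; disable SMBv1"
            findings.append(Finding(ip, port, severity, title, fix))
    findings.sort(key=lambda f: (SEVERITY_ORDER[f.severity], f.host, f.port))
    return findings


def format_report(findings):
    """One line per finding, most severe first, with the suggested fix indented."""
    return "\n".join(
        f"[{f.severity}] {f.host}:{f.port} {f.title}\n    fix: {f.remediation}"
        for f in findings
    )


# Constructed sample of -oG output (not a real scan). Fields are tab-separated.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated (constructed sample for this example)
Host: 10.10.0.5 (dc01.corp.example)\tStatus: Up
Host: 10.10.0.5 (dc01.corp.example)\tPorts: 88/open/tcp//kerberos-sec///, 135/open/tcp//msrpc///, 445/open/tcp//microsoft-ds///\tOS: Microsoft Windows Server 2019\tSeq Index: 260
Host: 10.10.0.23 (fileserver.corp.example)\tStatus: Up
Host: 10.10.0.23 (fileserver.corp.example)\tPorts: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tOS: Microsoft Windows 7 SP1
Host: 10.10.0.40 (web01.corp.example)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///
Host: 10.10.0.41 ()\tPorts: 3389/open/tcp//ms-wbt-server///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (998)
"""

if __name__ == "__main__":
    print(format_report(assess(parse_gnmap(SAMPLE_GNMAP))))
```

Two caveats a practitioner would add. First, "reachable from the scan position" matters: SMB open on a file server is expected from inside the office LAN, so the findings that count are the ones produced from an external scan or from a segment that should not reach the service. Second, an OS guess from `-O` is only a guess; before reporting a WannaCry-class exposure the pentester confirms it, for example by checking whether the host actually accepts SMBv1 and whether MS17-010 is installed.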
Cyber Centaurs Penetration Testing services cover all of the above. Our highly customizable Pen test methodology works across all networks, services, and potential attack vectors.
Cybercriminals are masters of manipulation. Even if an organization refuses to pay the ransom, the fallout from a ransomware infection is costly in lost business, productivity, and reputation. Ransomware attacks against SMBs are on the rise: the average cost of downtime caused by a ransomware attack on an SMB is $141,000, a 200% rise compared to 2018. Attacks are now highly focused and targeted, and cybercriminals look for the weakest link in a system to get their ransomware into an organization. Using the services of an expert Penetration Testing provider allows an organization to find and close those gaps before cybercriminals exploit them.