Ransomware as an entry point for a cyber-attack
Ransomware has been a burning issue in cybersecurity for several years. Usually initiated by a sophisticated social engineering attack, it is difficult to detect and block. The objective of the social engineering attack is to gain access to the internal network. Once inside, the attackers might dwell in your network for months before detonating the ransomware to encrypt your files. If you haven't detected the intruder by then, your systems are seriously endangered and your assets are at risk.
Once the malware is detonated, the encryption process begins, data gets locked, and systems start shutting down. At this point, the only option is to turn off the power supply. Once the malware has been cut off from the affected systems, the restoration process can begin. Depending on the damage done, this means either restoring from backup or paying the ransom; otherwise, you will probably lose the encrypted data.
The only way to discover whether your organization is ransomware-ready is to test your system under controlled conditions.
The goal of the test is to block ransomware attacks
The service aims to test whether file encryption is possible in your network using the tactics, techniques, and procedures (TTPs) of the best-known ransomware groups.
The figure by Kaspersky below shows the ransomware kill chain and the techniques used by currently active malicious groups, from the initial infection to the final encryption and exfiltration of files.
The test includes the following steps:
- Planning and setting up the environment;
- Threat modelling specific to the tested organization;
- Internal penetration testing with lateral movement, privilege escalation, and data exfiltration;
- Running a ransomware simulation;
- Assessment of resilience;
- Documentation throughout the test and final reporting.
Test methodology and results
A Ransomware Readiness simulation can be done with a black-box or a grey-box approach (in the grey-box case, starting from the credentials of either a privileged or a regular user). At each step of the test, we use dedicated tools that enable efficient and thorough testing.
The expected results of the test include:
- Disclosure of possible vulnerabilities in the existing security measures and protections, with recommendations for their elimination.
- Assessment of the efficiency and reliability of backup and data recovery procedures, with recommendations for improvements where necessary.
- Information on the level of readiness for detecting and responding to ransomware, with recommendations for improving incident response procedures.
- Assessment of readiness for potential future ransomware attacks, with recommendations for improving the security policy and protective measures against this type of threat.
The outcome of every test is a concise executive summary with a risk analysis and a comprehensive technical report with a detailed explanation of all steps and tests carried out during the procedure.