Red Team services can perform ransomware simulations to test whether an organization is prepared to withstand a ransomware attack
The exploitation of a zero-day vulnerability, a supply chain attack and the use of ransomware: these three dangerous elements came together in an attack launched by a Russian cybercriminal group against GoAnywhere, a secure file transfer product that Fortra supplies to thousands of organizations. What was the result? More than 100 companies and institutions suffered data theft. Financial sector entities, healthcare organizations, pension funds, educational platforms and even the city of Toronto were among the victims of this perfect storm.
These security incidents alert us to the risks associated with the exploitation of unknown vulnerabilities, the threats to the IT supply chain and the dangers of ransomware attacks, which are becoming increasingly frequent and sophisticated. So companies and public administrations with a higher level of cybersecurity maturity and cyber exposure should consider using ransomware simulations to optimize their resilience to attacks and improve their detection, response and recovery capabilities.
Some companies market simulators that automate ransomware simulations. However, these tools typically run a fixed catalogue of techniques on a single endpoint and cannot adapt to how the defenders react, so their scope is limited and they do little to strengthen the defensive layers as a whole or to improve an organization's resilience to ransomware incidents.
On the other hand, Red Team’s services can be a value-added option to perform ransomware simulations to analyze the behaviour of defensive layers and prepare them to identify and contain actual attacks and safeguard the company’s operations.
Below, we will explore some of the keys to ransomware simulations and why these Red Team scenarios can make a difference in the fight against cybercriminals.
1. Ransomware attacks, a hazardous scenario
Conti, LockBit, Hive, REvil, BlackCat… These ransomware families have been at the centre of numerous security incidents over the past year, resulting in the loss of vast amounts of data and severe economic repercussions for companies. But what exactly is ransomware?
Criminals infect a corporate system with malware that hijacks the organization's confidential data (strategic information, customers' or citizens' data, financial data, etc.). The data is encrypted so that if companies or institutions wish to regain access to their information, they must pay a ransom; most groups also exfiltrate the data beforehand and threaten to publish it if the ransom is not paid. However, experience shows that paying the ransom does not guarantee the return of the data, nor that stolen copies are deleted, and it contributes to strengthening criminal groups.
Given its current relevance, the European Union Agency for Cybersecurity (ENISA) published in July 2022 a report on the ransomware attack landscape and its impact on companies globally, with a particular focus on the EU.
ENISA researchers studied a sample of 623 ransomware incidents, that is, successful attacks in which malicious actors accomplished their goals and stole information from the organizations. The study notes that Spain was the fifth country in the world in 2022 with the most ransomware incidents, ranking only behind the United States, Germany, France and Italy.
The report also emphasizes the sectors most affected by this type of incident and to which it could be of great added value to implement ransomware simulations: heavy industry, information services, public administrations, and the health and food sectors.
2. What are ransomware simulations?
The concept of ransomware simulations leaves little to the imagination. They are Red Team scenarios in which the professionals providing this offensive security service simulate realistic behaviour as malicious actors that infiltrate an organization’s systems and infect them with ransomware.
When it comes to getting down to work, the Red Team must first design a scenario according to the objectives of the company that hires the Red Team service. This scenario includes three main elements:
- Malicious actor. Whether the attacker should behave like a compromised collaborator, a disgruntled employee, a remote attacker, a competitor…
- Intrusion vector. How the Red Team will enter the corporate systems to achieve its objectives: exploitation of a vulnerability, social engineering, leaked information…
- Objectives. What the Red Team should achieve: compromise critical assets, obtain sensitive information, sabotage enterprise software and hardware or deploy ransomware.
The different options for each parameter can be combined to design multiple Red Team scenarios that contribute to securing the company against threats.
One of the most popular Red Team scenarios today is precisely the simulation of ransomware. This service helps companies to improve their ability to cope with an actual potential attack using this type of malware to hijack high-value data.
2.1. Which companies should perform ransomware simulations?
Red Team services are not intended for all companies. Because of their complexity and scope, they are designed for organizations that already have a security strategy and mature defensive layers, and can therefore withstand and respond to the Red Team's actions.
On the other hand, companies with a low level of cybersecurity maturity should start by engaging other cybersecurity services to help them develop defensive policies and mechanisms.
On this basis, then, Red Team’s ransomware simulation-based scenarios are ideal for companies that cannot answer three basic questions in the affirmative and without any hint of doubt:
- Are we prepared to withstand a ransomware attack?
- Are our defensive layers capable of identifying and containing ransomware attacks and recovering from a ransomware incident?
- Have we been able to experience a ransomware attack and draw lessons from this experience?
If you are the CISO or a senior manager of a company and cannot answer a resounding yes to these three questions, your company needs to run ransomware simulations.
3. Tarlogic Red Team Ransomware Simulations
Tarlogic’s professionals, who have extensive experience in designing and implementing Red Team services, recommend ransomware simulations if any of the answers to the above questions are negative.
The ransomware simulations by Tarlogic Security professionals are structured around two main phases: the activities that make up the Red Team scenario and a Gap-Analysis.
3.1. Red Team scenario
During the first phase of the ransomware simulations, the professionals design a Red Team scenario whose objective is the deployment of ransomware on the company’s systems. To this end, they carry out all the activities necessary to perform end-to-end ransomware simulations comprehensively:
- Intelligence. In the first stage of ransomware simulations, professionals continuously gather information and generate intelligence to plan the simulated attack.
- Detecting weaknesses. Second, the Red Team analyses weaknesses in the organization’s perimeter to find a vulnerability it can exploit to breach the security perimeter.
- Exploitation. As the name suggests, in this stage, the Red Team professionals exploit the weaknesses found in the previous steps to take control of corporate assets.
- Lateral movement. Once inside the organization's systems, the Red Team moves laterally through the internal network to reach the systems on which a real attacker would deploy the ransomware.
- Privilege escalation. Another tactic executed during ransomware simulations is privilege escalation, which allows professionals to exert complete control over the company’s infrastructure.
- Persistence. Red Team installs backdoors to ensure persistence in the network to achieve all the objectives planned when designing the scenario.
- Fulfilment of the objectives. In the last step of the ransomware simulations, the professionals reach the business data. If an actual attacker were to complete this process, they could encrypt the data, exfiltrate it or launch DDoS attacks (the so-called double or triple extortion).
3.2. Gap-Analysis
When the Red Team in charge of the ransomware simulations finishes the exercise, an advisor analyzes the response of the organization's defensive layers. This analysis seeks to evaluate the company's ability to:
- Detect ransomware attacks. How effective were the detection mechanisms? How long did it take to identify the simulated attack?
- Contain these kinds of incidents. Are the defensive layers capable of containing incidents quickly and effectively to minimize their impact?
- Recover business assets and ensure business continuity. Is the organization prepared to recover the attacked assets in the shortest possible time and without losing data in the process?
By assessing detection, containment and recovery capabilities, the Gap-Analysis analysts identify improvement opportunities. This information is collected in an improvement plan delivered to the company so that it can implement the necessary measures to improve its resilience and response to ransomware attacks, avoiding or, at least, minimizing their harmful economic, legal and reputational repercussions for the business.
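The Gap-Analysis questions above (how long until the simulated attack was identified, whether it was contained, how long recovery took) are answered by lining up the Red Team's own activity log against the defenders' alert, containment and recovery events. The following script is an added example, not Tarlogic's tooling: it takes a constructed timeline of a hypothetical exercise (the phase names are the ones from section 3.1; timestamps, events and the choice to exclude the two external reconnaissance phases from the coverage ratio are assumptions of this example) and computes time-to-detect per phase, the phases that produced no alert at all, time-to-contain and time-to-recover.

```python
"""Gap-analysis scorer for a ransomware simulation (added example).

Joins the Red Team's activity timeline with the defenders' SOC events to
measure detection, containment and recovery. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Scenario phases named in the article, in the order the Red Team runs them.
PHASES = [
    "intelligence", "weakness_detection", "exploitation",
    "lateral_movement", "privilege_escalation", "persistence", "objectives",
]
# Assumption: reconnaissance happens outside the perimeter, so it is not
# counted against the defenders when computing detection coverage.
EXTERNAL_PHASES = {"intelligence", "weakness_detection"}


@dataclass(frozen=True)
class RedTeamAction:
    phase: str
    started: datetime
    note: str                   # operator's free-text description


@dataclass(frozen=True)
class DefenderEvent:
    kind: str                   # "alert", "containment" or "recovery"
    at: datetime
    phase: Optional[str] = None  # phase the SOC attributed an alert to


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed timeline of a hypothetical exercise (illustrative values only).
ACTIONS: List[RedTeamAction] = [
    RedTeamAction("intelligence", ts("2024-03-04T09:00"), "OSINT, no contact with target"),
    RedTeamAction("weakness_detection", ts("2024-03-05T10:00"), "external service enumeration"),
    RedTeamAction("exploitation", ts("2024-03-06T11:30"), "initial foothold obtained"),
    RedTeamAction("lateral_movement", ts("2024-03-06T14:10"), "reached file server"),
    RedTeamAction("privilege_escalation", ts("2024-03-06T16:45"), "domain admin equivalent"),
    RedTeamAction("persistence", ts("2024-03-07T08:20"), "scheduled task backdoor"),
    RedTeamAction("objectives", ts("2024-03-07T10:00"), "harmless payload staged on targets"),
]
EVENTS: List[DefenderEvent] = [
    DefenderEvent("alert", ts("2024-03-06T12:05"), "exploitation"),
    DefenderEvent("alert", ts("2024-03-06T17:30"), "privilege_escalation"),
    DefenderEvent("alert", ts("2024-03-07T10:12"), "objectives"),
    DefenderEvent("containment", ts("2024-03-07T10:40")),
    DefenderEvent("recovery", ts("2024-03-07T15:30")),
]


def time_to_detect(actions, events) -> Dict[str, Optional[timedelta]]:
    """Per phase: delay from the Red Team's first action to the first alert
    the SOC attributed to that phase, or None if it was never detected."""
    result = {}
    for a in actions:
        alerts = [e.at for e in events
                  if e.kind == "alert" and e.phase == a.phase and e.at >= a.started]
        result[a.phase] = (min(alerts) - a.started) if alerts else None
    return result


def detection_coverage(ttd: Dict[str, Optional[timedelta]]) -> float:
    """Fraction of in-scope (post-intrusion) phases that produced an alert."""
    scored = [p for p in ttd if p not in EXTERNAL_PHASES]
    detected = [p for p in scored if ttd[p] is not None]
    return len(detected) / len(scored) if scored else 0.0


def first_of(events, kind: str) -> Optional[datetime]:
    return min((e.at for e in events if e.kind == kind), default=None)


def time_to_contain(actions, events) -> Optional[timedelta]:
    """From the first intrusion step to the first containment action."""
    intrusion = min(a.started for a in actions if a.phase not in EXTERNAL_PHASES)
    contained = first_of(events, "containment")
    return contained - intrusion if contained else None


def detect_to_contain(events) -> Optional[timedelta]:
    """How long the defenders sat on their first alert before containing."""
    first_alert, contained = first_of(events, "alert"), first_of(events, "containment")
    return contained - first_alert if first_alert and contained else None


def time_to_recover(events) -> Optional[timedelta]:
    """From containment to the assets being declared recovered."""
    contained, recovered = first_of(events, "containment"), first_of(events, "recovery")
    return recovered - contained if contained and recovered else None


def gap_report(actions, events) -> dict:
    ttd = time_to_detect(actions, events)
    return {
        "time_to_detect": ttd,
        "undetected_phases": [p for p in PHASES
                              if p not in EXTERNAL_PHASES and ttd.get(p) is None],
        "detection_coverage": detection_coverage(ttd),
        "time_to_contain": time_to_contain(actions, events),
        "detect_to_contain": detect_to_contain(events),
        "time_to_recover": time_to_recover(events),
    }


if __name__ == "__main__":
    for key, value in gap_report(ACTIONS, EVENTS).items():
        print(f"{key}: {value}")
```

In this constructed run the SOC spotted the initial foothold in 35 minutes but took almost a day to contain it, and never saw the lateral movement or the persistence mechanism; those two undetected phases, plus the gap between first alert and containment, are exactly the findings a Gap-Analysis improvement plan would list.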
4. Five benefits of ransomware simulations
Red Team exercises based on ransomware simulations rest on the premise that the professionals performing them behave like real attackers. As such, the simulation is highly realistic and provides the ideal context to meet five high-value objectives for companies facing these threats.
- Demonstration of defensive capabilities. A company may believe it has fully optimized defensive layers, but the best way to prove it is to conduct a demonstration. Ransomware simulations allow you to demonstrate whether your security mechanisms and controls work effectively against ransomware attacks in a simulated but realistic scenario. In other words, ransomware simulations allow defensive security professionals to train before the actual competition begins.
- Identifying and confirming weaknesses and strengths. By pitting the defensive layers against an attack that simulates the real thing, weaknesses and areas for improvement can be determined, as can the strengths of the security strategy.
- Analysis and optimization of detection, containment and recovery capabilities. Detection, containment and recovery from ransomware attacks are essential to prevent damage to the company and its business assets.
- Collecting data and technical evidence to improve decision-making. Cybersecurity is a strategic area for companies in the digital age. Hence, decision-making in this area must be based on data and evidence. Red Team scenarios based on ransomware simulations provide valuable information for managing company resources.
- Training of the professionals that make up the defensive layers so that they are prepared to manage actual attacks.
5. Improving ransomware resilience
The central mission of Red Team’s scenarios based on ransomware simulations is to improve the resilience of companies to one of today’s biggest threats.
Successful ransomware attacks are made public every week, generating economic and reputational losses for companies in all economic sectors across the globe. As a result, the resilience of companies has become a central issue in the face of an increasingly complex and dangerous threat landscape.
An excellent example of this is the recent approval of a regulatory framework in the EU committed to strengthening the defensive layers of European companies, especially in sectors of vital importance such as health or energy (the NIS2 directive). More specifically, for a critical area such as the financial sector, a dedicated regulation has been approved: DORA (Digital Operational Resilience Act). Resilience appears in the very title of the act.
Likewise, ENISA, in the recommendations of the report we unpacked earlier, also stresses the importance of optimizing the resilience of EU companies and institutions in the face of ransomware attacks.
What conclusions can we draw from this? Improving the resilience of companies to ransomware attacks must be a priority strategic decision for decision-makers within organizations.
5.1. Professional services for arming companies
How can resilience be improved? By performing Red Team scenarios based on ransomware simulations and complementing these activities with a comprehensive Gap-Analysis of the response of the defensive layers.
Tarlogic professionals are highly skilled and knowledgeable about malicious actors' tactics, techniques and procedures (TTPs). In addition, the Red Team is continuously trained to incorporate the latest strategies and technologies employed by hostile actors.
Improving resilience to ransomware attacks can make the difference between a failed attack or a minor incident and a disaster that paralyzes the company’s activity, affecting its business model and resulting in heavy financial losses.