Every organization, no matter how large or small, is vulnerable to ransomware attacks. What can organizations do in the face of this evolving threat? One method: Perform ransomware simulations on themselves. This approach might seem counterintuitive, but it’s a solid, proactive way to fend off an attack.
Preventing ransomware attacks is paramount for protecting an organization. But how do attacks actually take hold? According to Check Point’s “Cyber Attack Trends: Mid Year Report 2021,” more than 80% of ransomware attacks stemmed from email in the first half of 2021.
In an email-based attack, a malicious attachment or link is delivered to employees' workstations, and in practice at least one employee opens it. The attack works because the attacker needs only one person to take the bait.
Typically, the goal of email-delivered malware is to establish a remote connection back to attacker-controlled servers so the attackers can interact with the workstation and the network in real time. Some ransomware is automated to begin encrypting the moment it executes, but that approach reaches only the initial workstation; it is far less comprehensive than a hands-on intrusion that spreads first and then encrypts systems across the network.
Once remotely connected, advanced attackers attempt to escalate their privileges on workstations by gaining access as administrators and then moving laterally to other devices on the network. Attackers commonly abuse control failures such as excessive privilege, unnecessary file share access, and missing patches. Additionally, they typically aim to delete or render unusable any backups on the network and exfiltrate copies of any sensitive data they can get their hands on before cryptolocking (maliciously encrypting) all target systems.
These actions lead to a ransomware situation called "double extortion": in addition to demanding payment for data decryption, attackers demand a further fee to not release the stolen data publicly. Check Point also reports instances of triple extortion, in which attackers target the victim organization's customers or partners to demand more ransom.
Understanding the specific goals of ransomware attackers as well as their tactics once they gain access to an organization’s network is critical to knowing which controls need to be strengthened and which activities need to be monitored and prevented.
The best way to learn how to deal with ransomware might just be to ransomware your own organization. Taking this seemingly counterintuitive action could range from a tabletop exercise walking through a pretend ransomware scenario to running ransomware simulation software in your network.
A tabletop exercise is an excellent approach for many IT-related processes because it forces the responsible parties to step through documented plans to demonstrate that they can logically follow all of the steps and that the relevant technologies are functioning. Often, this role-playing uncovers gaps in documented plans and responses to business-critical events, such as a ransomware attack.
On the more technology-focused side, however, simulating a ransomware attack with software can provide unique insights about the IT environment. For example, endpoint controls can be evaluated for whether ransomware activities (mass file modification and renaming, dropped ransom notes, attempts to tamper with backups) would be detected or blocked. Similarly, network-based preventive and detective controls can be tested against attempts to encrypt remote systems, such as files on network shares reached from the compromised workstation.
Lastly, in any ransomware simulation, backups can be tested to see whether files and systems can be properly restored, or whether the backups themselves would also be cryptolocked because they are reachable from the compromised host. Without the proper expertise, however, running software that encrypts files on a network is risky. Enlisting a third party with that expertise can help mitigate the risk and guide the exercise so that it provides more value.
Until such scenarios are exercised realistically, it is difficult for an information security or IT leadership team to have any assurance that ransomware can be successfully deterred, detected, or mitigated. Accurate testing can identify holes in detection capabilities, incident response plans, and backup procedures.
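The software-based simulation and backup check described above, as an added example that is not part of the original article: a contained Python harness that seeds a scratch directory with constructed sample files plus a "backup" copy, transforms the files with a keyed SHA-256 counter keystream (illustrative only; it is not a real ransomware sample and never touches anything outside the directory it creates), drops a note, runs a simple extension-and-entropy detector over the result, and verifies whether the backup still restores byte-for-byte. The `.simlocked` extension, the note filename, the 7.5 bits-per-byte entropy threshold and the `backup_on_same_share` switch are assumptions chosen for this example.

```python
"""Contained ransomware simulation harness (added example; illustrative only).

Everything happens inside a scratch directory the harness creates and deletes.
The keyed transform is reversible with the key the tester holds; it is not a
real ransomware sample and never touches files outside the scratch tree.
"""
import hashlib
import math
import os
import shutil
import tempfile
from pathlib import Path

SIM_EXT = ".simlocked"            # assumed marker extension for this example
NOTE_NAME = "HOW_TO_RESTORE.txt"  # assumed note filename for this example
ENTROPY_THRESHOLD = 7.5           # bits/byte; documents sit well below, ciphertext near 8

# Constructed sample content standing in for a small file share.
SAMPLE_FILES = {
    "finance/q3_forecast.csv": ("account,amount\n" * 400).encode(),
    "hr/handbook.txt": ("Report suspicious email to the SOC.\n" * 200).encode(),
    "eng/notes.md": ("# Sprint notes\n- rotate service creds\n" * 150).encode(),
}


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 counter-mode keystream: deterministic for a key, random-looking."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def transform(data: bytes, key: bytes) -> bytes:
    """XOR with the keystream; the same call both locks and unlocks a file."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def seed(root: Path):
    """Lay down the sample share and a backup copy of it."""
    victim, backup = root / "fileshare", root / "backup"
    for rel, body in SAMPLE_FILES.items():
        path = victim / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
    shutil.copytree(victim, backup)
    return victim, backup


def manifest(directory: Path) -> dict:
    """Relative path -> SHA-256, used to prove a restore is byte-for-byte."""
    return {str(p.relative_to(directory)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(directory.rglob("*")) if p.is_file()}


def simulate_encrypt(target: Path, key: bytes) -> int:
    """Lock every file under target, rename it, drop a note; returns files locked."""
    locked = 0
    for path in [p for p in target.rglob("*") if p.is_file()]:
        if path.name.endswith(SIM_EXT) or path.name == NOTE_NAME:
            continue
        path.with_name(path.name + SIM_EXT).write_bytes(transform(path.read_bytes(), key))
        path.unlink()
        locked += 1
    (target / NOTE_NAME).write_text("Simulation only: files were transformed by the exercise harness.\n")
    return locked


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def detect(directory: Path) -> list:
    """Stand-in for an endpoint/file-server detective control: flag suspicious files."""
    findings = []
    for path in sorted(directory.rglob("*")):
        if not path.is_file():
            continue
        reasons = []
        if path.name.endswith(SIM_EXT):
            reasons.append("unknown extension")
        if path.name == NOTE_NAME:
            reasons.append("ransom-note filename")
        entropy = shannon_entropy(path.read_bytes())
        if entropy > ENTROPY_THRESHOLD:
            reasons.append(f"entropy {entropy:.2f}")
        if reasons:
            findings.append((str(path.relative_to(directory)), reasons))
    return findings


def run_exercise(backup_on_same_share: bool = False) -> dict:
    """Full cycle: seed, lock, detect, check backup, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        victim, backup = seed(root)
        before = manifest(victim)
        # If the backup is reachable from the compromised host, it is in the blast radius.
        target = root if backup_on_same_share else victim
        locked = simulate_encrypt(target, os.urandom(32))
        findings = detect(victim)
        backup_intact = manifest(backup) == before
        shutil.rmtree(victim)
        shutil.copytree(backup, victim)          # the restore procedure under test
        return {"locked": locked, "flagged": len(findings),
                "backup_intact": backup_intact, "restore_ok": manifest(victim) == before}


if __name__ == "__main__":
    print("isolated backup:", run_exercise())
    print("backup on share:", run_exercise(backup_on_same_share=True))
```

The `backup_on_same_share` switch models the failure the paragraph warns about: when the backup sits in the same reachable tree as the production files, the simulation locks it too, `backup_intact` turns false and the restore check fails. In a real exercise, scope the target directory tightly, have a second person watch the run, keep the key where the exercise team can reach it, and point the detection step at EDR or file-server telemetry rather than re-reading the disk as this stand-in does.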
Although it might not seem like it, there is an upside to ransomware. For organizations that want to harden their IT environments and improve their cybersecurity maturity, ransomware provides real data on the cost of leaving infrastructure unsecured. According to Sophos, the average cost of recovering from a ransomware attack at the start of 2021 was $1.85 million, an amount that more than doubled from the year before.
By running a ransomware simulation event, an organization can more accurately estimate the financial impact based on its infrastructure and footprint. Regardless of how it’s derived, this powerful data point can prove the catalyst in convincing management that spending on cybersecurity up front can result in immense savings in the long run.
Understanding the scourge of ransomware provides a multitude of benefits. Figuring out how it can enter a network and infect devices can illuminate where stronger controls need to be implemented. And as counterintuitive as it might seem, emulating a ransomware infection on your network could strengthen incident response and identify gaps. In short, ransomware simulations work.
Finally, the real costs associated with ransomware can drive cybersecurity budgets. Armed with a better understanding of how ransomware strikes and what it costs, a prepared IT stakeholder or cybersecurity professional can use the threat of ransomware to make the case for cybersecurity projects and prevent a digital hostage situation.