Penetration Testing with Metasploit: How it Can Help Ransomware Prevention

March 14, 2021


Ransomware attacks get more complex every year, but defending yourself or your organization doesn’t have to be complicated. Maintaining a regular cybersecurity routine can get you to a high level of security and keep you there. Penetration testing using tools like Metasploit is central to a robust ransomware prevention strategy.

Ransomware attacks increasingly depend on a combination of attack vectors. High-profile attacks may involve social engineering techniques like phishing, along with more traditional hacks like brute force attacks. Many attacks also use software vulnerabilities to gain access to your system. These vulnerabilities are generally flaws in software that allow attackers to inject code into your system and make things work in ways they aren’t supposed to.

Penetration testing is basically a way to find weaknesses in your system so that you can fix them before attackers find them. Penetration testing alone is not enough, of course. It’s a shame to neglect it, however, because it can yield a significant amount of protection for a fairly small investment. 

 

The Importance of Penetration Testing for Ransomware Prevention

Penetration testing (sometimes called pentesting for short) is a method of searching for vulnerabilities in your system. You can think of pentesting as a simulated cyber attack. It’s a way of trying everything that an attacker is likely to try and seeing what works.

Professional football teams do something similar. When they have a game coming up, they will watch videos of the opposing team and analyze their plays. They may even try to simulate these plays in training before the game. This leaves them well prepared to take on the other team on game day. 

Penetration testing is preparation for an attack. It involves looking through the hackers’ playbook and trying everything out to make sure you are ready if you do fall victim to an attack.

What is Metasploit?

Metasploit is a software framework used by both hackers and cybersecurity experts. It consists of a number of modules, each with a unique function. 

The first set of functions deals with reconnaissance. Hackers need information on a system to conduct a major hack, so they use certain tools to search for weaknesses. 

The second set of functions involves exploits. Exploits are ways of gaining unauthorized entry to a system. Usually these target some kind of program or application, whether an operating system, a web application, or something else.

The third set of functions is payloads. Once attackers find a vulnerability, they will attempt to deploy a malicious piece of code or software to gain control over the system. Not every exploit will work with every type of vulnerability, so an attacker may have to try many different exploits once they find a vulnerability. 

Metasploit brings all kinds of tools for all three of these activities into a single framework. This significantly reduces the workload and knowledge necessary for hackers to mount an attack. This makes it a popular tool with many hackers, since it makes it easier for less skilled hackers to successfully break into systems. 

Metasploit originally included only 11 exploits, but that number has expanded to more than 1,500, with new additions all the time. The suite also features 500 different payloads, and has become a go-to tool for both hackers and cybersecurity professionals. 

In our research of threat actors, we have found Metasploit to be one of the most commonly used resources for ransomware attackers. The best way to stop attacks is to understand how the attackers think. This is one reason why we recommend pentesting with Metasploit as a countermeasure for ransomware attacks. 

 

How Metasploit Can Help Ransomware Prevention

The majority of the ransomware cases we deal with involve some form of phishing. Phishing attacks can’t really be prevented by cybersecurity measures; only healthy awareness and best practices for handling communications can do that. However, a significant number of attacks also involve vulnerability exploits. Attackers may also use a combination of these techniques, especially in larger, more complex cases.

For example, one of the most famous and devastating ransomware attacks used an exploit. WannaCry infected over 200,000 computers in 150 countries in 2017, and used EternalBlue, a vulnerability leaked by the NSA. It struck major companies like Deutsche Bahn, FedEx, Renault, and Nissan, and shut down part of the UK’s National Health Service. Experts believe that the total losses caused by the virus could be greater than $4 billion. 

The EternalBlue vulnerability was fairly high profile, but there are hundreds of other vulnerabilities that are less well known. Nonetheless, a surprising number of companies and organizations fail to patch even known vulnerabilities. Believe it or not, one study found that 80% of the vulnerabilities used in hacks in 2020 were known from 2017 or earlier. 

You should conduct a pentest at least once per year. However, it’s still a good idea to keep up to date with new vulnerabilities as they emerge. It may also be a good idea to do a pentest when you make a major change to your network, such as adding new servers or changing operating systems. 

Some strains of ransomware will also search for vulnerabilities to spread through networks. Conducting internal pentesting can reduce the extent of a ransomware attack. This can make a big difference in the size of ransom an attacker is able to demand. It can also limit the amount of data stolen, reducing the damage to your clients and reputation. 

Pentesting Backups

It’s advisable to have a trained cybersecurity professional do your penetration testing for you. Whether you contract an outside service or have your own IT team handle pentesting, it’s best to discuss backups with them. Ransomware attacks can only succeed if you have no backup, or the hackers gain access to your backup. Effective ransomware prevention requires protecting your backups.

Sometimes hackers will observe your network for days or weeks to find and encrypt your backups before making a ransom demand. It’s definitely worth making sure whoever does your pentesting for you pays close attention to your backup security strategy.

Pentesting may seem like a pain or an unwelcome expense, but it is not optional. Thankfully, although Metasploit has made it easier for hackers to commit crimes, it has also made it easier to defend against them.
