Is your organization ready to respond to an actual Ransomware Attack?
RARE (Ransomware Readiness) is a narrowly focused, single-purpose ransomware exercise that allows an institution to simulate a ransomware attack within its network.
RARE identifies vulnerabilities and misconfigurations within the institution’s network with the goal of propagating and executing simulation ransomware on as many in-scope assets as possible. This identifies weaknesses, tests the institution’s response to the attack and ultimately educates against future attacks. RARE can be performed independently or as part of overall Penetration Testing.
The simulation is designed and implemented according to the specifications and objectives of the institution. The systems and workstations that will be part of the simulation are predefined by the institution and the simulation is targeted strictly to those machines. NephōSec will work in collaboration with the institution throughout the entire simulation and afterwards.
Performed as part of Covert Pentest, or independently as an Assumed Breach, RARE:
- Tests the established network sensing and monitoring technologies
- Identifies potential security gaps in the network topography
- Goes beyond a “table-top” exercise and truly prepares the team to respond to an actual Ransomware Attack
- Educates employees on the importance of not getting phished
Ransomware Simulation Testing is structured to be implemented in three stages.
Stage 0 (Styx): NephōSec engineers will attempt to infiltrate the institution’s perimeter firewall to gain a foothold within the network. Once the firewall has been infiltrated, an engineer will identify the systems and workstations that are part of the predefined simulation for approval to move forward to the next stage of the simulation. If a system or workstation is identified that is not part of this predefined population, access is denied, and RARE terminates and deletes itself on that system.
Stage 1 (Broadpacket): Once the predefined systems and workstations are identified, RARE will move laterally within the institution’s network to identify the highest credentialed system within the institution’s network. Once NephōSec has gained access to this main system, it will establish an encrypted communication channel with its command and control and prepare to launch the simulation ransomware.
The process is paused at this point. Stage 2 is a Purple Team event where the Red Team (NephōSec engineers) and the Blue Team (the institution’s Operations team) come together as the ransomware simulation is deployed in a planned, orchestrated event.
Stage 2 (Charon): The simulation ransomware is executed throughout the institution’s network and delivers the readings data to the NephōSec engineers.
RARE Process
Workflow:
- External red team event or internal assessment allows mass-deployment of Stage 0 (Styx)
- Styx submits host data for manual approval by operator
- On denial, Styx begins self-termination and self-deletion
- On approval, Styx stages and executes Stage 1 (Broadpacket)
- Broadpacket establishes underlying encrypted C2 communication channel
- Broadpacket stages and executes simulation ransomware, Stage 2 (Charon)