Cyber Teams
b3rt0ll0, Feb 10, 2025
In December, we launched Operation Tinsel Trace II, a festive-themed cybersecurity challenge designed to test and enhance ransomware readiness.
This initiative brought together security teams and enthusiasts to engage with our latest Sherlocks—hands-on defensive scenarios crafted to simulate real-world cyber incidents. The challenge incorporated a diverse set of technologies, including AI-driven attack simulations, reflecting the evolving complexity of a full ransomware kill chain faced by organizations today.
Through our analysis of 1,465 participants who took on these scenarios, we've identified key trends and areas of improvement that can serve as a benchmark for "ransomware readiness" skills. This short report not only highlights these findings but also offers actionable insights to help security teams strengthen their defensive capabilities against ransomware attacks.
The 2024 Operation Tinsel Trace scenarios though are not going anywhere! They will always be available for business customers on HTB Enterprise Platform and with individual VIP/VIP+ subscriptions on HTB Labs.
Are you ready to discover if the Elite Elven Incident Response Team (EEIRT) managed to save the North Pole’s digital infrastructure from Krampus?
Exclusive and themed series of defensive labs always generate lots of activity in the community! We have seen this with Operation Shield Wall months back, and it has been confirmed with this new ransomware-focused campaign.
A total of 1,465 community members challenged their skills with our latest defensive scenarios. Operation Tinsel Trace II featured six (6) innovative labs of various categories and difficulty, which resulted in different completion rates among scenarios – giving us a couple of interesting patterns to analyze.
Neural Noel is the second most popular scenario based on the number of attempts and completions. This Sherlock featured an AI chatbot combined with unusual file access, strange HTTP traffic, and suspicious requests.
It was also interesting to observe that more than 20% of users got stuck on the first two tasks. There seems to be a lack of foundational knowledge of AI (in addition to packet capture analysis and Wireshark) in cyber attack methodologies, with the general workforce still catching up on emerging tech.
Get the basics right
Explore essential Python libraries like Scikit-learn and PyTorch, understand effective approaches to dataset processing, and become familiar with common evaluation metrics to navigate the entire lifecycle of AI model development and experimentation.
We have scattered around some CVEs across our scenarios – to keep things interesting, and simulate real-world adversarial behaviors. Learning and understanding CVEs in safe environments is a crucial part of proactive security for high-performing cyber teams.
It was great to see that our community members capitalized on the constant CVE practice available on our platform and demonstrated a good grasp of these vulnerabilities, with only 6% of users getting stuck at this point of the investigation. The median resolution time, on the other hand, was one of the highest among all tasks: 179 minutes just to identify the CVE used.
This is an important metric to keep in mind, as increased dwell time after a cyber incident is directly correlated with financial loss. The average downtime a company experiences after a ransomware attack is 21 days.
Stay one step ahead of adversaries
Access and practice with CVE-based labs before others and increase readiness against new vulnerabilities! Quantify risk on your network and align patch schedules within your IT teams.
Our final scenario Sleigh Slayer was completely focused on the aftermath of a successful ransomware attack. The most critical files have been encrypted, and the final objective was to reverse the encryption to finally recover the assets.
The ransomware recovery stage shown in this Sherlock is important for fully understanding the anatomy of these attacks, but in 90% of real-world cases it will not help recover ransomware-encrypted files. The DFIR aspect, however (a full cyber kill chain represented across the entire series), is drawn from real cyber incidents.
This also proved to be the most critical step for users going through the lab. Nearly 20% of players got stuck at this specific step, with a median completion time of 2,932 minutes!
This points towards a lack of understanding of how ransomware encryption works, how to approach the problem of key identification, or the actual tools used to achieve this objective. Identifying encryption keys often involves reverse engineering or forensic analysis, which requires strong problem-solving and analytical skills.
My favorite part of this Sherlock was the data staging part, where players had to find what files were stolen and exfiltrated by attackers. This was because we introduced a lesser-known artifact we encountered during an incident a few months ago, making it difficult to determine the files staged and stolen by the attacker. They ended up collecting the files using the 7ZIP tool itself instead of navigating the filesystem – leaving no trace in traditional artifacts like jumplists or shellbags.
Abdullah Bin Yasin (aka CyberJunkie), Senior Defensive Content Engineer @ Hack The Box
More HTB ransomware content
Access more of our defensive labs (Sherlocks) focusing on ransomware to boost practical skills development, realistic simulations, response readiness, and critical thinking under pressure.
Ransomware attacks are not only one of the most interesting techniques present in the threat landscape, but also one of the most prominent and dangerous for businesses or individuals.
Taking the form of a type of malicious software that encrypts a victim's data to make it inaccessible while the attacker demands a ransom payment to restore access – it often spreads through phishing emails or exploited vulnerabilities, targeting individuals, businesses, and critical infrastructure.
The need from the security workforce to understand and act on ransomware risk is directly connected to its unique combination of technical complexity, psychological manipulation, and financial motives.
Ransomware is a "business model" for cybercriminals. Demanding payment directly from victims, often in cryptocurrency, for decrypting locked files minimizes the time between attack and profit. In June 2023, the Clop ransomware group exploited a zero-day vulnerability in the MOVEit Transfer software (CVE-2023-35708), compromising numerous Fortune 100 companies, with an estimated earning of $75-100 million from the extortion attacks.
After stealing and encrypting data, it’s common practice for adversaries to publish the data (double extortion) or target customers or partners of the victim organization, demanding ransoms from them too (triple extortion). As an example, the British Library suffered a ransomware attack by the Rhysida group, which exfiltrated approximately 600GB of sensitive information. When the ransom was not paid, the attackers released the data publicly, exemplifying double extortion.
Even novice cybercriminals can rent ransomware kits, allowing experienced developers to take a cut of the profits. Several threat groups are actively promoting customizable ransomware, allowing affiliates to tailor attacks to specific victims and lowering the technical barrier for these fraudulent operations.
Ransomware is constantly evolving, adapting methods to bypass security measures, target new vulnerabilities, and even use AI to refine tactics. The BlackCat (ALPHV) group released a variant called "Sphynx," which included updates to increase speed and stealth in such attacks.
When I was coming up in information security, I would commonly hear from people things like "Why is cybersecurity important to me? I'm not important enough to be hacked" – ransomware turns that on its head, as now everyone is valuable up to the point that they are willing to pay, and even if they don't pay, the costs to an organization can be devastating.
David Forsythe (aka 0xdf), Training Lab Architect @ Hack The Box
The ability to scale, adapt, and inflict financial damage makes ransomware a concrete threat for businesses. The damage goes far beyond the ransom itself once we take into consideration ripple effects such as extensive downtime, regulatory fines, and loss of trust and reputation from clients, customers, or partners.
By collecting all insights above (even if they might look scary) we can still create a recipe for success that individuals and businesses can follow in their practice. In the following paragraph, we will see how Hack The Box can be used to stay ahead of emerging threats and adversary techniques.
You will quickly see that the common denominators are collaboration and proactivity. Our platform is designed to operationalize threat intelligence and foster purple team operations in simple steps.
By consulting public databases like MITRE ATT&CK or other open source projects, you will be able to identify what exact tools, processes, and techniques are used by each ransomware group.
You can now map related Hack The Box content to these patterns and techniques. By picking Academy Modules, Machines (offensive scenarios), or Sherlocks (defensive scenarios) that cover these training areas, you will be able to create realistic and accurate exercises.
We have recently covered the Snowflake Breach by following this exact methodology. After gaining access to customer Snowflake instances, ShinyHunters used both custom tools and DBeaver Ultimate (a database management tool) to perform:
Reconnaissance on these environments (MITRE ATT&CK T1580).
Enumeration and exfiltration of data of particular interest and value using the GET command (MITRE ATT&CK T1567).
Data compression using GZIP before exfiltration, creating temporary stages within Snowflake (MITRE ATT&CK T1560.001).
Exfiltration of high-value data, demanding ransoms in exchange for deleting the stolen data (MITRE ATT&CK T1657).
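The mapping step described above, carried through as an added example (not Hack The Box code): the four ATT&CK technique IDs are the ones the post attributes to the Snowflake breach, while the training catalogue and its item names are constructed placeholders standing in for Academy Modules, Machines and Sherlocks. The report shows which observed techniques are already exercised by available content and which remain gaps to fill; a catalogue item tagged with a parent technique (e.g. T1560) is treated as covering an observed sub-technique (T1560.001).

```python
"""Map techniques observed in an adversary analysis to a training catalogue.

Added example, not Hack The Box code. Technique IDs come from the post's
Snowflake breach write-up; the catalogue below is constructed and hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TrainingItem:
    name: str              # hypothetical item name
    kind: str              # "Academy Module", "Machine" or "Sherlock"
    techniques: frozenset  # ATT&CK IDs the item exercises


# Techniques the post attributes to ShinyHunters (MITRE ATT&CK names).
OBSERVED_TECHNIQUES = {
    "T1580": "Cloud Infrastructure Discovery",
    "T1567": "Exfiltration Over Web Service",
    "T1560.001": "Archive via Utility",
    "T1657": "Financial Theft",
}

# Constructed catalogue: names and tags are placeholders, not real HTB content.
CATALOGUE = [
    TrainingItem("Cloud Recon Basics", "Academy Module", frozenset({"T1580"})),
    TrainingItem("Staged Exfil", "Sherlock", frozenset({"T1560", "T1567"})),
]


def parent_technique(tid):
    """Strip a sub-technique suffix: 'T1560.001' -> 'T1560'; parents unchanged."""
    return tid.split(".")[0]


def coverage_report(observed, catalogue):
    """Return (covered, gaps).

    covered maps each observed technique ID to the catalogue item names that
    exercise it, either by exact ID or by its parent technique; gaps is the
    sorted list of observed IDs no catalogue item addresses.
    """
    covered = {}
    gaps = []
    for tid in sorted(observed):
        hits = [
            item.name for item in catalogue
            if tid in item.techniques or parent_technique(tid) in item.techniques
        ]
        if hits:
            covered[tid] = hits
        else:
            gaps.append(tid)
    return covered, gaps


def print_report(observed, catalogue):
    """Human-readable summary for a threat-informed training plan."""
    covered, gaps = coverage_report(observed, catalogue)
    for tid, names in covered.items():
        print(f"{tid} ({observed[tid]}): covered by {', '.join(names)}")
    for tid in gaps:
        print(f"{tid} ({observed[tid]}): GAP - no content selected yet")


if __name__ == "__main__":
    print_report(OBSERVED_TECHNIQUES, CATALOGUE)
```

Swapping the constructed catalogue for a real export of the content you have tagged with ATT&CK IDs turns the gap list into the shopping list for the next exercise.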
ShinyHunters are primarily motivated by financial gain. One high-profile victim was AT&T, who paid $370,000 of a $1 million ransom in exchange for a video of the attackers deleting call metadata for approximately 110 million AT&T customers.
Turn threat intelligence into action with HTB
Business customers have access to exclusive platform features that facilitate curriculum management and the learning experience. You can search courses using MITRE terminology, covering the requirements identified during the adversary analysis.
The Operation Tinsel Trace II series is a great example of defensive content offering that can be found on Hack The Box. In addition, teams and individuals can access a comprehensive solution designed to empower defensive security skills – from guided learning to gamified team assessments, all mapped to NIST framework and KSATs.
The HTB Certified Defensive Security Analyst (CDSA) includes 15 threat-connected courses on how to identify incidents from multiple detection perspectives, effectively perform security analysis tasks, and create meaningful reports.
Sherlocks are hands-on investigation labs that simulate real-world cybersecurity incidents and improve the capability to prioritize and analyze attack logs.
Our CTF Marketplace allows teams to select pre-made Challenge packs and deploy a gamified team assessment in less than 10 minutes to demonstrate their ability to mitigate advanced threats in a timely, effective manner.
With the global ransomware damage costs predicted to exceed $265 billion by 2031 (Source: Cybercrime Magazine), unskilled teams pose a real risk to the security of your business. This is why cybersecurity performance programs and continuous improvement are no longer a nice-to-have, but a necessity.
Risk mitigation: Timely content offers training on the latest CVEs in real-world environments, reducing risk and exposure to these vulnerabilities.
Employee retention: Cybersecurity teams that are offered upskilling opportunities are far more engaged and less likely to burn out.
Performance benchmarking: Conduct CTFs and gap analysis to identify weaknesses in your security posture.
Tailored training to industry standards: HTB content is mapped to MITRE ATT&CK and NIST NICE frameworks so you can assess your cyber preparedness in different areas.