Cyber Teams
b3rt0ll0, Feb 10, 2025
In December, we launched Operation Tinsel Trace II.
This initiative brought together security teams and enthusiasts to engage with our latest Sherlocks—hands-on defensive scenarios crafted to simulate real-world cyber incidents. The challenge incorporated a diverse set of technologies, including AI-driven attack simulations, reflecting the evolving complexity of a full ransomware kill chain faced by organizations today.
Through our analysis of 1,465 participants who took on these scenarios, we've identified key trends and areas of improvement that can serve as a benchmark for "ransomware readiness" skills. This short report not only highlights these findings but also offers actionable insights to help security teams strengthen their defensive capabilities against ransomware attacks.
The 2024 Operation Tinsel Trace scenarios, though, are not going anywhere! They will always be available for business customers on the HTB Enterprise Platform.
Are you ready to discover if the Elite Elven Incident Response Team (EEIRT) managed to save the North Pole’s digital infrastructure from Krampus?
Exclusive, themed series of defensive labs always generate lots of activity in the community! We saw this with Operation Shield Wall.
A total of 1,465 community members challenged their skills with our latest defensive scenarios. Operation Tinsel Trace II featured six innovative labs of various categories and difficulty levels, which resulted in different completion rates among scenarios, giving us a couple of interesting patterns to analyze.
Neural Noel
It was also interesting to observe that more than 20% of users got stuck on the first two tasks. There seems to be a lack of foundational knowledge of AI.
Get the basics right
Explore essential Python libraries like Scikit-learn and PyTorch, understand effective approaches to dataset processing, and become familiar with common evaluation metrics to navigate the entire lifecycle of AI model development and experimentation.
We have scattered some CVEs across our scenarios to keep things interesting and to simulate real-world adversary behavior. Learning and understanding CVEs
It was great to see that our community members capitalized on the constant CVE practice available on our platform and demonstrated a good grasp of these vulnerabilities, with only 6% of users getting stuck at this point of the investigation. The median resolution time, on the other hand, was one of the highest among all tasks: 179 minutes just to identify the CVE used.
This is an important metric to keep in mind, as longer dwell time after a cyber incident correlates directly with financial loss. The average downtime a company experiences after a ransomware attack is 21 days.
Stay one step ahead of adversaries
Access and practice with CVE-based labs early and increase readiness against new vulnerabilities! Quantify risk on your network and align patch schedules with your IT teams.
Our final scenario: Sleigh Slayer
The ransomware recovery stage shown in this Sherlock is important to fully understand the anatomy of these attacks, but in 90% of real-world cases it will not help recover ransomware-encrypted files. The DFIR aspect, however (a full cyber kill chain represented across the entire series), is drawn from real cyber incidents.
This also proved to be the most critical step for users going through the lab. Nearly 20% of players got stuck at this specific step, with a median completion time of 2,932 minutes!
This points towards a lack of understanding of how ransomware encryption works, how to approach the problem of key identification, and which tools are actually used to achieve this objective. Identifying encryption keys often involves reverse engineering or forensic analysis, which requires strong problem-solving and analytical skills.
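The key identification problem described above, as an added example that is not part of the original report or of any Hack The Box lab. It models the per-file key scheme common in ransomware (a random key per file, the nonce stored in clear in the file header, the key living briefly in process memory) and then recovers the key from a constructed process dump in two steps: an entropy scan to find key-sized random-looking regions, and a known-plaintext check against the file's magic bytes to tell the real key apart from ciphertext, other secrets and decoys. The cipher is a stand-in: CTR mode over HMAC-SHA256 instead of the AES-CTR or ChaCha20 real families use, chosen so the script runs on the Python standard library alone. The key length, header layout, memory image and victim PDF are all assumptions made here.

```python
"""Recovering a ransomware file key from a process memory image.

Added example, not Hack The Box code. The cipher is a stand-in: CTR mode over
HMAC-SHA256 instead of the AES-CTR / ChaCha20 most families use, so it runs on
the standard library alone; the per-file key, nonce-in-header layout, memory
image and "victim" PDF are all constructed here."""
import hashlib
import hmac
import math
from collections import Counter

KEY_LEN = 32     # assumed 256-bit per-file key
NONCE_LEN = 16   # assumed: nonce stored in clear at the start of each encrypted file


def keystream_xor(key, nonce, data):
    """CTR keystream: block i = HMAC-SHA256(key, nonce || i). XOR both encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_file(key, nonce, plaintext):
    """Ransomware-style container: nonce in clear, then the encrypted body."""
    return nonce + keystream_xor(key, nonce, plaintext)


def shannon_entropy(buf):
    """Bits per byte of a window; 32 bytes of key material score close to 5.0, text and zero pages far lower."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def candidate_keys(memory, threshold=4.3):
    """Slide a KEY_LEN window over the dump and yield (offset, bytes) for high-entropy regions."""
    for off in range(len(memory) - KEY_LEN + 1):
        window = memory[off:off + KEY_LEN]
        if shannon_entropy(window) >= threshold:
            yield off, window


def recover_key(memory, encrypted_file, magic):
    """Known-plaintext check: only the real key turns the first bytes back into the file signature.
    Returns (offset, key) or None. Entropy alone is not enough: ciphertext and other secrets in
    the dump look just as random, so every candidate is validated against the expected header."""
    nonce, body = encrypted_file[:NONCE_LEN], encrypted_file[NONCE_LEN:]
    for off, cand in candidate_keys(memory):
        if keystream_xor(cand, nonce, body[:len(magic)]) == magic:
            return off, cand
    return None


def build_scenario():
    """Constructed victim file and process dump. Everything here is made up for the example."""
    key = hashlib.sha256(b"constructed per-file key").digest()
    nonce = hashlib.sha256(b"constructed nonce").digest()[:NONCE_LEN]
    plaintext = b"%PDF-1.7\n% constructed invoice contents, not a real document\n" * 4
    encrypted = encrypt_file(key, nonce, plaintext)
    decoy = hashlib.sha256(b"unrelated high-entropy blob").digest()  # passes entropy, fails validation
    memory = (b"\x00" * 1024
              + b"YOUR FILES HAVE BEEN ENCRYPTED. Read README.txt for instructions.\x00"
              + b"\x00" * 512 + decoy + b"\x00" * 300
              + b"C:\\Users\\victim\\Documents\\invoice.pdf\x00"
              + key + b"\x00" * 1024)
    return memory, encrypted, plaintext, key, memory.index(key), nonce


if __name__ == "__main__":
    memory, encrypted, plaintext, key, key_offset, nonce = build_scenario()
    found = recover_key(memory, encrypted, b"%PDF-")
    if found is None:
        print("no key recovered")
    else:
        off, k = found
        print(f"key recovered at offset {off:#x} (embedded at {key_offset:#x})")
        print(keystream_xor(k, nonce, encrypted[NONCE_LEN:])[:40])
```

The two-stage approach is the point: an entropy scan over a real dump returns hundreds of candidates (ciphertext buffers, TLS keys, compressed data), and it is the known-plaintext validation against a file whose first bytes are predictable (PDF, PNG, Office ZIP headers) that picks out the right one. Against real samples the stand-in cipher is replaced by the family's actual algorithm and the header layout comes from reverse engineering the binary.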
My favorite part of this Sherlock was the data staging part, where players had to find what files were stolen and exfiltrated by attackers. This was because we introduced a lesser-known artifact we encountered during an incident a few months ago, making it difficult to determine the files staged and stolen by the attacker. The attacker ended up collecting the files using the 7ZIP tool itself instead of navigating the filesystem, leaving no trace in traditional artifacts like jumplists or shellbags.
Abdullah Bin Yasin (aka CyberJunkie), Senior Defensive Content Engineer @ Hack The Box
More HTB ransomware content
Access more of our defensive labs (Sherlocks) focusing on ransomware to boost practical skills development, realistic simulations, response readiness, and critical thinking under pressure.
Ransomware attacks are not only one of the most interesting techniques present in the threat landscape, but also one of the most prominent and dangerous for businesses and individuals.
Ransomware is malicious software that encrypts a victim's data to make it inaccessible while the attacker demands a ransom payment to restore access. It often spreads through phishing emails or exploited vulnerabilities, targeting individuals, businesses, and critical infrastructure.
The security workforce's need to understand and act on ransomware risk comes from its unique combination of technical complexity, psychological manipulation, and financial motives.
Ransomware is a "business model" for cybercriminals. Demanding payment directly from victims, often in cryptocurrency, to decrypt locked files minimizes the time between attack and profit. In June 2023, the Clop ransomware group exploited a zero-day vulnerability in the MOVEit Transfer software.
After stealing and encrypting data, it is common practice for adversaries to publish the data (double extortion) or to target customers or partners of the victim organization, demanding ransoms from them too (triple extortion). As an example, the British Library suffered a ransomware attack by the Rhysida group.
Even novice cybercriminals can rent ransomware-as-a-service kits, with the experienced developers behind them taking a cut of the profits. Several threat groups are actively promoting customizable ransomware.
Ransomware is constantly evolving, adapting its methods to bypass security measures, target new vulnerabilities, and even use AI to refine tactics. The BlackCat (ALPHV) group released a variant called "Sphynx".
When I was coming up in information security, I would commonly hear from people things like "Why is cybersecurity important to me? I'm not important enough to be hacked" – ransomware turns that on its head, as now everyone is valuable up to the point that they are willing to pay, and even if they don't pay, the costs to an organization can be devastating.
David Forsythe (aka 0xdf), Training Lab Architect @ Hack The Box
The ability to scale, adapt, and inflict financial damage makes ransomware a concrete threat for businesses. That damage goes far beyond the ransom itself once we take into consideration ripple effects such as extensive downtime, regulatory fines, and loss of trust and reputation among clients, customers, or partners.
By collecting all the insights above (even if they might look scary) we can still create a recipe for success that individuals and businesses can follow in their practice. In the following paragraphs, we will see how Hack The Box can be used to stay ahead of emerging threats and adversary techniques.
You will quickly see that the common denominators are collaboration and proactivity. Our platform is designed to operationalize threat intelligence.
By consulting public databases like MITRE ATT&CK, you can identify the patterns and techniques a given adversary is known to use.
You can then map related Hack The Box content to those patterns and techniques. By picking Academy Modules, Machines (offensive scenarios), or Sherlocks (defensive scenarios) that cover these training areas, you will be able to create realistic and accurate exercises.
We have recently covered the Snowflake breach. The adversary activity observed in that campaign included:
Reconnaissance on these environments (MITRE ATT&CK T1580).
Enumeration and exfiltration of data of particular interest and value using the GET command (MITRE ATT&CK T1567).
Data compression using GZIP before exfiltration, creating temporary stages within Snowflake (MITRE ATT&CK T1560.001).
Exfiltration of high-value data, demanding ransoms in exchange for deleting the stolen data (MITRE ATT&CK T1657).
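The discovery, stage-and-compress, and GET steps listed above are visible in Snowflake's query history, which makes them a natural detection. The following is an added example, not Hack The Box content and not a published Snowflake detection: it runs over constructed rows whose fields are named after columns of the ACCOUNT_USAGE.QUERY_HISTORY view (SESSION_ID, USER_NAME, START_TIME, QUERY_TEXT), groups queries by session, and flags any session that writes a GZIP-compressed COPY INTO a stage and later pulls that stage down with GET, tagging each observed step with the ATT&CK technique cited above. The sample queries, user names and stage names are made up; the SQL syntax (SHOW TABLES, CREATE TEMPORARY STAGE, COPY INTO @stage with COMPRESSION = GZIP, GET @stage file://) is standard Snowflake.

```python
"""Detecting a stage-compress-GET exfiltration chain in Snowflake query history.

Added example, not Hack The Box code. The rows below are constructed; their
fields are named after columns of Snowflake's ACCOUNT_USAGE.QUERY_HISTORY view
(SESSION_ID, USER_NAME, START_TIME, QUERY_TEXT), and the technique IDs are the
ones cited in the text. A real detection would read the view itself and tune
on the account's normal use of stages."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: session 1 enumerates tables, compresses a customer table into
# a temporary stage and pulls it down with GET; session 2 is an ordinary analyst query.
QUERY_HISTORY = [
    {"session_id": 1, "user_name": "svc_etl", "start_time": "2024-05-20T02:11:00",
     "query_text": "SHOW TABLES IN DATABASE PROD"},
    {"session_id": 1, "user_name": "svc_etl", "start_time": "2024-05-20T02:11:30",
     "query_text": "SELECT table_name, row_count FROM PROD.INFORMATION_SCHEMA.TABLES"},
    {"session_id": 1, "user_name": "svc_etl", "start_time": "2024-05-20T02:12:00",
     "query_text": "CREATE TEMPORARY STAGE PROD.PUBLIC.TMP_S1"},
    {"session_id": 1, "user_name": "svc_etl", "start_time": "2024-05-20T02:12:10",
     "query_text": ("COPY INTO @PROD.PUBLIC.TMP_S1/out/ FROM (SELECT * FROM PROD.CRM.CUSTOMERS) "
                    "FILE_FORMAT = (TYPE = CSV COMPRESSION = GZIP)")},
    {"session_id": 1, "user_name": "svc_etl", "start_time": "2024-05-20T02:13:00",
     "query_text": "GET @PROD.PUBLIC.TMP_S1/out/ file:///tmp/dump/"},
    {"session_id": 2, "user_name": "analyst", "start_time": "2024-05-20T09:05:00",
     "query_text": "SELECT COUNT(*) FROM PROD.CRM.CUSTOMERS WHERE region = 'EU'"},
]

# One pattern per step of the chain, each tagged with the ATT&CK technique it evidences.
STAGE_PATTERNS = {
    "discovery": (re.compile(r"\bSHOW\s+TABLES\b|INFORMATION_SCHEMA\.TABLES\b", re.I), "T1580"),
    "archive":   (re.compile(r"\bCOPY\s+INTO\s+@.*COMPRESSION\s*=\s*GZIP", re.I | re.S), "T1560.001"),
    "exfil":     (re.compile(r"^\s*GET\s+@\S+\s+file://", re.I), "T1567"),
}
COPY_STAGE = re.compile(r"\bCOPY\s+INTO\s+@([\w.]+)", re.I)   # stage name written by COPY INTO
GET_STAGE = re.compile(r"^\s*GET\s+@([\w.]+)", re.I)          # stage name read by GET


def find_staging_chains(rows):
    """Group queries by session, order them in time, and flag sessions where data was
    compressed into a stage and later fetched with GET. Returns one finding per session
    with the techniques seen and the stage names that link the COPY INTO to the GET."""
    by_session = defaultdict(list)
    for row in rows:
        by_session[row["session_id"]].append(row)

    findings = []
    for sid, queries in by_session.items():
        queries.sort(key=lambda r: datetime.fromisoformat(r["start_time"]))
        seen = defaultdict(list)           # step name -> indexes of matching queries
        copied, fetched = set(), set()     # stage names written to / read from
        for idx, q in enumerate(queries):
            text = q["query_text"]
            for step, (pattern, _) in STAGE_PATTERNS.items():
                if pattern.search(text):
                    seen[step].append(idx)
            copied.update(m.upper() for m in COPY_STAGE.findall(text))
            fetched.update(m.upper() for m in GET_STAGE.findall(text))
        # Core signal: an archive step followed by an exfil step within the same session.
        if "archive" in seen and "exfil" in seen and seen["archive"][0] < seen["exfil"][-1]:
            findings.append({
                "session_id": sid,
                "user_name": queries[0]["user_name"],
                "techniques": [STAGE_PATTERNS[s][1] for s in ("discovery", "archive", "exfil") if s in seen],
                "linked_stages": sorted(copied & fetched),
            })
    return findings


if __name__ == "__main__":
    for finding in find_staging_chains(QUERY_HISTORY):
        print(finding)
```

The ordering check matters: COPY INTO a stage followed by GET from the same stage in one session is the behaviour described above, whereas the reverse order (a PUT/GET upload workflow) is routine for ETL accounts. Tuning for a real account means allow-listing the service users and stages that legitimately do this and alerting on the rest, especially when it is preceded by INFORMATION_SCHEMA enumeration from an unfamiliar client.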
ShinyHunters are primarily motivated by financial gain. One high-profile victim was AT&T, who paid $370,000 of a $1 million ransom in exchange for a video of the attackers deleting call metadata for approximately 110 million AT&T customers.
Turn threat intelligence into action with HTB
Business customers have access to exclusive platform features that facilitate curriculum management and the learning experience. You can search courses using MITRE terminology, covering the requirements identified during the adversary analysis.
The Operation Tinsel Trace II series is a great example of the defensive content that can be found on Hack The Box. In addition, teams and individuals can access a comprehensive solution designed to empower defensive security skills, from guided learning to gamified team assessments, all mapped to the NIST NICE framework and its KSATs.
The HTB Certified Defensive Security Analyst
Sherlocks are hands-on investigation labs.
Our CTF Marketplace
With global ransomware damage costs predicted to exceed $265 billion by 2031, investing in defensive training pays off in several ways:
Risk mitigation: Timely content offers training on the latest CVEs in real-world environments, reducing risk and exposure to these vulnerabilities.
Employee retention: Cybersecurity teams that are offered upskilling opportunities are far more engaged and less likely to burn out.
Performance benchmarking: Conduct CTFs and gap analysis to identify weaknesses in your security posture.
Tailored training to industry standards: HTB content is mapped to MITRE ATT&CK and NIST NICE frameworks so you can assess your cyber preparedness in different areas.