DEV Community

Cover image for Can a Penetration Test Prevent Ransomware? What Most Companies Miss
Jason
Jason

Posted on • Originally published at artificesecurity.com

Can a Penetration Test Prevent Ransomware? What Most Companies Miss

#cybersecurity #infosec #discuss #security

TL;DR:
Yes, a penetration test can help prevent ransomware. Not by blocking it directly, but by identifying the same weaknesses attackers use to gain access. These can be things like weak service account passwords, lack of MFA, poor internal segmentation, and exposed attack paths like Kerberoasting. In this post, I’ll break down how a real ransomware attack unfolded and show how a manual penetration test would have stopped it before it spread.

Ransomware attacks keep making headlines, but most don’t rely on advanced exploits or nation-state-level tools. They often start with simple issues like a weak password, an unprotected VPN, or an overlooked service account. This post answers a critical question many companies are asking: can a penetration test prevent ransomware before it happens? The answer is yes, if it’s done right.

Flowchart showing the stages of a ransomware attack: VPN access, Kerberoasting, cracked service account, Domain Admin access, and final ransomware deployment.

How Do Ransomware Attacks Usually Start?

Most ransomware attacks don’t begin with some elite-level hack. They start with something simple: a weak password, a misconfigured VPN, or credentials stolen from a past breach. In this real-world case, the attacker gained access through a VPN gateway that didn’t require multi-factor authentication. It was a backup system at a disaster recovery site, overlooked during configuration. That single gap gave them an initial foothold.

Once inside, the attackers spent the next week moving laterally across multiple Windows systems using PsExec, a legitimate remote admin tool already in use by the company. There were no advanced exploits here. They simply used what was already available in the environment.

After about ten days, they pivoted to a Windows server and quietly loaded a tool called Rubeus through PowerShell. With it, they launched an attack called Kerberoasting, which let them request encrypted service account credentials from Active Directory. One of the cracked accounts, “admin1,” turned out to be a Domain Admin.

From there, things escalated quickly. The attackers dumped the NTDS.dit file, which holds every password in the domain, and exfiltrated over 100GB of data using WinSCP. Finally, they deployed ransomware across the network using PsExec and WMIC, copying the payload to hundreds of systems from a VirtualBox VM they spun up just for the job.

This entire compromise could have been prevented if the right security controls had been tested ahead of time. That is exactly where a real penetration test becomes critical.

Most ransomware breaches do not use advanced exploits. They rely on overlooked basics.

What Is Kerberoasting and Why Should You Care?

Kerberoasting is a technique attackers use to extract encrypted passwords for service accounts in Active Directory. What makes it especially dangerous is that it requires no elevated privileges. As long as an attacker has any valid domain user account, even one with no special access, they can run this attack and try to crack the passwords offline.

A service account is a user account used by automated tasks or services like SQL Server, backup software, or internal apps. These accounts are often overlooked in routine password audits and may have broad access across the environment. Because they are tied to SPNs (Service Principal Names), they can be identified and targeted using built-in domain queries.

Here’s how Kerberoasting works:

  1. The attacker logs in using a basic domain user account.
  2. They scan the domain for accounts with SPNs. In most environments, these are service accounts.
  3. Active Directory returns encrypted service tickets (TGS tickets) for those accounts by default.
  4. The attacker saves those tickets and attempts to crack them offline using tools like Hashcat or John the Ripper.
  5. If the service account password is weak or uses outdated encryption like RC4, cracking it can be fast and reliable.

Infographic illustrating the Kerberoasting attack process, showing a domain user requesting an SPN, receiving a TGS ticket, and performing offline cracking to extract service account credentials.

In this case, the attackers succeeded because the password for the service account they targeted was weaker than it should have been. Once they cracked it, they gained Domain Admin access and took full control of the environment.

During a penetration test, this is one of the exact techniques we use to simulate real-world attacks. While ransomware operators often use tools like Rubeus inside a Windows environment, we typically use GetUserSPNs.py from the Impacket toolkit on Kali Linux to do the same thing. Both approaches allow us to find service accounts vulnerable to Kerberoasting and provide clear guidance to fix the issue before an attacker can exploit it.

This is a practical attack method used by both real threat actors and ethical hackers. It is one of many reasons why a penetration test can prevent ransomware by exposing overlooked internal weaknesses that attackers often rely on.

What Happens If a Service Account Gets Compromised?

When attackers crack a service account password, the real danger begins. Even if that account is not a Domain Admin, it might still have local administrator rights on multiple systems. That means the attacker can start moving laterally across the network, hopping from one machine to another, looking for more credentials, access, and opportunity.

Lateral movement is the process of using one compromised system to access another. You can think of it like someone finding a key to one office in a building, and then discovering that key opens ten more. Each time they open a new door, they gain more visibility and more tools to work with.

This is often all it takes to get Domain Admin access. Once the attacker lands on a system where a Domain Admin account has logged in recently, they can use tools like Mimikatz or LSASS dumpers to extract credentials directly from memory. From there, full control of the environment is usually only a step or two away.

In the case we’re describing, one cracked service account led directly to a Domain Admin. But even if it hadn’t, the attacker could have still pivoted through the network, escalating slowly until they reached the same goal.

A good penetration test will simulate this exact process. After identifying vulnerable service accounts, we check whether they can be used to access other systems and gain additional privileges. If we can move laterally using a cracked service account, we flag it immediately and provide guidance to fix it. This is another clear way a penetration test can prevent ransomware, by identifying the internal escalation paths that most companies never realize exist.

Can a Penetration Test Help Prevent Ransomware?

Yes. A well-executed penetration test can absolutely help prevent ransomware. It does this by simulating the same steps an attacker would take after gaining initial access. Instead of waiting for someone with malicious intent to find the gaps, a manual penetration test exposes those weaknesses first, with clear steps on how to fix them.

In the attack we’ve been walking through, the threat actors got in using a basic VPN login, escalated privileges using Kerberoasting, and then moved laterally across the environment until they had full control. These steps are not unique to ransomware gangs. They are common tactics used in everyday penetration tests.

Here’s how a good internal pentest works in a similar scenario:

  • We start with no access, user-level access, or simulate it.
  • We attempt to identify service accounts using tools like GetUserSPNs.py.
  • We try to extract and crack Kerberos tickets offline.
  • If successful, we test whether that account gives us admin access to other systems.
  • We follow the same logic an attacker would: try to harvest credentials, pivot, and escalate.

The difference is that we stop there. Instead of launching ransomware or stealing data, we deliver a report that tells you exactly what happened, how far we got, and how to stop it from ever happening in the real world.

This kind of test goes far beyond what a vulnerability scanner would catch. A scanner might tell you that SMB signing is disabled, or that a patch is missing. But a manual pentest tells you what an attacker could actually do with that information.

If your goal is to prevent ransomware from locking down your environment, then simulating the attacker’s path is the only reliable way to see where your defenses fall short. That’s why a penetration test can prevent ransomware, not by guessing, but by proving what needs to be fixed before someone malicious finds it.

What’s the Difference Between a Vulnerability Scan and a Penetration Test?

A vulnerability scan checks your systems for known issues like missing patches, outdated software, or open ports. It compares your environment against a list of known vulnerabilities and reports what it finds. That’s useful, but it only tells you what is exposed — not what can actually be exploited.

A penetration test takes it further. Instead of listing vulnerabilities, it simulates what a real attacker would do with them. It shows how someone could chain small issues together, escalate privileges, move across the network, and reach critical assets. That is a big difference.

For example, a scanner might tell you that SMB signing is not enforced. A penetration test will show you that an attacker can use that gap to run NTLM relay attacks or impersonate users. A scanner might note that a service account password is old. A tester will show you that it can be cracked and used to access dozens of systems.

Another key difference is how each approach deals with context. Vulnerability scanners see every issue in isolation. Pentesters see the relationships between them. They find paths an attacker would actually follow, not just items on a checklist.

This is why there is no such thing as an “automated penetration test.” Tools like Nessus or OpenVAS are scanners. They are helpful for hygiene but not for security validation. If a company tells you they provide automated pentesting, what they’re really offering is a scan with a marketing wrapper.

If you want more insight into the difference, check out our guide: Penetration Testing Firms: 10 Red Flags Every Business Should Know. It breaks down what real testing looks like, and how to avoid paying for a report that doesn’t actually help.

A scanner might give you a list. A manual penetration test gives you proof, context, and clear guidance to reduce risk. That is exactly what you need if you want to prevent ransomware and stop attackers before they get inside.

How Would You Know If Your Network Was at Risk?

Most companies think they’re doing fine until something breaks. But in many environments, attackers are able to move freely not because the network is wide open, but because the right tests were never done to expose what’s quietly misconfigured or forgotten.

If you haven’t tested your internal network with a manual penetration test, the truth is that you likely don’t know how exposed you are. Most environments don’t generate alerts when Kerberoasting happens. Many still allow VPN access without enforcing multi-factor authentication. And far too many service accounts have not had their passwords changed in years.

Here are a few examples of the kinds of findings that might show up in a strong internal pentest report. The image below is a sample excerpt from a real-world report format showing a variety of risks.

Sample penetration test findings table showing assessment issues such as weak passwords, insecure configurations, and risk levels ranging from low to critical.

These are not rare. We see them constantly, even in organizations with decent external security posture. And attackers know that once they are inside, these gaps often go unnoticed.

A real internal pentest checks for exactly these risks. We look at account hygiene, privilege assignments, network structure, and monitoring. More importantly, we don’t just check for these issues, we attempt to use them the same way an attacker would. If we can compromise a service account or move laterally to a domain controller, you’ll know about it in the report.

Knowing your risk means not guessing. It means validating your controls from the inside, just like ransomware groups do. That is what a proper penetration test provides.

What Would a Good Pentest Report Actually Show You?

A good penetration test report does more than list problems. It tells a story. It shows how a real attacker could move through your environment, where they would start, what they would find, and how far they could go.

This kind of report is built on real attack paths, not guesses or theoretical issues. If we find a service account that can be Kerberoasted and cracked, we document it. If that cracked account gives us local admin rights on multiple machines, we show how that access can be used to pivot deeper into the network.

Here are a few examples of the kinds of findings that might show up in a strong internal pentest report:

  • A weak service account password that allowed offline cracking in under 12 hours
  • A VPN portal without multi-factor authentication that accepted simple credentials
  • A lack of alerting on lateral movement, such as PsExec or remote desktop activity across high-value systems

But the value is not just in identifying problems. The report should tell you exactly what to do next. That includes:

  • Which accounts to rotate or decommission
  • How to enforce stronger encryption and password policies
  • Where to improve segmentation or privilege boundaries
  • What types of monitoring and logging to enable or tighten

Findings are prioritized by risk and ease of exploitation. You’ll know what needs to be fixed right away versus what can be scheduled for future hardening.

This is how you translate security testing into meaningful outcomes. You’re not just checking a box. You’re giving your team a focused list of actions that directly reduce the risk of a ransomware event. A good pentest report does not just diagnose the issues, it gives you a plan to protect the business.

Can a Pentest Really Stop a Breach from Happening?

A penetration test cannot guarantee you will never be breached. But it can stop most attacks before they start, especially the ones that rely on common missteps like weak passwords, poor segmentation, or unmonitored lateral movement.

Most ransomware cases do not involve advanced exploits. They succeed because nobody was looking internally. A good pentest fixes that. It simulates the attacker’s perspective inside your environment and shows you what would happen if someone got in.

When we run a manual internal pentest, we simulate the exact steps a ransomware operator would take. We look for vulnerable service accounts, test privilege escalation paths, attempt Kerberoasting, and try to move laterally. Each step tests whether real-world attack paths like Kerberoasting or lateral movement are possible in your network right now.

If we can find it, so can they. The difference is that we give you a chance to fix it first.

That is the point of a good penetration test. It is not just about finding flaws. It is about showing how to prevent those flaws from becoming the reason your business ends up in the news.

Don’t Wait for a Breach to Learn Where You're Exposed

If attackers can get Domain Admin starting from a low-privilege account and a service ticket, the real question is: have you tested whether they could do it in your environment?

At Artifice Security, we simulate real ransomware attack paths from Kerberoasting and lateral movement to privilege escalation and exfiltration. We test safely, manually, and give you clear steps to fix what matters before it’s exploited.

If you're relying on scans, you're not testing the same way attackers operate.

Let’s find the gaps before someone else does.

📧 contact@artificesecurity.com
📞 720-515-1337
🔗 artificesecurity.com

About the Author

Written by Jason Zaffuto, Founder of Artifice Security
Jason is a veteran penetration tester with over 25 years of experience in IT, electronics, and offensive security. He served in the U.S. Army as a Military Intelligence Systems Maintainer and later worked in red team operations for both the military and private sector. He holds several degrees in electronics and Cybersecurity and has led engagements for Fortune 500s, critical infrastructure, and government agencies. Today, he leads Artifice Security, helping clients identify and fix the exact weaknesses ransomware attackers exploit.

FAQ

Can a penetration test prevent ransomware?
Yes. A penetration test can help prevent ransomware by identifying and simulating the same internal weaknesses that attackers rely on. That includes weak service account passwords, poor network segmentation, and missing multi-factor authentication. A good pentest reveals these issues before someone else uses them against you.

What is Kerberoasting in Active Directory?
Kerberoasting is a technique where an attacker with a valid domain user account requests encrypted service tickets from Active Directory. These tickets can be cracked offline to recover service account passwords. If those accounts have high privileges, the attacker can escalate access quickly.

Are vulnerability scans the same as penetration tests?
No. Vulnerability scans identify known issues using automated tools. A penetration test uses human logic to chain misconfigurations together and simulate how an attacker would exploit them. If your provider only delivers a scan report or claims to offer “automated penetration testing,” you’re likely not getting a real pentest.

How do attackers move laterally in a network?
Lateral movement happens when an attacker uses one compromised account or system to access others. They often rely on local admin rights, cached credentials, or misconfigured permissions to hop from machine to machine, getting closer to high-value targets like domain controllers.

What does a good pentest report include?
A strong report shows you exactly how far the tester got, what weaknesses were used, and what to fix first. It includes cracked credentials, privilege escalation paths, lateral movement risks, and prioritized remediation guidance.

Top comments (0)