The Darkside ransomware group brought the Colonial Pipeline to its knees in May 2021. In another incident that soon followed, REvil (Ransomware Evil), a private Ransomware as a Service (RaaS) caused meat prices to rise when it attacked JBS — a meat processing giant. And in Ireland, Conti attacked the Irish Health systems and the FBI published a warning that they would be targeting the health care sector more.
By Ram Movva, the President and Co-founder of Cyber Security Works
Could these attacks have been avoided? Can we prevent future attacks?
If these organizations had remediated vulnerabilities that are associated with ransomware, they could have shrunk their attack surface and avoided the attack.
The catalyst behind the rise in ransomware attacks is the ease with which they can exploit organizations due to technical debt and patch management lags. We’re seeing industries such as critical oil pipelines, global meat processing plants, and even regional ferry transportation get hit with disruptive ransomware. Each attack provides additional proof that digital infrastructure is weak and needs maintenance so it will be strong enough to defend against these threat actors.
CSW’s analysts have been conducting in-depth research on ransomware and attack trends for the past year. We have delved deep into ransomware attacks, exploits, Advanced Persistent Threat (APT) groups, exploit kits and attack patterns that occurred in the last two years and we recently published our findings in a Ransomware Spotlight Report. The report covers the latest attacks and ransomware trends, and provides actionable insights for organizations to prioritize vulnerabilities for patches.
Rapid Rise in Ransomware
Remote working has resulted in weaker controls and more public-facing RDP servers, thus creating the ideal environment for ransomware to thrive. Predictably, this led to an increase in ransomware attacks since 2020.
We have been tracking ransomware associations with vulnerabilities since 2019, when RiskSense published its first Ransomware Spotlight Report. CSW’s analysts have noted that the number of vulnerabilities associated with ransomware rose from 57 in August 2019 to 223 in December 2020. By the first quarter of 2021, we found that the number of vulnerabilities had increased to 260, clocking a 17% increase!
Currently, ransomware attackers are spoiled for choice with 260 vulnerabilities to compromise and can easily launch crippling ransomware attacks.
So, what should organizations fix first to avoid becoming the next ransomware victim?
Our researchers had highlighted 132 vulnerabilities trending as ransomware targets in Q1 of 2021. These key vulnerabilities are weaponized and have active exploits; they should be at the top of every organization’s remediation list.
Although every vulnerability tied to ransomware should be considered a high exposure risk to an organization, we recommend that these 132 issues be prioritized for patches because they have been exploited actively by attackers from 2018 to 2021 (Quarter 1).
If organizations were to rely solely on CVSS scores to prioritize and patch vulnerabilities, they would still be exposed to ransomware. We say this because of the following reasons:
- Only 65% of vulnerabilities tied to ransomware have a CVSS v3 score. Approximately 25% of these vulnerabilities are rated as critical and 10% as high. Therefore, if organizations were to patch critical and high vulnerabilities, they would get only 35% coverage against ransomware and still be vulnerable to attacks.
- While 99% of the vulnerabilities have a CVSS v2 score, only 70% are rated as high, and if only these are prioritized for patching, the 25% of vulnerabilities rated as medium and 3% rated as low will remain unaddressed, enabling attackers to launch ransomware attacks.
Note: 2% of vulnerabilities do not have CVSS v2 score.
To keep it simple, organizations need continuous threat contexts and proactive alerts to patch vulnerabilities, which are fast becoming cannon fodder for ransomware.
Ransomware is not particularly clever, but ransomware families share and leverage 260 vulnerabilities.
Exploit Kits, Ransomware Families, and APT Groups
Our research also focused on the exploit kits commonly used by attackers. Exploit kits are automated tools used by hackers to exploit a vulnerability and then deliver malware or ransomware payloads. They target common software products from vendors such as Adobe, Flash, Java, Microsoft, and Silverlight.
Essentially, these are packaged executables, built as layered vulnerability attacks providing all the tools needed to attack an organization.
We identified 32 commonly used exploit kits and three new kits used by attackers in Q1 of 2021.
|Top 5 Commonly Used Exploit Kits
|New Exploit Kits Identified in Q1 of 2021
In December 2020, we identified 125 ransomware families that were using 223 vulnerabilities to attack their targets. In 2021, this number rose to 140, clocking a 12% increase! The infamous DarkSide ransomware that recently stalled Colonial Pipeline and disrupted gasoline supply in the US is one among the 140.
Our researchers have also been closely monitoring the mushrooming of APT groups and their affiliations to hostile nation-states for more than a year. APT and ransomware associations increase the power of this threat by several notches. These threats are called “persistent” for a reason. APT groups are seemingly well-funded, often, by nation-states who hire them to conduct deep targeted attacks. Therefore, they are not solely motivated by monetary incentives. Their focus is on government entities, critical infrastructure, and Fortune 500 companies to spy and steal sensitive information within Pharma, Energy, and other sectors.
Our Spotlight Report listed 33 APT groups, the ransomware families they are associated with, and the CVEs they exploit. In the first quarter of this year, we spotted a new association to the APT group Viking Spider, which used CVE-2017-0213 to launch attacks in Microsoft Windows Servers. (Download Q1 report for more information.)
CWEs Enabling Ransomware
Lastly, we also analyzed how and why ransomware attackers can exploit weaknesses in applications and operating systems and uncovered many insights that would be useful for software developers.
Our report identified the top five vulnerabilities in the Common Weakness Enumeration (CWE) that the attackers are abusing are CWE-119, CWE-20, CWE-264, CWE-94, and CWE-200.
In the past quarter, two new CWE IDs were introduced: CWE-295 and CWE-611. CWE-295 falls under the A3 category of the Open Web Application Security Project’s (OWASP) top ten vulnerabilities in 2017, indicating sensitive data exposure risk.
Ransomware-as-a-Service (RaaS) is another reason for the spate of attacks. Today, any malicious attacker with just a little technical knowledge can get an entire ransomware kit from a RaaS website and launch an attack. Each kit comes with detailed instructions on how to deploy the payload, making it extremely easy to launch an attack. The recent DarkSide Ransomware attack on Colonial Pipeline is a classic example of how mature RaaS has become. It is also an indicator of how sophisticated and customer-friendly RaaS is soon to become.
The Way Forward
When we noticed a marked spike in key index numbers, such as vulnerabilities, active exploits, APT groups, and ransomware families, we decided to release quarterly updates on ransomware to help organizations remediate and patch targeted vulnerabilities.
Ransomware is exponentially growing, and the 17% increase in vulnerabilities in Q1 of 2021 is not an encouraging sign. Today, our dynamic database of ransomware research remains the only single source for organizations to quickly understand their attack surface exposure and learn what contributes to ransomware growth. The only way to defend against this threat is to elevate cyber hygiene and adopt continuous risk-based vulnerability management that provides active threat contexts about ransomware.
Watch out for our next quarterly update to get the latest statistics, exploits, and trends on ransomware.
A longer version of this article will appear in the next issue of CISO MAG. Subscribe here.
About the Author
Ram Movva, the President and Co-founder of Cyber Security Works (CSW), is an industry expert in offensive security and intrusion detection. With a master’s degree from Georgia Tech, Ram was with TIBCO for over a decade. He was also part of the founding team at RiskSense, a risk-based vulnerability management company.
After spending 15 years in the US, Ram co-founded Cyber Security Works (CSW) in 2008. Under his strategic leadership, CSW has enabled companies worldwide to improve their security posture.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.