Ransomware is getting worse. Cybersecurity analysts have been screaming this sentiment from the rooftops for years, but now new research examining the expanding landscape of software vulnerabilities leveraged in ransomware attacks offers up some hard numbers that put the depth of this problem into context.
Researchers from RiskSense have identified as many as 223 distinct IT security vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database that were tied to attacks involving ransomware in 2020. That represents a fourfold increase in the number of ransomware-related vulnerabilities discovered in their last report published in 2019.
Ransomware families are growing and becoming more complex as well. The previous report found 19 separate ransomware families; this version identified at least 125. These groups are increasingly expanding their operations, creating new malware variants, selling their tools to third parties and targeting flaws in software and web applications.
Approximately 40% of the 223 CVEs tied to recent ransomware attacks fall under five commonly identified security weaknesses: permissions, privileges and access controls; code injection; improper input validation; improper restriction of operations within the bounds of a memory buffer and exposure of sensitive information to an unauthorized user. These overlaps “make it easy to predict that new vulnerability disclosures with similar traits will be of interest to ransomware families,” the report states.
Srinivas Mukkamala, CEO and co-founder of RiskSense, told SC Media that their research indicates this broadened attack surface is being driven both by short-term trends, like COVID-19 pushing more businesses online, and by broader developments in digital transformation and cloud adoption throughout industry. These factors have combined to push many organizations toward adoption of technologies – like cloud applications, VPNs and home networks – with bugs and misconfigurations that are most likely to be exploited by ransomware groups.
“All of [those trends] actually opened up the aperture and attack surface for ransomware to target and if you look at the vulnerabilities, you can clearly see that your SaaS has been targeted, your backup as a service has been targeted, your remote access services have been targeted and interestingly, we’re looking at your open-source libraries being targeted,” Mukkamala said.
The vast majority of flaws (96%) used in ransomware attacks are years old, having been publicly identified prior to 2019. The oldest, CVE-2007-1036, is a remote code execution vulnerability first discovered back in 2007, which researchers continue to see exploited in the wild.
This overwhelming reliance on older defects, paired with a much smaller but steady stream of newer vulnerabilities incorporated each year, suggests that this problem only worsens and compounds over time, creating increasing backlogs for security teams to patch, configure and mitigate.
“Go look at your misconfigurations, go look at your coding weaknesses, go look at your missing patches,” said Mukkamala. “That’s where it’s boiling down to and we’re seeing a really…disturbing trend of still very old vulnerabilities being actively targeted and these guys are getting good success with that.”
It’s not just ransomware groups who are catching on. RiskSense also tracks the growing use of many of the same vulnerabilities by state-backed advanced persistent threat groups. These outfits aren’t likely to infect organizations with a ransomware payload, but they are increasingly likely to leverage the same software flaws and misconfigurations.
At least 33 APT groups were found using 65 different ransomware-related exploits, including multiple groups linked to the Chinese, Russian, Iranian and North Korean governments. Mukkamala said this not only indicates a desire on the part of these groups to use what already works, it also allows state-backed hacking groups and intelligence agencies to hide their activity in the noise created by the larger ransomware ecosystem.
Most organizations simply don’t have the resources or security personnel to keep up, and RiskSense’s analysis indicates that there are so many different vulnerabilities exploited in the average ransomware attack chain that relying on metrics like Common Vulnerability Scoring System severity to prioritize the work can be a fool’s errand, leading to choices that wind up only addressing a small fraction of an organization’s ransomware attack surface.
Instead, the company offers up its own formula for what it calls patch intelligence, using data analysis to determine which existing vulnerabilities are tied to exploits seen used in the wild. That list can then be further filtered by prioritizing those that have the most dangerous capabilities – such as remote code execution, privilege escalation, VPN and remote access permission changes and DDoS execution – and are trending up in their use by ransomware groups. This approach is what led RiskSense to advise that organizations should focus on addressing CVEs reported between 2017 and 2019, as closing them will give the best bang for the buck in terms of reducing their attack surface to exploits linked with ransomware.
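To make the contrast between severity-only ranking and exploitation-based ranking concrete, here is an added example, not code from RiskSense or from this article, that implements the prioritisation order the paragraph above describes: keep only vulnerabilities with exploits seen in the wild, rank by the dangerous capabilities the report names, then by rising use among ransomware families, and compare that order with a plain CVSS ordering. The capability weights and every CVE record below are constructed placeholders (ids of the form CVE-0000-000N) chosen for illustration; they are not RiskSense's formula or real CVE data.

```python
"""Constructed illustration of exploit-driven patch prioritisation versus a
CVSS-only ordering. All records and weights here are made up for the example."""
from dataclasses import dataclass, field

# Capabilities the article singles out as most dangerous. The weights are an
# assumption made for this example, not a published scoring scheme.
CAPABILITY_WEIGHT = {
    "rce": 4,            # remote code execution
    "privesc": 3,        # privilege escalation
    "remote_access": 3,  # VPN / remote access permission changes
    "ddos": 1,           # denial of service
}


@dataclass(frozen=True)
class Vuln:
    cve_id: str                 # constructed placeholder, not a real CVE
    year: int                   # year the flaw was disclosed
    cvss: float                 # base severity score
    exploited_in_wild: bool     # an exploit has been observed in real attacks
    ransomware_families: int    # families using it in the current period
    prior_families: int         # families using it in the previous period
    capabilities: frozenset = field(default_factory=frozenset)

    @property
    def trend(self) -> int:
        """Positive when more ransomware families adopted it this period."""
        return self.ransomware_families - self.prior_families

    @property
    def capability_score(self) -> int:
        return sum(CAPABILITY_WEIGHT.get(c, 0) for c in self.capabilities)


def cvss_priority(vulns):
    """Baseline: highest CVSS first, ignoring whether anyone exploits it."""
    return [v.cve_id for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def patch_intelligence_priority(vulns):
    """Filter to in-the-wild, ransomware-linked flaws; rank by capability,
    then upward trend, with CVSS only as a tie-break."""
    active = [v for v in vulns if v.exploited_in_wild and v.ransomware_families > 0]
    ranked = sorted(active, key=lambda v: (v.capability_score, v.trend, v.cvss),
                    reverse=True)
    return [v.cve_id for v in ranked]


def share_in_years(vulns, start, end):
    """Fraction of the exploited set disclosed within [start, end], the kind of
    window the report uses to point teams at the most valuable patches."""
    active = [v for v in vulns if v.exploited_in_wild]
    if not active:
        return 0.0
    hits = sum(1 for v in active if start <= v.year <= end)
    return hits / len(active)


# Constructed sample inventory: one high-CVSS flaw with no known exploitation,
# several older flaws that ransomware crews actually use.
SAMPLE = [
    Vuln("CVE-0000-0001", 2021, 9.8, False, 0, 0, frozenset({"rce"})),
    Vuln("CVE-0000-0002", 2018, 7.2, True, 6, 2, frozenset({"rce"})),
    Vuln("CVE-0000-0003", 2019, 8.8, True, 3, 3, frozenset({"privesc"})),
    Vuln("CVE-0000-0004", 2017, 6.5, True, 4, 1, frozenset({"remote_access"})),
    Vuln("CVE-0000-0005", 2012, 7.5, True, 2, 1, frozenset({"ddos"})),
    Vuln("CVE-0000-0006", 2020, 5.3, False, 0, 0, frozenset({"rce"})),
]

if __name__ == "__main__":
    print("CVSS order:              ", cvss_priority(SAMPLE))
    print("Patch intelligence order:", patch_intelligence_priority(SAMPLE))
    print("Share of exploited flaws from 2017-2019:",
          share_in_years(SAMPLE, 2017, 2019))
```

Run as written, the CVSS ordering puts the unexploited 9.8 at the top, while the exploit-driven ordering drops it entirely and leads with the older remote code execution flaw whose ransomware adoption is growing fastest. Swapping the constructed inventory for a real asset and exploit feed is where the actual work lies; the ranking logic itself stays this small.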
Ransomware defense “is becoming more like an analytics play, where you’ve got to collect all your data and start prioritizing based on the exploitability and [whether] it’s active right now,” said Mukkamala.