Ransomware Resiliency

6th September 2021, Kathmandu

Today, 266 vulnerabilities are associated with ransomware, and attackers are increasingly exploiting these weaknesses to launch devastating ransomware attacks. Therefore, identifying and remediating these vulnerabilities must be a critical priority for organizations that want to stay safe from ransomware.

By Ram Movva, Chairman and Co-founder of Cyber Security Works

We have witnessed dangerously disruptive ransomware attacks in 2021. The ransomware attacks on Colonial Pipeline, JBS USA Holdings, Kaseya, and Accenture (the most recent victim, hit by LockBit) are proof that poor cyber hygiene is rampant. These attacks highlight the need for continual assessment of vulnerabilities and prioritization of remediation.

As our ransomware research expands, we have updated our Q1 report with new ransomware markers and emerging trends that should help organizations worldwide stay a step ahead of attackers and proactively protect themselves against such attacks.

In the Q2 Index Update, we highlight the following:

  • Insights about vulnerabilities that have recently become associated with ransomware
  • New Advanced Persistent Threat (APT) groups using ransomware in their attack arsenal
  • Newly discovered ransomware families
  • Categories of weaknesses (CWEs) that have contributed vulnerabilities to ransomware
  • Emerging ransomware trends

New Vulnerabilities in the Ransomware Arsenal

This quarter, our research shows that six vulnerabilities have become associated with seven ransomware strains, among them the infamous DarkSide, Conti, and FiveHands, and the newly named Qlocker.

With this update, the total number of vulnerabilities associated with ransomware has risen to 266. We have also recorded a 1.5% increase in the number of actively exploited vulnerabilities that are currently trending, reiterating that a risk-based approach to vulnerability remediation is the need of the hour.

One of the most striking observations this quarter was the exploitation of zero-day vulnerabilities even before vendors had published a disclosure or released patches.

On April 19, 2021, thousands of QNAP devices were attacked by Qlocker, causing service disruptions and data loss for their users. Qlocker exploited CVE-2021-28799, a QNAP zero-day vulnerability disclosed only on April 22, 2021 and patched on May 1, 2021. Meanwhile, the attackers had already collected more than $350,000 in ransom while the vendor was still investigating the incident. The National Vulnerability Database (NVD) published details of this vulnerability 11 days after the patch was released.

The FiveHands ransomware attack on SonicWall Virtual Private Network (VPN) devices is another example that shows the need for a risk-based approach. In this case, SonicWall published details about CVE-2021-20016 on January 23, 2021, with the patch scheduled for release on February 3, 2021. However, attackers struck before the patch was published. The NVD added the vulnerability to its database on February 4, 2021.

Both incidents highlight the following:

  1. Organizations that rely only on NVD updates to drive their remediation and patch management need to rethink their strategy and adopt a risk-based approach to mitigate trending threats.
  2. With ransomware attackers going after zero-day vulnerabilities, vendors must release patches proactively and without delay.
  3. Software developers need to be more mindful of coding errors and misconfigurations, ensuring they do not introduce weaknesses that attackers could exploit to launch crippling attacks.

Vulnerability Analyses

Exploit Type

Our research also looks at the type of exploit linked to ransomware-related vulnerabilities. Remote Code Execution (RCE) and Privilege Escalation (PE) are the most dangerous classes, and they are the ones attackers most readily weaponize and exploit.

Since the publication of the ransomware report in February 2021, we have observed 43 vulnerabilities become associated with ransomware this year, and 35% of them (15 vulnerabilities) are categorized as RCE/PE exploit types. In this quarterly update, we observed the RCE/web application exploit CVE-2018-13374 become associated with Conti ransomware.

Overall, 40% of the vulnerabilities tied to ransomware (107) are categorized as RCE/PE exploits. We recommend that organizations prioritize these vulnerabilities and patch them first.

Low-Scoring Vulnerabilities

Low-scoring vulnerabilities deceptively fly under the radar. Security teams tend to sideline them and patch based only on Common Vulnerability Scoring System (CVSS) version 3 (v3) or version 2 (v2) scores. Such organizations remain exposed to ransomware because 59% of the vulnerabilities associated with ransomware are low-scoring* ones.

In this quarterly update, we have seen a 3.9% increase in low-scoring vulnerabilities linked to ransomware. While security teams may overlook these vulnerabilities, risk-based platforms flag them as high-risk despite the low NVD score. However, many organizations do not use, or are unaware of, such tools, leaving their low-scoring vulnerabilities unpatched and their networks open to ransomware.

*CVSS v2 scores below eight were considered low-scoring for the ransomware research report.

Actively Exploited Vulnerabilities

While vulnerabilities that have become associated with ransomware should always be treated as high risk and prioritized for remediation, we also track Common Vulnerabilities and Exposures (CVEs) that are currently trending in hacker channels and being exploited in the wild.

At present, 134 vulnerabilities are being actively exploited. Security teams need to move these to the top of their patching list, because these weaknesses are increasingly being exploited to launch damaging ransomware attacks.
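The three points above (do not wait for NVD, do not rank by CVSS alone, patch ransomware-linked and actively exploited CVEs first) can be expressed as a sort order. The following Python routine is an added example, not code from Cyber Security Works or from the report; it ranks an inventory by threat context first and uses CVSS only as a tie-breaker. The sample inventory is constructed: the ransomware associations follow the report text, but the CVSS values, exploit types and NVD status are illustrative placeholders rather than NVD data, and the two identifiers ending in 99999 are placeholders, not real CVEs.

```python
"""Risk-based prioritisation of a vulnerability inventory.

Ranks findings by threat context (ransomware association, active
exploitation, exploit type) before raw CVSS, so that a low-scoring CVE
already used by a ransomware family outranks a high-scoring CVE with no
known exploitation, and a CVE disclosed by its vendor but not yet listed
in NVD is still actioned.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

LOW_SCORE_THRESHOLD = 8.0          # report's cut-off: CVSS v2 below 8 is "low-scoring"
HIGH_IMPACT_TYPES = {"RCE", "PE"}  # exploit classes the report says to patch first


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss_v2: float
    exploit_type: str                 # "RCE", "PE", "Web App", "Info Disclosure", ...
    ransomware: Tuple[str, ...] = ()  # ransomware families linked to this CVE
    actively_exploited: bool = False  # trending in hacker channels / seen in the wild
    in_nvd: bool = True               # False while only a vendor advisory exists


def is_low_scoring(f: Finding) -> bool:
    return f.cvss_v2 < LOW_SCORE_THRESHOLD


def risk_key(f: Finding) -> tuple:
    """Sort key: each boolean is a tier, CVSS only breaks ties within a tier.

    A ransomware-linked finding therefore beats any finding that is not,
    regardless of its CVSS score.
    """
    return (
        bool(f.ransomware),
        f.actively_exploited,
        f.exploit_type in HIGH_IMPACT_TYPES,
        f.cvss_v2,
    )


def prioritize(findings: Iterable[Finding]) -> List[str]:
    """Patch order under the risk-based approach, highest risk first."""
    return [f.cve for f in sorted(findings, key=risk_key, reverse=True)]


def cvss_only_order(findings: Iterable[Finding]) -> List[str]:
    """Patch order a CVSS-only process would produce, for comparison."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss_v2, reverse=True)]


def low_scoring_ransomware(findings: Iterable[Finding]) -> List[str]:
    """Ransomware-linked CVEs that a 'CVSS >= 8 first' policy would defer."""
    return [f.cve for f in findings if f.ransomware and is_low_scoring(f)]


def missed_by_nvd_only(findings: Iterable[Finding]) -> List[str]:
    """Ransomware-linked CVEs invisible to a process that waits for NVD."""
    return [f.cve for f in findings if f.ransomware and not f.in_nvd]


# Constructed sample inventory.  The ransomware links follow the report
# text; the CVSS values, exploit types and NVD status are illustrative
# placeholders, not NVD data.  The two *-99999 identifiers are placeholders,
# not real CVEs.
SAMPLE = [
    Finding("CVE-2021-99999", 9.3, "RCE"),                                    # high score, no threat context
    Finding("CVE-2018-13374", 5.0, "Web App", ("Conti",), True),
    Finding("CVE-2019-1579", 7.5, "RCE", ("Pay2Key",), True),
    Finding("CVE-2021-28799", 7.8, "RCE", ("Qlocker",), True, in_nvd=False),  # vendor advisory only
    Finding("CVE-2020-99999", 6.5, "Info Disclosure"),                        # low score, no threat context
]

if __name__ == "__main__":
    print("CVSS-only order:    ", cvss_only_order(SAMPLE))
    print("Risk-based order:   ", prioritize(SAMPLE))
    print("Deferred by CVSS>=8:", low_scoring_ransomware(SAMPLE))
    print("Missed by NVD-only: ", missed_by_nvd_only(SAMPLE))
```

Run as a script, the CVSS-only order puts the placeholder 9.3 finding first and the Conti-linked CVE last, while the risk-based order moves all three ransomware-linked CVEs to the top even though every one of them is low-scoring under the report's threshold. The tiered key is deliberately simple; a real platform would weight the tiers and add asset exposure, but the point the report makes is that ransomware association and in-the-wild exploitation must outrank the score, and a tuple key makes that guarantee explicit.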

New APT Groups

We have observed an increase in APT group attacks since the start of this year. From SolarWinds to DarkSide's attack on Colonial Pipeline, APT groups have targeted critical industries and sectors and have added ransomware to their arsenal to mount disruptive attacks.

This quarter, we noted a 17% increase in the number of APT groups adopting ransomware as part of their arsenal. This brings the total number of APT groups with ransomware associations to 40.

New Ransomware Families

This quarter also saw a 4.2% increase in ransomware families, with six new families joining the fray. Our findings show that the Crypwall ransomware family retains its position as the largest ransomware family in the world, with 66 CVEs within its fold. This quarter we also noted that the Cerber strain has overtaken Locky, with 65 CVEs tied to it.

By comparison, new ransomware families focus on much smaller sets of vulnerabilities. For instance, Apostle, DarkRadiation, FiveHands, and Qlocker each exploit a single vulnerability. The Epsilon Red group has three CVE associations, DarkSide has four, and Pay2Key has five.

New CWE Categories

Significantly, we spotted two new Common Weakness Enumeration (CWE) categories during our research: CWE-134 (Use of Externally-Controlled Format String) and CWE-732 (Incorrect Permission Assignment for Critical Resource).

CWE-134 is a weakness that, when it sits on an unauthenticated, remotely reachable code path, gives attackers a direct route to code execution on the victim's machine. Attackers can also chain these CWEs with others to achieve their malicious goals.

CWE-732, incorrect permission assignment for a critical resource, can result in the exposure of sensitive information. In the ransomware-linked case it exposes VPN credentials in cleartext or an easily readable format, allowing the VPN to be compromised with little effort. There is also a strong possibility of attackers chaining this with other weaknesses to infiltrate the victim's network. Software developers need to ensure they do not introduce this weakness when writing code.
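Both weaknesses are easier to recognise in code than in a CWE title. The following Python block is an added example, not code from the report or from any affected product: it shows each weakness beside its fix. The report's CWE-134 instance is a format string bug in native VPN code; in Python the same class appears when a client-controlled string is passed to str.format, whose attribute traversal plays the role that %x and %n play in C. CWE-732 is shown as a credential file created with default permissions. The Session class, the credential values and the file contents are constructed for illustration.

```python
"""CWE-134 and CWE-732 as they appear in application code, each beside a fix.

Constructed example: the Session object and credential values are invented
for illustration; nothing here is taken from a real product.
"""
import os
import stat
import tempfile
from string import Template


class Session:
    """Server-side state that must never be reachable from a client template."""

    def __init__(self, user: str, vpn_password: str) -> None:
        self.user = user
        self.vpn_password = vpn_password


# --- CWE-134: Use of Externally-Controlled Format String ---------------------

def greeting_vulnerable(template: str, session: Session) -> str:
    """The client supplies the format string.  str.format allows attribute
    traversal, so a template such as '{0.vpn_password}' walks into the
    object passed as argument 0 and returns the secret to the client."""
    return template.format(session)


def greeting_fixed(template: str, session: Session) -> str:
    """Treat the client string as data.  string.Template substitutes only
    '$name' placeholders from an explicit allow-list and cannot traverse
    attributes; safe_substitute leaves unknown placeholders untouched."""
    allowed = {"user": session.user}
    return Template(template).safe_substitute(allowed)


# --- CWE-732: Incorrect Permission Assignment for Critical Resource ----------

def write_credentials_vulnerable(path: str, secret: str) -> None:
    """open() creates the file with mode 0o666 masked by the process umask,
    typically 0o644: every local account can read the VPN credential."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(secret)


def write_credentials_fixed(path: str, secret: str) -> None:
    """Create the file owner-only (0o600) at creation time, so there is no
    window in which it is readable by other users."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(secret)


def is_private(path: str) -> bool:
    """True if no group or other permission bits are set; this is the check
    an audit for CWE-732 on a credential store should perform."""
    mode = os.stat(path).st_mode
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def demo() -> dict:
    """Exercise both pairs and return the observable results."""
    session = Session("alice", "hunter2-vpn")  # constructed values
    attacker_format = "Hello {0.vpn_password}"          # aimed at str.format
    attacker_template = "Hello $vpn_password $user"     # same intent, Template syntax
    results = {
        "leak": greeting_vulnerable(attacker_format, session),
        "fixed": greeting_fixed(attacker_template, session),
    }
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "bad.conf")
        good = os.path.join(tmp, "good.conf")
        write_credentials_vulnerable(bad, "psk=hunter2-vpn\n")
        write_credentials_fixed(good, "psk=hunter2-vpn\n")
        results["bad_private"] = is_private(bad)    # depends on the process umask
        results["good_private"] = is_private(good)  # always True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable greeting returns the VPN password verbatim; the fixed one returns "Hello $vpn_password alice", because the unknown placeholder is left as literal text and there is no path from the template into the object. For the file case, note that the insecure writer is only "safe" when the process umask happens to be restrictive, which is exactly the kind of environment-dependent behaviour that turns into a finding later; setting the mode in the creation call removes the dependency.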

Old Vulnerabilities

There has been a marginal increase in the number of old vulnerabilities that have recently become associated with ransomware. CVE-2017-1000253, CVE-2018-13374, and CVE-2019-1579 were linked to DarkRadiation, Conti, and Pay2Key, respectively, this quarter. This brings the total count of older vulnerabilities (published in or before 2020) associated with ransomware to 255, which is 95% of all ransomware vulnerabilities.

The Way Forward

The most recent ransomware attacks have been so disruptive that they are being compared to acts of war, prompting world leaders to raise these attacks with the countries where the ransomware appears to have originated.

Based on our research, ransomware vulnerabilities have been increasing steadily each quarter, and attackers are finding innovative ways to exploit weaknesses in software products and devices. As we head into Q3, we will be tracking zero-day exploits and the association between APT groups and ransomware.

Organizations can combat ransomware only with precise vulnerability data aligned with the relevant threat context. A risk-based approach to detecting, prioritizing, and remediating these vulnerabilities would keep attackers at bay. We recommend adopting continuous vulnerability management to help organizations mitigate ransomware threats as they trend.
