Ransomware attacks have begun to more heavily target software applications, open source tools, and Web and application frameworks as attackers seek more direct paths to organizations' largest and most important data stores.
The ransomware threat landscape has seen tremendous growth in the past few years alone, RiskSense researchers report in a new study, "Ransomware – Through the Lens of Threat and Vulnerability Management." They detected 223 vulnerabilities associated with 125 ransomware families, a massive increase from their 2019 findings of 57 CVEs tied to 19 ransomware families.
These attackers are diversifying their targets, moving "up the stack" to target software-as-a-service (SaaS) applications and remote technology. Ransomware is now taking over the application layer, explains RiskSense CEO Srinivas Mukkamala, a shift that shows how attackers are adapting as businesses move more of their operations to the cloud.
"This year, what we found even more interesting was it's not [only] touching your SaaS applications, open source software, and open source libraries," he says of ransomware. "It didn't stop there. It started going after the perimeter technologies, like your VPNs, remote access services, and zero trust."
He calls it a "very fast shift." It took attackers several years to begin targeting the application layer; however, it was only within the past two years that researchers noticed the types of exploits attackers used, and the layers they targeted "dramatically changed."
Data-dense applications are hot targets. SaaS had the highest count of vulnerabilities seen trending with active exploits among ransomware families, researchers point out in their report.
Researchers noticed 18 CVEs tied to ransomware found across WordPress, Apache Struts, Java, PHP, Drupal, and ASP.net, all of which are major components of the Web and application framework space. Open source and related projects are also targets – 19 CVEs tied to ransomware exist in Jenkins, MySQL, OpenStack, TomCat, Elasticsearch, OpenShift, JBoss, and Nomad. Anything that holds a lot of data, or is responsible for the deployment of data, has become appealing to attackers. To Mukkamala, the shift "makes perfect sense."
"Wherever there was data density, we started seeing ransomware go: CRM tools, open source tools that are used in your data pipelines, backup services, remote access services," he adds. "Call it the work-from-home tech frenzy."
How They're Breaking In
Attackers are also looking for more severe vulnerabilities to reach these targets – namely, those that are capable of remote code execution (RCE) or privilege escalation (PE) when exploited.
Between 2018 and 2020, more than 25% of CVEs used in ransomware attacks were considered "dangerous," meaning they were capable of RCE or PE and had weaponized exploits. While the number of weaponized vulnerabilities went down overall, the number of RCE/PE flaws increased. Researchers report more than 25% of newly published CVEs pose a higher risk to organizations due to these RCE/PE capabilities.
"They don't need the human intervention anymore," says Mukkamala of the preference for RCE and PE flaws. "They're looking at vulnerabilities that can be remotely exploited – vulnerabilities that will allow them to escalate privileges. That's a very interesting trend we have seen in the last year."
Nearly all (96%) vulnerabilities used in ransomware attacks were reported in the US National Vulnerability Database (NVD) before 2019. Of these, 120 were actively used in ransomware attacks that trended in the past 10 years, and 87 are currently trending (2018-2020). The largest contributors in ransomware attacks are vulnerabilities disclosed in 2017, 2018, and 2019.
"What we really see is ransomware successfully using software weaknesses, misconfigurations, and coding errors that people are not paying attention to," he explains. While some attackers use zero-days, these are growing rarer as known vulnerabilities continue to prove successful.
The Ransomware Family Tree Grows
Researchers identified 125 ransomware families using 223 CVEs. Some of the more prominent families include Crypwall, which uses 66 CVEs, Locky (64), Cerber (62), Cryptesla (56), GandCrab (51), Cryptomix (50), Reveton (46), and Waltrix (45). Of the ransomware families detected, 42 only use vulnerabilities reported in 2019 or earlier, with the oldest flaw reported in 2010.
The number of ransomware families has continued to grow as new players enter the scene, joining old groups that continue to operate. Some, such as Cobralocker and Lokibot, have been running since 2012 and don't show any signs of retiring, researchers note.
Mukkamala says these groups continue to stay relevant by adding new vulnerabilities and exploits to their arsenals. The tremendous growth in ransomware families shows there are plenty of targets, and plenty of opportunities, for ransomware campaigns to succeed.
"There's so much available," he adds. "Everyone has a piece of the share … there's still a lot of room for these guys, and people are paying. Why wouldn't they stop?"
He advises organizations to defend against evolving ransomware threats by first understanding their exposure. Knowing where they are vulnerable is a key first step in ransomware defense.
"Understand your exposure, map it to your attack surface," he explains. "What is your addressable attack surface, and what is your exposure to it? First do your external and then quickly move to your internal. Do not ignore internal."
Based on this knowledge, IT and security teams will have a better idea of where they need to address areas of exposure to ransomware.