Ransomware Attackers Set Their Sights on SaaS

Ransomware has begun to target data-heavy SaaS applications, open source, and Web and application frameworks.

Ransomware attacks have begun to more heavily target software applications, open source tools, and Web and application frameworks as attackers seek more direct paths to organizations' largest and most important data stores. 


The ransomware threat landscape has seen tremendous growth in the past few years alone, RiskSense researchers report in a new study, "Ransomware – Through the Lens of Threat and Vulnerability Management." They detected 223 vulnerabilities associated with 125 ransomware families, a massive increase from their 2019 findings of 57 CVEs tied to 19 ransomware families. 

These attackers are diversifying their targets, moving "up the stack" to target software-as-a-service (SaaS) applications and remote technology. Ransomware is now taking over the application layer, explains RiskSense CEO Srinivas Mukkamala, a shift that shows how attackers are adapting as businesses move more of their operations to the cloud.

"This year, what we found even more interesting was it's not [only] touching your SaaS applications, open source software, and open source libraries," he says of ransomware. "It didn't stop there. It started going after the perimeter technologies, like your VPNs, remote access services, and zero trust."

He calls it a "very fast shift." It took attackers several years to begin targeting the application layer, but only within the past two years did researchers notice that the types of exploits attackers used, and the layers they targeted, "dramatically changed."

Data-dense applications are hot targets. SaaS had the highest count of vulnerabilities seen trending with active exploits among ransomware families, researchers point out in their report.

Researchers noticed 18 CVEs tied to ransomware found across WordPress, Apache Struts, Java, PHP, Drupal, and ASP.NET, all of which are major components of the Web and application framework space. Open source and related projects are also targets – 19 CVEs tied to ransomware exist in Jenkins, MySQL, OpenStack, Tomcat, Elasticsearch, OpenShift, JBoss, and Nomad. Anything that holds a lot of data, or is responsible for the deployment of data, has become appealing to attackers. To Mukkamala, the shift "makes perfect sense."

"Wherever there was data density, we started seeing ransomware go: CRM tools, open source tools that are used in your data pipelines, backup services, remote access services," he adds. "Call it the work-from-home tech frenzy." 

How They're Breaking In
Attackers are also looking for more severe vulnerabilities to reach these targets – namely, those that are capable of remote code execution (RCE) or privilege escalation (PE) when exploited. 

Between 2018 and 2020, more than 25% of CVEs used in ransomware attacks were considered "dangerous," meaning they were capable of RCE or PE and had weaponized exploits. While the number of weaponized vulnerabilities went down overall, the number of RCE/PE flaws increased. Researchers report more than 25% of newly published CVEs pose a higher risk to organizations due to these RCE/PE capabilities.

"They don't need the human intervention anymore," says Mukkamala of the preference for RCE and PE flaws. "They're looking at vulnerabilities that can be remotely exploited – vulnerabilities that will allow them to escalate privileges. That's a very interesting trend we have seen in the last year." 

Nearly all (96%) of the vulnerabilities used in ransomware attacks were reported in the US National Vulnerability Database (NVD) before 2019. Of these, 120 were actively used in ransomware attacks that trended in the past 10 years, and 87 are currently trending (2018-2020). The largest contributors to ransomware attacks are vulnerabilities disclosed in 2017, 2018, and 2019.

"What we really see is ransomware successfully using software weaknesses, misconfigurations, and coding errors that people are not paying attention to," he explains. While some attackers use zero-days, these are growing rarer as known vulnerabilities continue to prove successful. 

The Ransomware Family Tree Grows
Researchers identified 125 ransomware families using 223 CVEs. Some of the more prominent families include Crypwall, which uses 66 CVEs, Locky (64), Cerber (62), Cryptesla (56), GandCrab (51), Cryptomix (50), Reveton (46), and Waltrix (45). Of the ransomware families detected, 42 only use vulnerabilities reported in 2019 or earlier, with the oldest flaw reported in 2010. 

The number of ransomware families has continued to grow as new players enter the scene, joining old groups that continue to operate. Some, such as Cobralocker and Lokibot, have been running since 2012 and don't show any signs of retiring, researchers note. 

Mukkamala says these groups continue to stay relevant by adding new vulnerabilities and exploits to their arsenals. The tremendous growth in ransomware families shows there are plenty of targets, and plenty of opportunities, for ransomware campaigns to succeed.

"There's so much available," he adds. "Everyone has a piece of the share … there's still a lot of room for these guys, and people are paying. Why wouldn't they stop?"

He advises organizations to defend against evolving ransomware threats by first understanding their exposure. Knowing where they are vulnerable is a key first step in ransomware defense.

"Understand your exposure, map it to your attack surface," he explains. "What is your addressable attack surface, and what is your exposure to it? First do your external and then quickly move to your internal. Do not ignore internal."

Based on this knowledge, IT and security teams will have a better idea of where they need to address areas of exposure to ransomware.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
