The Top 4 Ransomware Vulnerabilities Putting your Company in Danger

By Aaron Sandeen, CEO and co-founder at Securin

In 2023, you can divide organizations into two categories: those who have been hit by a ransomware attack and those who will be soon.

Ransomware is ubiquitous, inescapable, and—despite widespread efforts to combat it—ever-escalating. It has caused the death of patients in critical condition, disrupted the Colonial Pipeline supply on the East Coast, affected daily operations of entities as diverse as the San Francisco 49ers, the Costa Rican Government and the Los Angeles Unified School District. It doesn’t matter where your organization is or what it does. Ransomware doesn’t discriminate. If you have data to exfiltrate, if you have money that can be extorted, a ransomware attack will be coming for you, and soon—if it hasn’t already.

The current situation in cybersecurity is akin to an ongoing cyber-arms race between ransomware groups and cybersecurity experts. As ransomware groups become more sophisticated, cybersecurity experts work to develop new tools and strategies to combat them. This cat-and-mouse game is a never-ending war of attrition with no clear winners. However, despite the challenge, there is no reason for hopelessness. While some aspects of the situation may be beyond the control of IT teams, there are still countless precautions that can be taken to minimize the risk of a ransomware attack or the harm a successful attack might cause.

IT teams know this—and yet, per research from Securin, there are still many hundreds of vulnerabilities that have been left exposed by organizations. Until these vulnerabilities are addressed, the problem of ransomware will only get worse. Here is a quick run-through of the four most common types of vulnerabilities that organizations should watch out for.

1) Vulnerabilities Allowing Intruders into Networks

According to Securin’s research, services such as external remote services, VPN, and public-facing applications contain 133 vulnerabilities associated with ransomware that could be exploited for initial access.

External remote services refer to services like Windows Server Message Block (SMB) or Microsoft’s Remote Desktop Protocol. These services have become more widespread since the onset of the pandemic and the rise of work from home (WFH). They can be highly vulnerable to attack, as some are rife with misconfigurations or exploits well-known to cyber-criminals. For example, the 2017 WannaCry ransomware attack—one of the biggest in history—exploited an SMB vulnerability. There are many other vulnerabilities out there that have continued to go unaddressed: the Log4Shell vulnerability, for instance, which affects 176 products from 21 vendors and was exploited by six ransomware groups, including Conti and AvosLocker.
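The two external remote services named above, SMB and RDP, are the ones most often found listening where they should not be. The PowerShell script below is an added example, not part of the article or of Securin's research: run in an elevated session on a Windows host, it reports whether SMB and RDP are listening, whether the SMBv1 protocol (the one the WannaCry exploit targeted) is still enabled, whether RDP requires Network Level Authentication, and which inbound firewall rules would admit TCP/445 or TCP/3389 on the Public profile. All cmdlets are standard Windows ones; the registry paths are the documented locations of the RDP settings.

```powershell
# Added example (not from the article): audit a Windows host for the external
# remote services the article names, SMB and RDP, and report the settings a
# defender wants to know before either is reachable from outside.
# Run in an elevated PowerShell session on the host being checked.

# --- SMB ---
$smb = Get-SmbServerConfiguration
$smbListening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
Write-Host "SMB listening on TCP/445 : $([bool]$smbListening)"
# WannaCry's entry point was a flaw in SMBv1; leaving SMBv1 on is a known risk.
Write-Host "SMBv1 enabled            : $($smb.EnableSMB1Protocol)"
Write-Host "SMB signing required     : $($smb.RequireSecuritySignature)"

# --- RDP ---
$rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpDenied = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections).fDenyTSConnections
$nla = (Get-ItemProperty -Path "$rdpKey\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication
$rdpListening = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
Write-Host "RDP enabled              : $($rdpDenied -eq 0)"
Write-Host "RDP listening on TCP/3389: $([bool]$rdpListening)"
Write-Host "RDP requires NLA         : $($nla -eq 1)"

# --- Firewall: would either port be admitted on a Public network profile? ---
$rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { "$($_.Profile)" -match 'Public|Any' }
$exposed = foreach ($rule in $rules) {
    $ports = ($rule | Get-NetFirewallPortFilter).LocalPort
    if ($ports -contains '445' -or $ports -contains '3389') { $rule.DisplayName }
}
Write-Host "Inbound allow rules for 445/3389 on the Public profile:"
if ($exposed) { $exposed | ForEach-Object { Write-Host "  $_" } } else { Write-Host "  none" }
```

The script only reads configuration; it changes nothing. A host that reports SMBv1 enabled, RDP without NLA, or a Public-profile allow rule for either port is the kind of exposure the 133 initial-access vulnerabilities above are exploited through, and each of those settings can be corrected without touching the application itself.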

2) Vulnerabilities Requiring User Action

It’s important to note that ‘vulnerabilities’ don’t simply refer to problems with software or hardware—they also refer to human error. In fact, a large percentage of ransomware attacks can be chalked up to precisely that.

Ransomware threat actors are highly skilled at social engineering to achieve their goals: say, by posing as their target’s friend, colleague, or boss. This can lead users to inadvertently execute malicious code by opening harmful email attachments, links, or adversary-placed files. Unfortunately, as everyday users grow more sophisticated at noticing social engineering, the bad guys refine their tools in turn.

As this is a human problem, it requires a human response to combat it: namely, intensive and thoughtful in-person training where IT team members explain to people in other departments how to identify a potential threat (and what to do if they’ve unknowingly allowed someone into the system). It’s imperative that IT departments stay on top of current social engineering trends and regularly update their organizations on what to look out for.

3) Vulnerabilities Providing Elevated Access

The vulnerabilities we’ve discussed so far have addressed techniques used by hackers to try to get into your network. Unfortunately, that is usually only step one. Once hackers have exploited vulnerabilities to enter your system, they can then take advantage of additional vulnerabilities—ones that allow privilege escalation to penetrate deeper into the network and execute malware.

Put otherwise: if your attacker has a sophisticated-enough understanding of the vulnerabilities at play in your system, they can break into an account with limited permissions and use that understanding to turn themselves into an administrator and gain access to even more sensitive information.

According to the aforementioned Securin research, there are 75 vulnerabilities with ransomware associations that could enable ransomware actors to elevate privileges and easily facilitate lateral movement across organizational domains, including the Windows CLFS Privilege Escalation vulnerability and the Microsoft Exchange Server Elevation of Privilege vulnerability.

4) Vulnerabilities Allowing Stealthy Movement

Increasingly, we’re seeing malicious actors use tactics like disabling security software or blocking script execution to invade and move laterally across vulnerable networks without being identified. One well-known example of this is the Mark-of-the-web bypass (T1553.005), which ransomware groups use to abuse specific file formats and override controls.
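The Mark-of-the-web is the origin tag Windows writes to a downloaded file in an NTFS alternate data stream named Zone.Identifier; SmartScreen and Office Protected View decide how cautiously to treat the file based on it, which is why a bypass of that mark (T1553.005) defeats controls downstream. The PowerShell script below is an added example, not code from the article: it reads that stream for every file under a folder and reports the zone and source URL, flagging files that carry no mark at all. The folder path is an assumed default, and the list of container extensions is a constructed one chosen because archives and disk images have historically not propagated the mark to the files inside them.

```powershell
# Added example (not from the article): inspect the Mark-of-the-Web on files in a
# folder. Windows stores a downloaded file's origin zone in an NTFS alternate
# data stream named Zone.Identifier; defenders audit it because controls such as
# SmartScreen and Protected View key off that mark.
# $Folder is an assumed default; point it at the directory you want to audit.
param([string]$Folder = "$env:USERPROFILE\Downloads")

function Get-MotwReport {
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Recurse | ForEach-Object {
        $file = $_
        # ZoneId 3 = Internet, 4 = Restricted sites; $null means no mark present.
        $zone = $null
        $hostUrl = $null
        $stream = Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($stream) {
            foreach ($line in $stream) {
                if ($line -match '^ZoneId=(\d+)') { $zone = [int]$Matches[1] }
                if ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
            }
        }
        [pscustomobject]@{
            File      = $file.FullName
            Extension = $file.Extension.ToLower()
            ZoneId    = $zone
            HostUrl   = $hostUrl
            # Constructed list: container formats whose inner files can lose the
            # mark on extraction or mount, so an unmarked one deserves a second look.
            Container = $file.Extension -match '^\.(zip|7z|rar|iso|img|vhd|vhdx)$'
        }
    }
}

$report = Get-MotwReport -Path $Folder
$report | Format-Table -AutoSize

# Container files that arrived with no Mark-of-the-Web at all.
$report | Where-Object { ($null -eq $_.ZoneId) -and $_.Container } |
    ForEach-Object { Write-Warning "No Mark-of-the-Web on container file: $($_.File)" }
```

Reading the stream with Get-Content -Stream is the same check that controls such as SmartScreen perform, so a file that shows no ZoneId here will be treated as local by those controls; that gap, rather than the file's extension, is the signal to act on.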

Or take the example of BlackByte, a significant new ransomware gang that the FBI issued a warning about last year. BlackByte has become known for a technique that, according to ZDNet, “allows attacks to bypass detection by security products by exploiting a vulnerability in more than 1,000 drivers used in antivirus software.” This problem—which researchers describe as “Bring Your Own Driver”—suggests a significant and troubling new front in the war against ransomware attacks.

Ransomware attacks are on the rise, and it’s becoming increasingly apparent that every organization, regardless of industry or size, is at risk. No one can hope to protect themselves from ransomware attacks fully. What organizations can do is avoid easy mistakes—properly training staff, getting a clearer sense of their system’s vulnerabilities, and taking serious steps to fix them. The war against ransomware might not be ending anytime soon, but we can take steps to limit the casualties along the way.