Why patching our way out of the ransomware problem is so hard
Ransomware groups have three ways that they primarily gain initial access to victim networks: phishing, use of stolen login information and exploitation of known vulnerabilities. One of these is not getting enough attention.
The first two methods of initial access have gotten a lot of attention. Organizations regularly host phishing awareness training for employees and conduct phishing exercises. After it was reported that the initial access vector for the Colonial Pipeline ransomware attack was an old password the ransomware actor likely found on an underground forum, this method has also gotten more attention. Organizations are investing in multi-factor authentication and taking other steps to reduce the likelihood of a successful credential reuse attack.
That leaves one last attack method (at least until ransomware groups discover a new attack vector): vulnerability exploitation. Ransomware groups exploiting vulnerabilities got a lot of attention after the REvil ransomware group, or an affiliate, used a previously unknown vulnerability (known as a zero-day) in their attack on Kaseya managed service provider customers.
But the real challenge when it comes to ransomware and vulnerability exploitation is not zero-days, but the well-known vulnerabilities commonly exploited by ransomware groups.
To demonstrate the problem of well-known vulnerabilities and ransomware I posted a chart similar to the one above on Twitter and asked for feedback from other security professionals who might have seen a ransomware actor exploit a vulnerability I missed. The end result was 47 vulnerabilities across 17 technologies. In other words, there is a huge attack surface that ransomware actors are targeting and, given the number of ransomware attacks so far in 2021, they appear to be winning.
This would normally be the part of the commentary where you would expect me to tell you to make sure you patch. And, yes, you should absolutely patch. But, everyone is aware of the need to patch. What I think most people aren’t aware of is the scope of the problem. Those that work in vulnerability management or study ransomware are painfully aware of how many vulnerabilities ransomware actors can exploit, but I don’t think most other people are. A new vulnerability comes out, ransomware actors start exploiting that vulnerability weeks or months later, every security expert tells you to patch it and everyone moves on to the next thing.
But there is a deeper problem that needs to be addressed. Ransomware actors, and other cybercriminals, are getting more adept at exploiting vulnerabilities and doing so more quickly. In fact, they are often building out exploits for vulnerabilities before most organizations can patch, giving the ransomware actors a big advantage.
How can organizations regain the upper hand with vulnerability management? It starts with good asset management. You need a complete and up-to-date asset inventory so you know if your organization is impacted by a new vulnerability.
Prioritize patching not by scoring, but by risk. What is the risk to your organization if you don’t prioritize patching this vulnerability? If the risk is a ransomware attack, then that should be a high-priority patch.
Finally, communicate that information to the teams that will actually be doing the patching, so they understand why it is a high priority. My experience conducting vulnerability management is that telling a story always gets better results than relaying a number. “This vulnerability is scored as a 10, so it is critical, please patch it,” does not have the same impact as: “Ransomware groups are using this vulnerability to gain initial access, encrypt systems and steal files.” Conveying the severity of a vulnerability in relatable terms is likely to ensure it is prioritized in patching.
I really want to thank everyone from around the world, especially Twitter user “pancak3lulklz” for his many suggestions, who contributed to the chart shown above. This was a great effort by people from all over the security community, and hopefully it helps to convey the scope of one facet of the ransomware attack surface.
This story was featured in StateScoop Special Report: Cybersecurity (2021)