How Ransomware Targets Your Organization in 2021

Ransomware is a malware that in the last two years has become an important threat to US companies and people. Any business, government, organization, or person can be a target for ransomware who is willing to pay a ransom to regain access to their information. The most common variants are crypto-ransomware and locker ransomware.

Crypto ransomware – Crypto ransomware looks for flaws and weaknesses in computers and devices – seeking out data that has not been backed up. This data can be anything of importance including financial data, large work projects, phone numbers, photos, tax, and videos.

Locker ransomware – Locker ransomware locks and shuts down the entire computer or mobile device and victims are asked to pay a ransom to release the computer or mobile device.

How Ransomware Targets:

Remote Desktop:

As employees moved workstations from their offices to their homes in a short period, there wasn’t much time for the organizations to reconfigure home networks and endpoints to establish multi-level security that’s inherent in enterprise networks. The year 2020 saw the biggest increase in RDP attacks after then, targeting U.S. companies.

Many ransomware attacks take their place in a target organization by means of weakness or the deployment of RDP software. As reported by ZScaler reports, Brute-forcing RDP is the most frequently used method for Windows system access and malware execution. Here are the recent RDS/RDP vulnerabilities :

CVE-2019-0787:

This vulnerability can be a problem for users who connects to a server that’s compromised.

CVE-2019-1181 / CVE-2020-0609 / CVE-2019-1182:

Attackers use these vulnerabilities to override remote code on a server running RDS.

SaaS Apps:

As software-as-a-service (SaaS) apps becoming the default system of record for organizations, attackers are now targeting SaaS to break into organizations from server operating systems to flaws in applications and Web also application frameworks.

The SaaS category had the most CVEs seen trending with active exploits among ransomware families. Attackers are looking for more severe vulnerabilities to reach targets that are capable of remote code execution (RCE) or privilege escalation (PE) when exploited. If your organization is deploying more SaaS applications, be prepared with primary security risks to understand where proper SaaS security should be applied.

Aged vulnerabilities:

In recent years ransomware attacks benefit from vulnerabilities that organizations have not noticed and with over half of vulnerabilities exploited. 63% of the CVEs analyzed were tied to high-value in which 52.6% of the ransomware vulnerabilities had a CVSS v2 score lower than 8. Targeting enterprise assets such as servers, application servers, and other critical assets allows attackers to maximize business disruption and demand higher ransom payments.

Attackers are continuing to target organizations through the exploitation of older Microsoft Word vulnerabilities such as:

CVE-2017-0199 :

This CVE was first disclosed and patched in April 2017. It allows an attacker to download and execute a Visual Basic Script containing PowerShell commands after the victim opens a malicious document containing an embedded exploit.

CVE-2017-11882:

This CVE was first disclosed and patched in November 2017. This vulnerability involves a stack buffer overflow in the Microsoft Equation Editor component of Microsoft Office that allows for remote code execution.

Common Weakness Enumeration (CWE):

It is easy to find and exploit these weaknesses. They are dangerous as they will frequently allow the bad actors to completely take over the execution of software, steal data, or prevent the software from working.

The NVD obtains vulnerability data from CVE which is 40% of CVEs linked to ransomware attacks and here are the new vulnerability disclosures that might appeal to ransomware families. Fixing these CWEs can make it harder for ransomware attackers and limit their use of critical safety patches :

  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-20: Improper Input Validation
  • CWE-264: Permissions, Privileges, and Access Controls
  • CWE-94: Improper Control of Generation of Code, or Code Injection
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

End Point Threat:

As ransomware continues to enjoy great success with employees struggle to recognize malicious emails and with the cyber skills gap, it may seem like ransomware is unstoppable. Public health and safety organizations, hospitals, and law enforcement agencies increasingly falling victim to attacks unleashed by malicious emails opened by unwitting employees. These organizations often wind up paying the ransom as they need urgent access to the compromised files.

Defenses that account for both the determination of cybercriminals and the certainty of human error are the needs of every organization. Advanced endpoint security provides real-time analysis of file movement and behavior across a whole network, unlike antivirus protection which only identifies specific signatures. Whenever a document is opened or shared, it is analyzed against a database to determine its potential risk based on how similar files have behaved.

Reference:

1. DeBeck, C., co-authored by Chris Caridi, Charles DeBeck Senior Cyber Threat Intelligence Analyst – IBM Charles DeBeck is a senior cyber threat intelligence strategic analyst with, DeBeck, C., Senior Cyber Threat Intelligence Analyst – IBM, & Charles DeBeck is a senior cyber threat intelligence strategic analyst with IBM X-Force Incident Response and Intelligence Services (IRIS). Charles brings 7 … read more. (2020, February 26). What’s Old Is New, What’s New Is Old: Aged Vulnerabilities Still in Use in Attacks Today. Security Intelligence. https://securityintelligence.com/posts/whats-old-is-new-whats-new-is-old-aged-vulnerabilities-still-in-use-in-attacks-today/.

2. Sheridan, K. (2021, February 22). 8 Ways Ransomware Operators Target Your Network. Dark Reading. https://www.darkreading.com/8-ways-ransomware-operators-target-your-network/d/did/1340221_mc=bib&itc=bib&utm_source=bib&utm_medium=bib&utm_campaign=Commentary&utm_term=Vulnerabilities+%2F+Threats&image_number=2