Research: Ransomware Operators Exploiting Old Vulnerabilities

Date:

February 16, 2023

World map

New research published in the 2023 Spotlight Report: Ransomware Through the Lens of Threat and Vulnerability Management found that more than three-quarters of all ransomware-related vulnerability exploits observed throughout 2022 targeted older bugs disclosed between 2010 and 2019.

Most of the vulnerabilities were low to medium severity levels, making it more likely that they were lower on an organization's priority list for remediation or were simply never addressed. For many of these vulnerabilities, exploits have been available for quite some time. In many cases, the exploits have been built into exploit tool kits and largely automated, so we're also seeing an increase in ransomware attacks displaying these more sophisticated attack sequences.

"Ransomware gangs are persistently going after old vulnerabilities and have been weaponizing them systematically. Out of the 264 old vulnerabilities, 208 of them have exploits that are publicly available,” reported TechTarget.

“Of these, 131 have RCE/PE (remote code execution or privilege escalation) exploits, which make them extremely dangerous. What is more worrying is the fact that 119 of them are actively trending in the deep and dark web as a point of interest for hackers."

Takeaway: The marked increase in the exploitation of vulnerabilities by ransomware gangs is further evidence that criminal actors continue to employ increasingly complex techniques that we used to only see in state-supported operations. Ransomware attacks used to be more clumsy and random, basically a numbers game where massive email spam campaigns or drive-by watering hole attacks designed to infect as many individual devices as possible while asking for ransoms of a fraction of a bitcoin - but those days have largely passed.

Today's more robust ransomware operations, or RansomOps, can involve a range of threat actors who each specialize in different aspects of a more extensive operation, essentially monetizing every stage along the way. This can include initial access brokers (IABs) who infiltrate networks and then sell the access to other groups, such as an affiliate user who is also "renting" attack infrastructure from a RaaS provider and then perhaps using the services of a specialist who can facilitate negotiations with the victims and the laundering of any proceeds, and so on. 

As these different specialist roles have evolved, it's no surprise that we have seen a corresponding evolution in the threat actors' TTPs, which includes the leveraging of a wide range of vulnerabilities.

The fact that these attackers are leveraging exploits for well-documented vulnerabilities means we have the opportunity to detect and stop these ransomware operations earlier in the attack sequence. Many of the TTPs they employ are common and should help to reveal the weeks or more of detectable activity on the network that occurs before the actual ransomware payload is delivered.

Organizations with the right controls in place stand a good chance of disrupting these attacks at initial ingress when these known exploits are likely to be used or when the attackers begin to move laterally on the network and seek to escalate privileges. The ransomware payload is the very tail-end of a longer attack, so a multi-layer defense strategy that is designed to detect more than just the detonation of a ransomware binary is critical to detecting earlier and remediating against these attacks faster.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more.