Another week, another depressing spate of ransomware stories. This time, ransomware attacked Campbell County Health in Wyoming and cloud security vendor Armor also reported that ransomware has laid low hundreds of schools in 2019 alone.
Now, another report from pen testing and vulnerability management company RiskSense warns that many of the vulnerabilities that ransomware exploits are far from new.
The company's Enterprise Ransomware report found that many of the vulnerabilities most popular in ransomware exploits are like dad jokes: old, and lame. The MS17-010 vulnerabilities — the ones that spawned the WannaCry ransomware — are still hugely popular. Ryuk, SamSam, and Satan all still use them, and they are great for spreading the ransomware quickly through a network. Trickbot, a Trojan that attackers commonly use to pave the way for ransomware infections, uses the EternalBlue MS17-010 exploit to spread itself through its victims' networks.
When it comes to vulnerabilities targeted by ransomware, though, these two-and-a-half-year-old bugs are mere whippersnappers. Ransomware routinely targets security flaws dating back as far as 2010, the report revealed.
Of the 57 vulnerabilities commonly targeted by ransomware, 31.5% (18) were from 2015 or earlier, according to the RiskSense analysis. Many of those older bugs (16) were still being exploited in the wild in 2018 or 2019. Gandcrab (the ransomware service that recently shut up shop), SamSam, and Sodinokibi among others all targeted these older vulnerabilities.
If ransomware continues to target old bugs, it’s probably because it's still hitting plenty of targets. This means organizations have not patched. Why would that be?
For many companies, patching software is not a trivial matter. It takes time, effort, and testing. A patch that causes problems for a system risks disrupting the business. Consequently, many IT departments may lack the resources to patch all their software. Instead, they have to triage. One way a company might do that is by looking at a vulnerability's Common Vulnerability Scoring System (CVSS) severity score. CVSS is a standard metric for assessing how dangerous a security bug is, and it’s based on a range of underlying data points.
Organizations relying entirely on CVSS scores for triage might choose to patch only those bugs considered critical. They might be missing a trick, though. One fact that emerged from RiskSense's analysis was that many of the vulnerabilities had CVSS v3 scores that fell just below the critical category, ranking as high severity instead.
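To make that triage gap concrete, here is an added Python example (not code from the article or from RiskSense) that compares a critical-only patch policy with one that also pulls in anything known to be exploited by ransomware. The vulnerability records, scores and years are constructed for illustration; only the CVSS v3 severity bands are real.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """One entry from a vulnerability scanner feed (constructed for this example)."""
    id: str
    cvss_v3: float
    year: int
    exploited_by_ransomware: bool  # e.g. from a threat-intel feed


def cvss_v3_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating (CVSS v3 bands)."""
    if score == 0.0:
        return "None"
    if score <= 3.9:
        return "Low"
    if score <= 6.9:
        return "Medium"
    if score <= 8.9:
        return "High"
    return "Critical"


def triage_critical_only(vulns):
    """Weak policy: patch only what CVSS calls Critical (9.0 and above)."""
    return [v.id for v in vulns if cvss_v3_severity(v.cvss_v3) == "Critical"]


def triage_exploit_aware(vulns):
    """Better policy: known-exploited bugs first (whatever their age), then Critical."""
    queue = [v for v in vulns
             if v.exploited_by_ransomware or cvss_v3_severity(v.cvss_v3) == "Critical"]
    # Exploited first, then highest score, then oldest (it has been exposed longest).
    queue.sort(key=lambda v: (not v.exploited_by_ransomware, -v.cvss_v3, v.year))
    return [v.id for v in queue]


def missed_by_critical_only(vulns):
    """Exploited bugs a critical-only policy would leave unpatched: the High-rated ones."""
    patched = set(triage_critical_only(vulns))
    return [v.id for v in vulns if v.exploited_by_ransomware and v.id not in patched]


# Constructed sample feed; identifiers are placeholders, not real CVE numbers.
SAMPLE = [
    Vuln("VULN-2010-A", 8.8, 2010, True),   # old, High, still exploited
    Vuln("VULN-2017-B", 8.1, 2017, True),   # High, just below Critical
    Vuln("VULN-2019-C", 9.8, 2019, False),  # Critical, no known ransomware use
    Vuln("VULN-2018-D", 7.5, 2018, False),  # High, not exploited
    Vuln("VULN-2016-E", 9.1, 2016, True),   # Critical and exploited
]

if __name__ == "__main__":
    print("critical-only:", triage_critical_only(SAMPLE))
    print("exploit-aware:", triage_exploit_aware(SAMPLE))
    print("missed:", missed_by_critical_only(SAMPLE))
```

Run against the sample feed, the critical-only policy skips both High-rated bugs that ransomware is actually using; the exploit-aware queue puts them ahead of the unexploited Critical one.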
All the normal rules of avoiding ransomware apply: make proper (offline) backups and train employees not to click links they don't recognize or open attachments they weren't expecting. However, software patching is also a big part of keeping ransomware out. Patching all vulnerabilities will go a long way towards fending off ransomware attacks, and represents another layer of defense against an increasingly pernicious threat. However, before many organizations can do that, they have to get their change management processes in order, which is easier said than done.