Exploitation


Exploitation & Ransomware

Exploitation as an initial entry attack vector is becoming more popular among ransomware threat actors. While it’s impossible to know the full picture, as recently as 2019 exploitation accounted for initial entry in only 5% of ransomware attacks. Most cyberattackers find it easier to use social engineering—for instance, to send a phishing email message to an employee of a targeted organization—or break user passwords than to look for software flaws that permit entry. Using a software flaw to gain entry to a network is called exploitation. 2020 and 2021 have seen dramatic changes, with exploitation accounting for initial entry in almost 20% of ransomware attacks in the first quarter of 2021. As with all ransomware statistics, it’s impossible to know the full picture, but general trends show that exploitation is becoming more popular as an initial entry attack vector.
This makes sense. Ransomware groups and their affiliates have gotten increasingly sophisticated and more comfortable with developing and using exploits. This was perfectly illustrated by the timeline for the ZeroLogon vulnerability (CVE-2020-1472) shown in the image below. Microsoft announced the vulnerability on Aug. 11, 2020 (T1). ZeroLogon is an elevation of privilege vulnerability in the NetLogon process that could give an attacker access to an organization’s Active Directory Domain Controller. Active Directory plays an important role in manual ransomware attacks, so an exploit that allowed ransomware groups access to Active Directory was inevitably going to be adopted by ransomware groups. The ZeroLogon exploit is used during the reconnaissance phase of the ransomware attack, but these same trends apply to initial access exploits used by ransomware groups and their Initial Access Brokers (IABs).
Timeline from announcement of the ZeroLogon vulnerability to the use by a ransomware actor (Image courtesy of Recorded Future)
By Sept. 16 a proof of concept (PoC) exploit had been released (T2). The first reports of a ransomware actor using the exploit against the vulnerability came on Oct. 20 (T3)—just over two months from the announcement of the vulnerability (and likely a lot sooner, because there’s usually a delay between a tool’s use in an attack and the first report of its use). This pattern has repeated itself over and over again in 2020 and 2021. A new vulnerability is discovered, sample exploit code is released, and ransomware groups pick up on it almost immediately. One example of this is CVE-2021-22005, a remote code execution (RCE) vulnerability in VMware vCenter. The vulnerability was reported on Sept. 21, 2021. By Sept. 22, threat actors were already scanning for vulnerable systems, and by Sept. 28 there was a working exploit that the ransomware group and other threat actors were using to gain access to vulnerable systems.

Common Vulnerabilities Exploited by Ransomware

There are really two types of vulnerabilities used by ransomware groups:
Initial access
Reconnaissance and privilege escalation

Initial access vulnerabilities are primarily used by IABs, rather than the ransomware groups themselves. Most IABs get their start scanning for and finding access to Internet-facing Remote Desktop Protocol (RDP) servers. But that’s an increasingly crowded field with a low barrier to entry, so the more skilled IABs have moved on from RDP to other targets to attempt credential reuse or credential stuffing attacks. Still, other IABs focus primarily on the exploitation of well-known vulnerabilities.

Initial Access Vulnerabilities

While the diversity of targets and methods of vulnerability exploitation have changed over time, vulnerability exploitation isn't new to ransomware. In 2016 SamSam relied heavily on exploiting JBoss vulnerabilities to gain access to its victims. Specifically, SamSam used an offensive security tool called JexBoss to carry out exploitation, just as many IABs use Metasploit today to carry out their exploitations. Interestingly, SamSam eventually moved from exploiting vulnerable JBoss servers to scanning for and launching credential stuffing/reuse attacks against RDP servers likely because, with little competition at that time, it was easier.
"RDP and Other Remote Login Attacks" discusses the expanded attack surface created by organizations having more employees working from home during the COVID-19 pandemic. That doesn’t just mean more Internet-facing RDP and other remote access systems that could be hit with credential stuffing/reuse attacks, it also means more remote access systems that are vulnerable to exploitation.

High-Speed Attacks

In 2020 and 2021 alone, IABs working primarily for ransomware actors actively exploited vulnerabilities in the following systems for initial access to victim organizations:
Citrix
Microsoft Exchange
Pulse Secure VPN
Fortinet VPN
SonicWall Mobile Gateway
F5
Palo Alto

Again, all of these attacks were based on well-known vulnerabilities that had exploit code released and usually a module in Metasploit. IABs conduct scans looking for these vulnerable systems, just as they do for potential RDP targets.
A list of vulnerabilities used by ransomware groups to gain initial access, separated by technology
The image above lists many of the initial access vulnerabilities that have been exploited by IABs for ransomware groups in 2020 and 2021. Note that there’s a lot of interest in Pulse Secure VPN vulnerabilities. Once attackers get comfortable using repeated exploits against a vulnerable system, they tend to seek out new vulnerabilities for that system. Because many IABs have targeted Pulse Secure VPN’s vulnerabilities and the exploits work reliably, the IABs are quick to jump on Proof of Concept (PoC) exploit code for a new vulnerability when it’s released.
A timeline of the CVE-2021-26855 vulnerability from initial report to ransomware
A similar situation played out with Microsoft Exchange vulnerabilities as an initial access vector. CVE-2021-26855 (also known as ProxyLogon) was first published by Microsoft on March 2, 2021. When the vulnerability was first reported, it was already being exploited by state-sponsored groups, but several ransomware groups, many believed to be originating from China, also took an interest. Within 10 days (see timeline above) they were exploiting the vulnerability to deliver their ransomware. In May 2021 Microsoft patched three additional vulnerabilities in Microsoft Exchange that could be exploited together, a style of attack known as exploit chaining. The combination of the three vulnerabilities was referred to as ProxyShell. By August, ransomware groups everywhere were exploiting these vulnerabilities.


Why Don’t Organizations Install Patches to Fix Vulnerabilities?

As the image above demonstrates, ransomware groups and their IABs look at a diverse set of edge devices for initial exploitation. There are very few Internet-facing technologies for which absolutely no RCE vulnerability has been published. Organizations that aren’t quick to patch their systems will likely be victims of ransomware attacks.

Part of the problem is that ransomware actors move faster than organizations can patch. It’s easy to advise rapid patches for vulnerable systems. But there are a lot of challenges associated with vulnerability management that can make it difficult to patch in a timely manner.
Most organizations don’t have a dedicated vulnerability management person, much less a team. Vulnerability management is often an ancillary duty, and is split among multiple teams. The endpoint team is responsible for patching endpoints, the server team is responsible for patching servers, and the networking team is responsible for patching networks. Even in organizations with a vulnerability management team, that team is only responsible for letting other teams know about what needs to be patched. So the vulnerability management team can warn repeatedly about threats, but ultimately they have to rely on other teams to find the time to patch.

The patching cycle that many organizations have is also much slower than the weaponization cycle of many ransomware groups. It’s not uncommon for organizations to prioritize patching based on criticality, with service-level agreements (SLAs) applied to each level. For example, P1 vulnerabilities are scored on the Common Vulnerability Scoring System (CVSS) as Critical or High, and the SLA for patching those systems may be a month. P2 (Medium) and P3 (Low or None) will have SLAs for patching that are even longer. Unfortunately, the exploitation cycle for ransomware groups can be a lot faster than that. This gives ransomware groups an unfair advantage. They need to find exploits for only some vulnerabilities, while vulnerability management teams need to patch everything.
On top of that, some technologies are difficult to update. Microsoft Exchange is notoriously finicky to update, with patches often causing more problems. VPNs can also be challenging to update, especially with a geographically diverse workforce. These Internet-facing systems are critical to increasingly remote workforces, so the hours lost during a test and update cycle can cost organizations a lot of money.
Despite these challenges, patching is increasingly important, especially as ransomware groups progressively rely on exploitation for initial access. As discussed earlier, exploitation of well-known vulnerabilities doesn’t cost ransomware groups and their IABs anything except time. This low cost of entry leads more threat actors to show interest in scanning for and exploiting known vulnerabilities, creating a constantly growing threat to organizations.

Vulnerabilities Inside the Network

Initial access vulnerabilities target a diverse group of vendors and technologies, but once inside the network, ransomware actors are often interested in just one vendor: Microsoft. Whether it’s an elevation of privilege or RCE vulnerability, the targets are (almost) always Microsoft.

Microsoft being the only target is a bit of an exaggeration because ransomware groups are increasingly interested in VMware ESXi and Linux, but most ransomware attacks by far are still targeting Windows systems on Active Directory networks and, unfortunately, these challenges are getting worse.
The ZeroLogon vulnerability was discussed above, but it’s not the only recent Microsoft vulnerability widely exploited by ransomware groups. CVE-2021-34527, also known as PrintNightmare, has been widely exploited by ransomware groups. Part of the reason that PrintNightmare has been so attractive is that many organizations use their Active Directory controller as a print spooler, so exploiting this vulnerability gives the ransomware attacker access to Active Directory and thus the entire network. PrintNightmare was announced in July and was being actively exploited by ransomware groups by the end of the month.

CVE-2021-36942 is another example of a Microsoft vulnerability used by ransomware groups. CVE-2021-36942, also known as PetitPotam, is a Windows Local Security Authority (LSA) spoofing vulnerability. The method of attack was released in a whitepaper at the end of June 2021, Microsoft published the vulnerability on Aug. 10, and by Aug. 23 ransomware groups were exploiting it, once again to gain access to Active Directory servers.
Ransomware groups don’t always need to use exploitation once they’ve gained initial access. There are plenty of other tools, discussed in the next part of the book, that are available to ransomware affiliates that allow them access to the privileges and systems they need to exfiltrate files and deploy ransomware. This means that even a fully patched network can be vulnerable to a ransomware attack once the attacker has gained initial access. This is why it’s so important to stop ransomware attackers at the edge, rather than trying to catch and stop them once they’ve gained access.

Linux

While exploiting Microsoft Windows vulnerabilities is the primary focus of ransomware groups once they’re inside the network, there’s increasing interest in accessing Linux and VMware ESXi systems, as well. It isn’t known at this point what percentage of ransomware attacks involve these systems, only that it’s growing. This is discussed a bit on the "Creating Disaster Recovery and Incident Response Plans" page.
Linux exploitation inside a network by ransomware groups tends to be opportunistic. As ransomware actors are conducting reconnaissance, they look for Linux systems with well-known vulnerabilities, such as CVE-2017-1000253 (a privilege escalation vulnerability in the way Linux loads ELF executables). Generally, exploits for these vulnerabilities are readily available in the tools the ransomware actors use, such as Metasploit. Ransomware groups aren’t rushing to get exploits prepared for new Linux vulnerabilities as they would for new Windows vulnerabilities. Rightly or wrongly so, ransomware actors don’t always feel there’s value in encrypting Linux systems.
An ad on the Russian cybercriminal XSS forum selling initial access to Linux servers
This preference for operating systems is reflected even in IAB ads on hacking forums. Initial access to Linux servers is generally worth less to the ransomware community. The ad from the Russian cybercriminal XSS forum in the image above is a typical example. While initial access to Windows systems normally goes for several thousand dollars, this threat actor is having trouble selling access to two Linux servers for $500 (it doesn’t appear anyone ever took them up on the offer, either). Strategically, Linux servers can be very important to a ransomware operation, and many ransomware groups have Linux variants of their ransomware, but the operating system is still not a high priority.

Flying Under the Radar?

Just because ransomware groups aren’t prioritizing attacks on Linux systems doesn’t mean that no one is. Many cybercriminals are very focused on Linux vulnerabilities, especially groups focused on cryptocurrency mining. There are also some Linux targets, such as cloud or hosting providers, that are very attractive to ransomware groups. The point of this section is not to downplay the importance of Linux security, but instead lay out the landscape of attacks today, knowing that it could change in the future.

VMware ESXi

VMware ESXi is a different story. Not only have ransomware groups seen value in penetrating it, they’re actively looking to exploit and gain access to ESXi servers. It makes sense: Why encrypt files on one system at a time, when you can encrypt dozens of operating systems simultaneously with one command?

At least two ESXi vulnerabilities are widely exploited currently by ransomware groups—CVE-2019-5544 and CVE-2020-3992—and there will undoubtedly be more in the future. On top of that, many ransomware groups maintain an ESXi-specific variant. Ransomware groups or IABs have exploited the VMware vCenter vulnerability, CVE-2021-21985, shown in the list of vulnerabilities diagram, for initial access in order to gain access to ESXi servers.
Unlike access to Linux systems being sold on underground forums, there is a consistent demand and higher valuation placed on ESXi access. Dozens of ads are posted to ISS and other underground forums, as shown in the screenshot below, looking to buy or sell ESXi access. As organizations continue to push more services to cloud infrastructure, both inside and outside their organization, ransomware actors’ interest in ESXi as a target will continue to grow.

What Happens When a Virtual Machine Shuts Down?

Ransomware groups often attack ESXi servers by first gaining access using either an exploit or stolen credentials. Next, they shut down the virtual machines on that ESXi server, because they can’t install the ransomware while the virtual machines are still running. After that they install the ransomware, so that all of the virtual machines are encrypted and can’t be brought back up.
What happens when a virtual machine shuts down? Who gets the notification? Given the increased interest in ESXi servers by ransomware groups, Security Operation Centers (SOCs) should be getting notified when all of the virtual machines start shutting down on an ESXi server. The alert should be a high-priority one and the SOC must act on it immediately. If the notification of shutdown is sent to the SOC and they can stop the attack in progress, there’s a good chance they can prevent the ransomware attack from succeeding.
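One way a SOC could implement the mass-shutdown alert described above, as an added example that is not from the book: it raises a single high-severity alert when most of a host's virtual machines power off inside a short window, and ignores a VM that is powered back on. The event tuple format, host and VM names, inventory and thresholds are all assumptions; real events would come from whatever your virtualization platform logs to your SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: which VMs normally run on each ESXi host.
INVENTORY = {
    "esxi-01": {"vm-web1", "vm-db1", "vm-file1", "vm-dc1", "vm-app1"},
    "esxi-02": {"vm-a", "vm-b", "vm-c", "vm-d"},
}

# Constructed, already-normalized events: (timestamp, host, vm, event).
SAMPLE_EVENTS = [
    ("2021-07-01T22:00:00", "esxi-02", "vm-a", "power_off"),   # maintenance
    ("2021-07-01T22:05:00", "esxi-02", "vm-a", "power_on"),
    ("2021-07-02T01:00:10", "esxi-01", "vm-web1", "power_off"),
    ("2021-07-02T01:00:40", "esxi-01", "vm-db1", "power_off"),
    ("2021-07-02T01:01:15", "esxi-01", "vm-file1", "power_off"),
    ("2021-07-02T01:30:00", "esxi-02", "vm-b", "power_off"),   # isolated event
    ("2021-07-02T01:02:05", "esxi-01", "vm-dc1", "power_off"),
    ("2021-07-02T01:02:30", "esxi-01", "vm-app1", "power_off"),
]


def detect_mass_shutdown(events, inventory, window=timedelta(minutes=10),
                         min_fraction=0.8, min_vms=3):
    """Return one alert per host whose VMs are shutting down en masse.

    A host alerts when at least `min_vms` distinct VMs, making up at least
    `min_fraction` of its inventory, are powered off within `window`.
    """
    last_off = defaultdict(dict)  # host -> {vm: time of latest power-off}
    alerted = set()
    alerts = []
    for ts, host, vm, kind in sorted(events):  # ISO timestamps sort by time
        now = datetime.fromisoformat(ts)
        off = last_off[host]
        if kind == "power_on":
            off.pop(vm, None)  # VM came back: routine restart, stop counting it
            continue
        if kind != "power_off":
            continue
        off[vm] = now
        # Drop power-offs that have aged out of the sliding window.
        for stale in [v for v, t in off.items() if now - t > window]:
            del off[stale]
        total = len(inventory.get(host, ()))
        if host in alerted or total == 0:
            continue
        if len(off) >= min_vms and len(off) / total >= min_fraction:
            alerted.add(host)
            alerts.append({
                "host": host,
                "time": ts,
                "severity": "high",
                "vms_down": sorted(off),
                "fraction": len(off) / total,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_shutdown(SAMPLE_EVENTS, INVENTORY):
        print(alert)
```

The window and fraction need tuning against planned maintenance, which also powers off every VM on a host; suppressing the alert only during approved change windows keeps it high priority the rest of the time.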

Exploitation vs. Phishing and RDP Attacks

Today, depending on who's doing the reporting, either phishing or credential stuffing/reuse attacks against RDP are the most common way for ransomware actors to gain initial access. These attack methods aren’t going away any time soon. In fact, phishing attacks increased during the COVID-19 pandemic and show no signs of slowing down.
However, with many organizations going back to work in offices, the number of Internet-facing RDP servers has decreased (as is noted on the "RDP and Other Remote Login Attacks" page). And that number will likely continue to decrease, especially as more organizations become aware of the risk associated with having these servers so easily accessible.

There will still be a place for credential stuffing/reuse attacks. There are plenty of other Internet-facing systems that IABs or ransomware actors can target with these attacks, but you should expect to see the continued growth of exploitation as a means of initial entry. The IAB market is more professionalized than it was just a couple of years ago. Plus, just as ransomware groups have more money than ever before, IABs have enjoyed a steady stream of income for the past couple of years. This has allowed them to invest heavily in improving their ability to exploit vulnerable systems.
As of mid-July 2021, 33 zero-day vulnerabilities were known to have been exploited in the wild. That’s more than the 25 in all of 2020. Zero-day vulnerabilities used to be the domain of state-sponsored actors, but that’s no longer the case.

Exploitation and Managed Service Providers

Ransomware groups are increasingly interested in managed service providers (MSPs) as a method of delivering ransomware. This is natural because MSPs have access to a lot of client data and often have direct access into client networks. Most ransomware attacks involving MSPs primarily involve encrypting client data in an effort to force the MSP to pay the ransom (or, as discussed on the "The Importance of Cryptocurrency, RaaS, and the Extortion Ecosystem" page, contacting the clients of the MSP to get the clients to encourage the MSP to pay).

But there's both a history of and growing interest by ransomware actors in using the MSP to deliver the ransomware. This is what happened when TSM Consulting was used to deliver ransomware to 22 towns and cities in 2019. Also, in 2019 MSPs used tools from Webroot and Kaseya to deliver ransomware. A Kaseya incident from 2021 will be discussed in depth in the next section.
MSPs rely heavily on remote monitoring and management (RMM) to manage their client networks. RMM tools are incredibly useful for managing networks. They allow the MSP to remotely install new patches, make configuration changes, and install new software to a lot of clients simultaneously. RMM tools are also very useful for troubleshooting and fixing problems.
One of the reasons why MSPs are so attractive to ransomware groups is that RMM is also a convenient way for threat actors to push their ransomware to many victims across multiple organizations simultaneously. That’s one of the reasons that ransomware groups gained access to more than an estimated 100 MSPs in 2019 and even more in 2020. MSPs will continue to be an attractive target to ransomware groups, especially when the MSP attack can be combined with a zero-day exploit, as seen in the Kaseya ransomware attack that occurred in early July 2021.

Ransomware and Zero-Day Exploits

On July 2, 2021, an incident responder from the incident response (IR) firm Huntress Labs posted on Reddit that they were tracking a “Critical Ransomware Incident in Progress.” As urgent as the phrase sounds, it was actually a bit of an understatement. The ransomware attack targeted MSPs that had Internet-facing instances of the Kaseya Virtual System Administration (VSA) software running and used the VSA software to deliver the REvil ransomware to clients of the compromised MSPs.

As many as 60 MSPs, up to 2,000 customers, and potentially tens of thousands of computers were affected by the ransomware. It was the largest attack since the WannaCry and NotPetya attacks in 2017. REvil, or one of its affiliates, was so successful because they managed to exploit a previously unknown vulnerability in the Kaseya VSA software—in other words, a zero-day.
The vulnerability, now known as CVE-2021-30116, had actually been reported to Kaseya and the company was working on patching it. It just wasn’t fast enough. Whether REvil uncovered the vulnerability themselves or purchased it from an unethical researcher isn’t known at this time. Either way, the attack represents a concerning trend in the development of ransomware, and one that’s likely to get worse.

The market for zero-days used to be wide open, but in recent years it has become largely the domain of state-sponsored groups. Cybercriminals, especially IABs and ransomware groups, are investing their money in finding and weaponizing vulnerabilities faster and with fewer errors. This allows them to move faster than the organizations they’re attacking can defend against the attacks. Ransomware groups will continue to use exploits to gain initial access.
While ransomware groups have the resources to hire malware researchers or to buy zero-day exploits from vulnerability researchers, that equation is starting to change. Ransomware groups are making a lot of money: In 2020, REvil claimed to have made more than $100 million and overall ransomware groups made at least $350 million. This means that ransomware groups have the means to buy exploits for zero-day vulnerabilities, and they seem very interested in doing so. Although Kaseya is one of the first ransomware attacks to exploit a previously unknown zero-day, it’s not the first to exploit known vulnerabilities that hadn't been exploited previously. In April 2021 it was reported that the HelloKitty ransomware was exploiting a known vulnerability in the SonicWall Secure Mobile Access (SMA) VPN appliances, CVE-2019-7481. Although the vulnerability was known, it had not been exploited previously.
As ransomware groups continue to grow more sophisticated, expect continued interest in zero-day exploits targeting software that will allow the ransomware group to target more victims. Anything that might provide them with a strategic advantage and allow them to recoup the cost will be of interest.

Practical Patching Advice

Ransomware groups have hundreds of IABs scanning for vulnerabilities and exploiting them to turn around and resell for ransomware deployment. These threat actors are just one of many cybercriminal types looking to exploit these devices. This doesn’t take into account state-sponsored groups doing the same thing, potentially at an even larger scale.
How can organizations protect themselves? It seems that any little mistake could result in an Internet-facing system being compromised and attacked by ransomware. Even organizations that get everything right could get hit with a zero-day exploit, and those can’t be defended against, right?

First, it's important to effectively manage risk.

The diagram at the top of this page lists 30 well-known vulnerabilities across 13 technologies that ransomware groups are actively exploiting, in contrast to the single zero-day vulnerability exploited to date. Yes, ransomware groups may be looking to exploit zero-day vulnerabilities, but the bigger threat is absolutely from well-known vulnerabilities. Defending against those is going to protect you from the vast majority of ransomware attacks that rely on exploitation as the initial access vector.
Organizations need to do all of the following to effectively protect themselves from exploitation by ransomware groups:
Asset management
Responsive patching
Monitoring high-risk devices

Responsive Patching

Even large organizations that have dedicated vulnerability management teams have trouble managing a patching program. The number of different systems and software running in an organization of any size has grown geometrically, and along with that so has the number of vulnerabilities. The chart below shows the number of vulnerabilities through August of 2020 and 2021 published in the National Vulnerability Database. In 2020, the number of vulnerabilities during that time period was 12,369, of which 341 were labeled Critical. During the same time period in 2021, the number was 12,917, of which 288 were labeled Critical.
Comparing vulnerabilities from January to August 2020 and 2021 (source: National Vulnerability Database)

That's a lot for any organization to manage and explains why it often takes months to patch even critical vulnerabilities. Therefore, you should prioritize patching based on the impact to your particular organization, not the CVSS score. A vulnerability affecting an Internet-accessible system should be prioritized over other vulnerabilities, even if it has a lower score. Vulnerabilities that are confirmed to be in use by ransomware groups should be patched immediately.

The next group to be patched includes vulnerabilities affecting internal systems that are often targeted by ransomware groups, such as Active Directory, Exchange (if not exposed to the Internet), and ESXi. That doesn’t make them any less important; there’s simply a little more time to get to these systems, especially if the perimeter is properly secured.
A lot of great information is available from the Cybersecurity and Infrastructure Security Agency (CISA) and other sources about which technologies and vulnerabilities are being exploited by ransomware groups. Subscribing to those sources and using them to help prioritize patching will help keep an organization more secure.
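The prioritization described in this section, sketched as an added example (not from the book) and set against the CVSS-only P1/P2/P3 scheme described earlier on the page. The tier ordering is one reading of the text; the hostnames, role names, placeholder `CVE-EXAMPLE-*` identifiers and every CVSS value are constructed for the demo and are not published scores.

```python
from dataclasses import dataclass

# CVEs this page names as exploited by ransomware groups. In practice this
# set would be fed from CISA and other advisories rather than hard-coded.
RANSOMWARE_CVES = {
    "CVE-2020-1472", "CVE-2021-22005", "CVE-2021-26855", "CVE-2021-34527",
    "CVE-2021-36942", "CVE-2019-5544", "CVE-2020-3992", "CVE-2021-21985",
    "CVE-2021-30116", "CVE-2019-7481",
}

# Internal systems the page singles out as frequent ransomware targets.
# The role labels themselves are an assumption about your asset inventory.
HIGH_VALUE_INTERNAL = {"active-directory", "exchange", "esxi"}


@dataclass
class Finding:
    host: str
    role: str
    internet_facing: bool
    cve: str
    cvss: float  # constructed demo value, not the CVE's published score


def tier(f: Finding) -> int:
    """0 = patch immediately, 1 = Internet-facing, 2 = key internal, 3 = rest."""
    if f.cve in RANSOMWARE_CVES:
        return 0
    if f.internet_facing:
        return 1
    if f.role in HIGH_VALUE_INTERNAL:
        return 2
    return 3


def cvss_bucket(f: Finding) -> str:
    """The CVSS-only scheme: P1 = Critical/High, P2 = Medium, P3 = Low/None."""
    if f.cvss >= 7.0:
        return "P1"
    return "P2" if f.cvss >= 4.0 else "P3"


def prioritize(findings):
    """Order by exposure tier first; CVSS only breaks ties inside a tier."""
    return sorted(findings, key=lambda f: (tier(f), -f.cvss, f.host))


def deferred_by_cvss(findings):
    """Top-tier findings that a CVSS-only SLA would push out of P1."""
    return [f for f in prioritize(findings)
            if tier(f) <= 1 and cvss_bucket(f) != "P1"]


# Constructed scan results.
SAMPLE_FINDINGS = [
    Finding("ws-114", "workstation", False, "CVE-EXAMPLE-0001", 9.8),
    Finding("vpn-gw-01", "vpn", True, "CVE-EXAMPLE-0002", 6.1),
    Finding("dc-01", "active-directory", False, "CVE-2021-36942", 5.3),
    Finding("esxi-03", "esxi", False, "CVE-EXAMPLE-0003", 7.2),
    Finding("mail-01", "exchange", True, "CVE-2021-26855", 9.1),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(tier(f), cvss_bucket(f), f.host, f.cve)
    print("deferred by CVSS-only SLA:",
          [f.host for f in deferred_by_cvss(SAMPLE_FINDINGS)])
```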

Monitoring High-Risk Devices

Despite your best efforts, it is possible to miss a patch or to patch a system after the ransomware group has exploited it. That’s why it’s so important to log as much information as possible from these high-risk devices and monitor them closely. Many exploits are noisy and leave a lot of traces in the logs. If the exploit doesn’t reveal itself on its own, the ransomware actors are often clumsy as they start to conduct reconnaissance and leave traces behind.
The ransomware groups are counting on logs from the systems being unmonitored or Security Operations Centers (SOCs) not responding to alerts in a timely fashion. Unfortunately, that gamble usually proves to be correct. Every network-based system has different logs and different ways of hunting for a potential intrusion, so outlining exactly what to do here would be difficult. Organizations should work closely with their vendors to understand what should be logged and how the SOC can look for indicators of an intrusion in those systems. Vendors are more than willing to help organizations get this monitoring up and running, to ensure that their products are not the cause of a breach.

Of course, alerting and acting are two different things.

It’s not enough just to send an alert about a potential intrusion. The SOC must have the ability to act quickly when these alerts happen, which may include the ability to order the device shutdown temporarily, even if that may disrupt the business. This is discussed more on the "Threat Hunting for Ransomware" page.
Exploitation for initial access by ransomware groups is a growing problem that all organizations need to worry about. While zero-day exploits may get the headlines, the bulk of ransomware attacks using exploitation as the initial attack vector will take advantage of well-known vulnerabilities. By prioritizing patching of vulnerabilities in software and technology that ransomware actors actively target, organizations can better protect themselves from this one initial access vector.

If You Enjoyed That - Download 
The Rest Of The 313 Page Book:
Ransomware: Understand. Prevent. Recover

This site is adapted from a book on Ransomware. 