Exploitation, the use of a software flaw to gain entry to a network, is becoming a more popular initial entry attack vector among ransomware threat actors. As recently as 2019, exploitation accounted for initial entry in only 5% of ransomware attacks. Most attackers found it easier to use social engineering (for instance, sending a phishing email message to an employee of a targeted organization) or to break user passwords than to look for software flaws that permit entry. 2020 and 2021 have seen dramatic changes, with exploitation accounting for initial entry in almost 20% of ransomware attacks in the first quarter of 2021. As with all ransomware statistics, it’s impossible to know the full picture, but the general trend is clear: exploitation is becoming a more popular initial entry attack vector.
This makes sense. Ransomware groups and their affiliates have gotten increasingly sophisticated and more comfortable with developing and using exploits. This was perfectly illustrated by the timeline for the ZeroLogon vulnerability (CVE-2020-1472) shown in the image below. Microsoft announced the vulnerability on Aug. 11, 2020 (T1). ZeroLogon is an elevation of privilege vulnerability in the NetLogon process that could give an attacker access to an organization’s Active Directory Domain Controller. Active Directory plays an important role in manual ransomware attacks, so an exploit that granted access to Active Directory was inevitably going to be adopted by ransomware groups. The ZeroLogon exploit is used during the reconnaissance phase of the ransomware attack, but the same trend applies to initial access exploits used by ransomware groups and their Initial Access Brokers (IABs).
Timeline from announcement of the ZeroLogon vulnerability to the use by a ransomware actor (Image courtesy of Recorded Future)
By Sept. 16 a proof of concept (PoC) exploit had been released (T2). The first reports of a ransomware actor using the exploit against the vulnerability came on Oct. 20 (T3), just over two months from the announcement of the vulnerability (and likely a lot sooner in reality, because there’s usually a delay between a tool’s use in an attack and the first report of its use). This pattern has repeated itself over and over again in 2020 and 2021: a new vulnerability is discovered, sample exploit code is released, and ransomware groups pick up on it almost immediately. One example of this is CVE-2021-22005, a remote code execution (RCE) vulnerability in VMware vCenter. The vulnerability was reported on Sept. 21, 2021. By Sept. 22, threat actors were already scanning for vulnerable systems, and by Sept. 28 there was a working exploit that ransomware groups and other threat actors were using to gain access to vulnerable systems.