With most employees still working from remote locations, ransomware attacks have increased steadily since the early months of the Covid-19 pandemic. According to the FBI’s 2020 Internet Crime Report 2400+ ransomware-related incidents in 2020 resulted in a loss of about 29 million dollars. These numbers are only getting worse and do not include damage from incidents not reported to the FBI.
Ransomware attacks affect various industries worldwide, and ransomware demands continue to increase. Some recent examples include:
As seen above, industries ranging from education, manufacturing, electronics, research, health and more are impacted by ransomware.
To help organizations combat risks from ransomware, Qualys is introducing Ransomware Risk Assessment service. As outlined in our blog, the Qualys Ransomware Risk Assessment & Remediation service leverages the security intelligence which is curated by Qualys Research experts to map ransomware families to specific vulnerabilities, misconfigurations, and vulnerable software. The Qualys Ransomware Risk Assessment service enables organizations to:
Although cyber criminals use a variety of techniques to infect victims with ransomware, the most common means of infection are:
As mentioned above known vulnerabilities and weakness are one of the top infection vectors.
Qualys research team has performed extensive research on 36 prevalent ransomware families and have mapped them to 64 CVEs and the 247 QIDs that can detect them. The following is just a sample list of some of most widely used ransomware in the attacks along with the CVEs leveraged to infect systems.
Ransomware | Description | CVE (s) | QID (s) |
---|---|---|---|
Conti | The Conti ransomware strain will not only encrypt important files but will also exfiltrate them to a location controlled by the attacker. This method of extortion-ware is used to force victims to pay the ransom in order to avoid the sensitive data from being leaked. Conti operators are known to use well-known hacking tools such as Mimikatz and Cobalt Strike leading up to the encryption of files | CVE-2020-1472, CVE-2021-34527, | |
CVE-2017-0143, CVE-2017-0144, CVE-2017-0145 | 91680, | ||
91668, | |||
91785, | |||
91345, | |||
91360 | |||
Teslacrypt, PrincessLocker | TeslaCrypt ransomware was uploaded to VirusTotal in November 2014 but was more widely spread in early 2015 and continues to evolve. TeslaCrypt encrypts the files using AES-256 algorithm until the victim pays the ransom in either Bitcoin or Cash Cards. | CVE-2013-2551, CVE-2015-8651 | 168351, 168350, 124422, 168341, 168340, 100271, 124421 |
Locky, Cerber | Cerber ransomware is ransomware-as-a-service (RaaS), meaning an attacker can distribute the licensed copy of this ransomware over the internet and pay commissions to the developer. | CVE-2016-1019 | 256924, 256922, 177873, 176784, 296029, 296028, 170815, 170724, 170711, 170365, 256256, 170264, 236438, 170119, 256214, 170052, 276628, 236342, 157445, 169942, 169941, 169923, 276572, 169854, 169853, 176004, 196742, 196725, 370320, 276455, 175965, 168848, 168813, 168792, 168696, 168694, 168594, 100282, 124879, 124872 |
WannaCry, Badrabbit | The WannaCry ransomware — formally known as WanaCrypt0r 2.0 — spreads using an exploit called EternalBlue for a Windows OS vulnerability that Microsoft patched in March 2017. | CVE-2017-0145 | 91361, 91360, 91359, 91347, 91345 |
DearCRy, BlackKingdom | DearCry takes advantage of compromised Microsoft Exchange Servers with vulnerability CVE-2021-26855. When exploited, cybercriminals gain initial access to the Exchange Server and then install web shells. | CVE-2021-26855 | 50107, 50108 |
It is a daunting task to get a unified view of multiple critical ransomware exposures together such as internet-facing vulnerabilities, misconfigurations as well as unauthorized software. Qualys Ransomware Risk Assessment & remediation service dashboard enables security teams to see all the internet-facing assets that are exposed to ransomware related vulnerability or misconfiguration and take needed actions in the most impactful way. It also enables users to measure and track their effectiveness at addressing vulnerabilities or misconfigurations before they are used for ransomware attacks.
In addition, organizations should implement a good cyber hygiene program to scan vulnerabilities, discovery misconfigurations regularly with sufficient detection capabilities such as QIDs enabled, as well as an efficient automated process to deploy important security patches on targeted assets quickly with the scalability needed.
Qualys provides an all-in-one solution to discover, assess, prioritize, monitor, and patch critical vulnerabilities in real time and across your global hybrid-IT landscape. The following sections provide an overview of each of the critical components from Qualys product portfolio and how they can be uniquely valuable in the effort of combatting ransomware attacks.
Enables organizations to automatically discover every asset in their environment, including unmanaged assets appearing on the network, inventory all hardware and software, and classify and tag critical assets.
It is important to know your blind spots to protect against ransomware. Use CSAM to discover all assets, including the ones that are exposed to the internet as well as unknown/unmanaged assets that are connecting to your network.
CSAM automatically organizes your assets by their functional category by analyzing their hardware and installed software. Extends your inventory by incorporating key business information from your CMDB, such as status, environment, ownership, support groups, and business criticality.
CSAM enriches your asset inventory with in-context, relevant information to help you detect at-risk assets and applications. You can identify and set alerts for assets that are running unauthorized software or are not using anti-virus/endpoint security tools.
CSAM enriches your asset inventory with in-context, relevant information to help you detect at-risk assets and applications. You can identify and set alerts for assets that are running unauthorized software or are not using anti-virus/endpoint security tools.
The first step in managing vulnerabilities and reducing risk is identification of assets. Qualys VMDR makes it easy to identify systems with open ports. For example, hosts with Remote Desktop Protocol (RDP) enabled.
operatingSystem.category1:Windows
and openPorts.port:3389
Once the hosts with RDP are identified, they can be grouped together with a ‘dynamic tag’, let us say – “RDP Asset”. This helps in automatically grouping existing hosts with this vulnerability as well as any new hosts that spin up in your environment. Tagging makes these grouped assets available for querying, reporting and management throughout the Qualys Cloud Platform.
Now that hosts with “RDP” are identified, you want to detect which of these assets have flagged this vulnerability. VMDR automatically detects new vulnerabilities like Windows RDP, Exchange Server vulnerability and more based on the always updated Knowledgebase.
You can see all your impacted hosts for this vulnerability tagged with the ‘Ransomware asset tag in the vulnerabilities view by using this QQL query:
vulnerabilities.vulnerability.threatIntel.ransomware: true
Or
vulnerabilities.vulnerability.ransomware.name:WannaCry
This will return a list of all impacted hosts.
Using VMDR prioritization, the ransomware vulnerabilities can be easily prioritized using “Ransomware” Real-Time Threat Intelligence:
VMDR also enables you to stay on top of these threats proactively via the ‘live threat feed’ provided for threat prioritization. With ‘live feed’ updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats.
Simply click on the impacted assets for the “Ransomware” feeds to see the vulnerability and impacted host details.
Qualys provides the ability for a Unified Dashboard approach with the key metrics across all Apps providing key metrics against your overall security posture against Ransomware Related data points such as:
The Unified Dashboard enabled you to track your ransomware exposure, against impacted hosts, their status, and overall management in real-time.
Qualys Policy Compliance provides the Ransomware Best Practices policy which contains the critical controls mapped to MITRE ATT&CK mitigations and tactics recommended by CISA and best practices published by Fireye Mandiant. These mitigations are effective across top techniques and can potentially reduce the risk of ransomware attacks. These critical controls can limit attacker initial access and the lateral movement around the network.
As organizations look to prevent the attacks from happening in the first place, security teams should focus on implementing these controls proactively and effectively across all assets to reduce the risk. By automating the configuration assessment with Qualys Policy Compliance, organizations can ensure golden images to conform to security baselines and prevent images from ever having misconfigurations and identify configurations drifts to prevent security risks.
The Qualys internal research team has identified top five security measures and configuration controls; a security team should consider for their organization to prevent business interruption from a ransomware attack. Research is based on best practices published by FireEye (Mandiant), Cybersecurity and Infrastructure Security Agency (CISA), and CISA MS-ISAC. Policies/technical controls should be implemented. These configuration checks go beyond typical CIS or DISA benchmarks.
Qualys research has mapped misconfigurations to the relevant MITRE ATTACK techniques (summarized in the table below) to define 237 configuration checks across five security areas such as RDP hardening, user controls, network, protocol and port configuration security, share and password policies and software update policies, essentially helping organizations proactively prevent 20 attack techniques leveraged in ransomware attacks.
TTP Map
Initial Access (TA0001) | Credential Access (TA0006) | Privilege Escalation (TA0004) | Execution (TA0002) | Defense Evasion (TA0005) | Lateral Movement (TA0008) | Command and Control (TA0011) | Impact (TA0040) |
---|---|---|---|---|---|---|---|
Valid Accounts (T1078) | Brute Force(T1110) | Abuse Elevation Control Mechanism (T1548) | Scheduled Task / Job (T1053) | Impair Defenses (T1562) | Remote Services (T1021) | Non-Application Layer Protocol (T1095) | Data Manipulation: Transmitted Data Manipulation (T1565.002) |
Supply Chain Compromise (T1195) | Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002) | Inter-Process Communication (T1559) | Trusted Developer Utilities Proxy Execution (T1127) | Exploitation of Remote Services (T1210) | |||
Supply Chain Compromise: Compromise Software Dependencies and Development Tools (T1195.001) | Access Token Manipulation (T1134) | Remote Services (T1021) | |||||
Unsecured Credentials (T1552) | Remote Services: Remote Desktop Protocol (T1021.001) | ||||||
Remote Services: Remote Desktop Protocol (T1021.002) | |||||||
Remote Service Session Hijacking (T1563) |
To keep the ransomware vulnerability patches always up to date on your assets, we strongly encourage users to take advantage of Qualys Zero-Touch Patch that allows users to automatically patch new ransomware-related vulnerabilities which are actively used in attacks. Qualys Zero-Touch Patch enables businesses to patch and address at least 97% of the ransomware related vulnerabilities. Faster and at scale! For more information on Qualys automatic patch capabilities, refer to blog Automate Vulnerability Remediation with Proactive Zero-Touch Patch.
Following patch management best practices, using Qualys Patch Management, allows organizations to proactively remediate vulnerabilities related to ransomware and therefore minimize ransomware attacks in their environment. A simple and efficient way to use Qualys patch management to remediate ransomware related vulnerabilities is to leverage the VMDR prioritization report, as described in a previous section, this report can be used to detect assets with ransomware related vulnerabilities. The tight integration between Qualys VMDR and Patch Management allows customers to add those ransomware related vulnerabilities directly from the prioritization report into a patch job. The Qualys engine will automatically map the selected vulnerabilities to the relevant patches, in the customer’s environment, that are required to remediate the vulnerabilities. This will allow IT teams to focus on deploying those patch jobs without the need to worry about researching vulnerabilities and manually finding the relevant patches for those vulnerabilities.
Join the webinar, Combating Risk from Ransomware Attacks, to discuss the current state of ransomware and prevention techniques. Webinar October 21, 2021, at 10am Pacific. Sign up now!
Resources
<https://www.ic3.gov/Content/PDF/Ransomware_Fact_Sheet.pdf> <https://www.ic3.gov/Media/Y2019/PSA191002> <https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf>