Patterns and Targets for Ransomware Exploitation of Vulnerabilities: 2017–2023

Recent Insikt research analyzes ransomware and vulnerability trends spanning the past six years and offers insights into future expectations.

Ransomware groups exploit vulnerabilities in two distinct categories: those targeted by only a few groups and those widely exploited by several. Each category necessitates different defense strategies. Groups targeting specific vulnerabilities tend to follow particular patterns, enabling companies to prioritize defenses and audits. To defend against unique exploitation, understanding the likely targets and vulnerability types is crucial.

Diagram showing the number of ransomware groups that have been associated with vulnerability exploitation in the last five years. By “one group”, for example, we mean that only one group has been reported to have exploited a vulnerability (Source: Recorded Future)

Widely exploited vulnerabilities are found in commonly used enterprise software and are easily exploited through various means like penetration testing modules. The vulnerabilities that have been most targeted by ransomware operators can all be easily exploited via penetration testing modules or single lines of code. Defending against such exploits involves promptly patching vulnerabilities, monitoring security research for proofs of concept, and observing criminal forums for references to tech stack components rather than specific vulnerabilities.

Some ransomware groups focus on exploiting three or more vulnerabilities, providing clear targeting patterns for defenders. For instance, CL0P has targeted file transfer software from Accellion, SolarWinds, and MOVEit. Most targeted vulnerabilities are in widely used enterprise software and can be exploited easily. Vulnerabilities requiring unique vectors are typically exploited by only a few groups.

Based on a review of the higher-level categories that vulnerabilities fall into, we are confident that if a vulnerability is only exploited by one group, it likely requires a custom-built package (a compressed file or application data, for example) and cannot simply be abused via a few lines of code.

Across all vulnerabilities exploited by ransomware operations, five stood out as those that garnered the most threat actor attention, having been exploited by the highest number of individual ransomware threat actors. These vulnerabilities are ProxyShel, ZeroLogon, Log4Shell, CVE-2021-34527 — which affected Microsoft enterprise products such as Exchange, Netlogon, and Print Spooler — and CVE-2019-19781, which affected Citrix software. Microsoft’s dominance here is unsurprising: As we have identified in previous reports, Microsoft is regularly the vendor most affected by zero-day exploitation and by ransomware overall, as about 55% of the vulnerabilities exploited by three or more groups were in Microsoft products.

The top five vulnerabilities also proved highly popular in the wider threat landscape once disclosed due to factors such as the high impact in terms of access or control over systems and the ubiquity of the affected software. For instance, nation-state groups and other non-ransomware cybercriminals were repeatedly observed targeting these vulnerabilities as part of their intrusion operations.

Ransomware operators and affiliates seldom discuss specific vulnerabilities, but the broader cybercriminal ecosystem identifies and discusses publicly known vulnerabilities and potential targets for exploitation.

Mitigation Strategies

Based on the findings and assessments above, we consider the following to be the most effective defenses against ransomware operators’ exploitation of vulnerabilities:

• Unless necessary, ensure that devices and networks cannot receive incoming requests over HTTP/S. The highest-volume ransomware exploitation of vulnerabilities shows a clear preference for critical vulnerabilities that can be exploited via a few lines of code against devices that can receive HTTP/S requests. We found this to be particularly true in the case of path traversal vulnerabilities.
• Monitor security researcher articles, blogs, and code repositories for references to simple exploit syntax based on HTTP/S requests. This information can be used to set up detections for exploit attempts against devices that need to remain publicly accessible.
• For ransomware groups of concern, identify whether and where such groups have uniquely targeted vulnerabilities to build a profile of most likely targets, both in terms of products and vulnerability types.
• Patch widely exploited and critical vulnerabilities as fast as possible. Dwell time statistics demonstrate that ransomware groups can exploit victims’ vulnerable infrastructure over three years after a vulnerability’s disclosure.
• Don’t use criminal forum monitoring as a reliable way to identify ransomware groups’ interest in specific vulnerabilities since these groups rarely discuss such vulnerabilities. Additionally, don’t rely on alerts of criminal mentions of CVE identifiers, since criminals usually discuss CVE identifiers only after exploitation has occurred. Instead, monitor for criminal discussions of vendors and products of concern.

Looking ahead to 2024, advancements in generative AI may lower the technical barrier for cybercriminals, facilitating the exploitation of more zero-day vulnerabilities. Major vendors like Google and Apple may become targets of ransomware campaigns, which were previously immune to such threats. Additionally, a potential rebound in cryptocurrency value might shift extortion groups' focus towards crypto wallet theft from vulnerability research.

To read the entire analysis, click here to download the report as a PDF.

Note: This report summary was first published on February 8, 2024 and has been updated on October 30, 2024. The original analysis and findings remain unchanged.