Alert Logic has analyzed 240 popular pieces of ransomware released in the last few years and found that the majority infect through phishing attacks. During this analysis, we discovered that the nine worst kinds of ransomware additionally propagate via common vulnerabilities.
The first line of defense should always be vendor patches. Where patches cannot be applied, and as an additional layer of protection, Alert Logic recommends using logical segmentation to mitigate seven of these common types of ransomware.
This article provides information on the nine worst types of ransomware and which common vulnerabilities (CVEs) they exploit, as well as how to add further protection for several of these types of ransomware where additional mitigation efforts can be effective.
Common Ransomware and the CVEs They Exploit
The following table highlights the nine types of ransomware and the CVEs they exploit.
| Ransomware | Year | CVEs exploited | How the exploit works |
| --- | --- | --- | --- |
| Buran/Zeppelin | 2019 | CVE-2018-8174 | Drive-by code execution in the Windows Internet Explorer VBScript engine |
| Kraken Cryptor | 2018 | CVE-2018-8174 | Drive-by code execution in the Windows Internet Explorer VBScript engine |
| Cerber | 2016 | CVE-2017-0199 | Exploited when opening MS Office RTF documents |
| Matrix | 2017 | CVE-2016-0189 | Drive-by code execution in the Windows Internet Explorer JScript and VBScript engines |
| Matrix | 2017 | CVE-2015-8651 | Drive-by code execution in Adobe Flash Player |
| Ragnarok | 2019 | CVE-2019-19781 | Remotely exploitable buffer overflow in Citrix ADC |
| Ragnarok | 2019 | CVE-2017-0144 | Microsoft Windows "EternalBlue": lateral spread once inside the firewall via the Windows file-sharing protocol (SMB) |
| RobbinHood | 2019 | CVE-2018-19320 | Windows privilege escalation that allows system-level encryption when executing in user space |
| Satan | 2017 | CVE-2017-10271 | Oracle WebLogic (Fusion Middleware), exploitable via HTTP over the internet without user interaction |
| Satan | 2017 | CVE-2017-0143 | Microsoft Windows "EternalBlue": lateral spread once inside the firewall via the Windows file-sharing protocol (SMB) |
| Sodinokibi/REvil | 2019 | CVE-2019-2725 | Oracle WebLogic (Fusion Middleware), exploitable via HTTP over the internet |
| WannaCry | 2017 | CVE-2017-0143 | Microsoft Windows "EternalBlue": lateral spread once inside the firewall via the Windows file-sharing protocol (SMB) |
Additional Mitigation Through Logical Segmentation
Several of these types of ransomware can be additionally protected against through the use of logical segmentation. Use the following practices to layer additional protection.
- WannaCry, Satan, and Ragnarok all spread via the EternalBlue exploit of inbound SMBv1. To mitigate these:
  - Block all inbound SMB requests from the internet. Firewalls do this by default.
  - Block all outbound SMB requests to the internet. There is (almost) never a good reason to connect to anything on the internet via SMB. Outbound SMB is a favorite way to steal Windows credentials (examples: SFO Breach March 2020, Zoom vulnerability) and is typically allowed by default on firewalls.
  - Block all inbound SMB requests to all non-servers, such as workstations and laptops.
  - Restrict SMB connections between internal servers to those that are actually required, following the principle of least privilege.
- Satan and Sodinokibi/REvil spread via HTTP exploitation of Oracle WebLogic servers over the internet. To mitigate these:
  - If possible, remove any Oracle WebLogic servers from the public internet. Otherwise, restrict access to a few trusted partners using IP whitelisting and/or a VPN.
  - Protect your Oracle WebLogic servers with a web application firewall (WAF) in blocking mode.
- Ragnarok also spreads via a buffer overflow in Citrix ADC that can be exploited over the internet. To mitigate this:
  - Protect your Citrix services with a WAF.
  - Block non-critical internal access to the Citrix servers.
- Matrix, Buran/Zeppelin, and Kraken Cryptor infect via drive-by browser exploits. To mitigate these:
  - Use a web filter or proxying outbound firewall to block these attacks when employees browse the internet.
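The four SMB segmentation rules above can be expressed as a single policy and checked against firewall or flow logs to find connections that would let EternalBlue-style lateral movement or outbound credential leakage through. The following Python script is an added example written for this article, not Alert Logic's code or tooling. The internal ranges, the server inventory, the server-to-server allowlist and the `src=... dst=... dport=...` log format are all constructed assumptions; workstation-to-server SMB is left allowed because the rules above do not restrict it.

```python
"""Evaluate SMB flows against the segmentation rules described in the article.

Rules encoded (from the article's SMB mitigation list):
  1. Block inbound SMB from the internet.
  2. Block outbound SMB to the internet.
  3. Block inbound SMB to non-servers (workstations, laptops).
  4. Allow server-to-server SMB only where explicitly required (least privilege).
"""
import ipaddress
from typing import List, Tuple

# Constructed example inventory (hypothetical values; replace with your own).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
SMB_PORTS = {445, 139}
SERVERS = {"10.0.1.10",   # file server
           "10.0.1.11",   # domain controller
           "10.0.1.20"}   # application server
# Least-privilege allowlist: (source server, destination server) pairs that need SMB.
ALLOWED_SERVER_SMB = {("10.0.1.20", "10.0.1.10")}


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def evaluate_smb(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """Return ('allow' | 'block', reason) for one flow."""
    if dport not in SMB_PORTS:
        return ("allow", "not SMB; outside this policy")
    src_in, dst_in = is_internal(src), is_internal(dst)
    if not src_in and dst_in:
        return ("block", "inbound SMB from the internet")          # rule 1
    if src_in and not dst_in:
        return ("block", "outbound SMB to the internet")           # rule 2
    if not src_in and not dst_in:
        return ("block", "SMB between two external hosts")         # not ours to forward
    if dst not in SERVERS:
        return ("block", "inbound SMB to a non-server")            # rule 3
    if src in SERVERS:
        if (src, dst) in ALLOWED_SERVER_SMB:
            return ("allow", "server-to-server SMB on the least-privilege allowlist")
        return ("block", "server-to-server SMB not on the allowlist")  # rule 4
    # Assumption: workstation-to-server SMB is not restricted by the article's rules.
    return ("allow", "workstation to server SMB")


def audit_flow_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Parse constructed 'src=A dst=B dport=N' lines; return (line, reason) for blocked flows."""
    findings = []
    for line in lines:
        fields = dict(part.split("=", 1) for part in line.split())
        verdict, reason = evaluate_smb(fields["src"], fields["dst"], int(fields["dport"]))
        if verdict == "block":
            findings.append((line, reason))
    return findings


# Constructed sample flows (TEST-NET addresses stand in for the internet).
SAMPLE_LOG = [
    "src=203.0.113.7 dst=10.0.1.10 dport=445",   # internet -> file server
    "src=10.0.5.23 dst=198.51.100.9 dport=445",  # workstation -> internet (credential leak risk)
    "src=10.0.1.11 dst=10.0.5.23 dport=445",     # server -> workstation (lateral-move pattern)
    "src=10.0.1.20 dst=10.0.1.10 dport=445",     # app server -> file server (allowlisted)
    "src=10.0.1.10 dst=10.0.1.20 dport=445",     # file server -> app server (not allowlisted)
    "src=10.0.5.23 dst=10.0.1.10 dport=445",     # workstation -> file server
    "src=10.0.5.23 dst=10.0.1.10 dport=443",     # HTTPS, out of scope
]

if __name__ == "__main__":
    for line, reason in audit_flow_log(SAMPLE_LOG):
        print(f"BLOCK  {line}  ({reason})")
```

Run it against exported flow records to see which existing connections the policy would have stopped before enforcing it on the firewall; the third sample line (a server reaching a workstation over 445) is the pattern the inbound-to-non-servers rule exists to cut off.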