Vulnerability Management Blog

Ransomware is Not the Problem

Ransomware is all the rage. If you see a cyber security story in the New York Times, Washington Post, CNN, etc., there’s a much better than even-money chance it's about a ransomware attack. The reason? I can’t say for sure, but I have a theory. Ransomware stories have the single most important attribute of any subject matter for a journalist: they’re understandable. Writing a story about a complex corruption scheme involving shell corporations, money laundering, international currency exchanges, and the subtleties of corporate tax evasion is not only difficult, but the audience for such narratives is limited. Ransomware is the antithesis of a convoluted corporate corruption feature story. Everyone who’s ever watched an episode of Law and Order understands extortion. Give me money or you lose access to your data forever (or I expose it to the public). Easy to understand, and even easier to describe in 200 words or fewer.

I forgive journalists and the average news consumer, but we in the infosec community should know better. Concern about ransomware in the battle against threat actors is tantamount to being concerned about a fever in the battle against Covid. No one from the CDC is on television imploring the population to take measures to stop the spread of fevers. Covid-19 is the problem. Coughing, fever, body aches, respiratory distress are all symptoms of the virus. Stop the virus, and we stop the symptoms. 

I really wish we all viewed cyber security with the same appreciation for the concept of root cause as does the medical community.  We treat ransomware like it’s an autonomous attack vector, when we all know it’s just a currently popular means for cyber criminals to monetize successful breaches. Returning to our Covid metaphor, ransomware is the symptom.  The breach itself is the virus.  Prevent the breach, and you prevent the ransomware.

So, what are the most popular and dangerous breach mechanisms? How do the bad guys get on the network in the first place, the first step in any ransomware attack? Excluding malicious insider incidents, nearly all breaches originate either via a phishing attack or via the exploitation of a software vulnerability. Estimates vary on which vector is responsible for a higher percentage of attacks, but a recent Ponemon study found that “60% of breaches were linked to a vulnerability where a patch was available, but not applied.” It’s difficult to nail these figures down since enterprises are hesitant to disclose the details of breaches they’ve suffered…

Or are they?

I wasn’t so sure, so I conducted a quick experiment.  I tried to find as many ransomware stories as possible in a given amount of time, and then identify the initial breach mechanism for each, if available.  I found 11 ransomware stories in a few hours, 3 of which identified phishing as the initial attack vector, while I could find no evidence of an initial breach mechanism for the other 8 incidents.  The table below summarizes the ransomware stories I reviewed.

| Ransomware Attack | Initial Breach Mechanism |
|-------------------|--------------------------|
| Grubman Law Firm  | None made public         |
| Travelex          | None made public         |
| Magellan Health   | Phishing                 |
| City of Baltimore | None made public         |
| City of Albany    | None made public         |
| City of Laredo    | None made public         |
| Norsk Hydro       | Phishing                 |
| New Orleans       | None made public         |
| Riviera Beach, FL | Phishing                 |
| New Bedford, MA   | None made public         |
| Lake City, FL     | None made public         |

What first struck me was that the results of this admittedly non-scientific survey are inconsistent with the Ponemon survey quoted previously…

Or are they?

The Ponemon study suggests that half or more of the ransomware breaches should be attributable to the exploitation of a vulnerability, but exactly zero were.  Curiously, however, in 72% (8 of 11) of the cases, the victimized organization declined to disclose an initial breach mechanism, while in every case in which a breach mechanism was voluntarily identified, phishing was the culprit. 

Upon further reflection, this limited data sample makes complete sense.  If you’re an organization whose data has been taken hostage, would you be enthusiastic about publicly attributing the root cause of your misery to an existing vulnerability on your network that you failed to remediate?  Probably not.  That sounds too much like taking responsibility for failing to address something ostensibly within your control.

On the other hand, if you can trace your ransomware attack to a careless employee making a poor decision to click on a phishing email link, you’ve just hit the accountability jackpot. The organization can trot out the receipts for its phishing-awareness training program (which is largely ineffective), chalk it up to employee negligence, and comfortably assume the role of helpless victim.

Clearly, we can’t prove that the 8 ransomware attacks reviewed for this blog that did not disclose the initial breach mechanism originated with attacks on unpatched vulnerabilities, but the pattern does imply that vulnerability-initiated ransomware attacks are significantly more prevalent than might otherwise be perceived by consuming ransomware news articles. A paragraph in a recent Dark Reading article about the Netwalker ransomware tool kit highlights the strong probability that vulnerabilities are behind a substantial percentage of ransomware attacks:

“...the strategy being used by the Netwalker attackers to gain an initial foothold on an enterprise network remains unclear. But the tools suggest they have the ability to take advantage of heavily publicized vulnerabilities in Windows and other environments to break into vulnerable networks.”

Whether this vulnerabilities/ransomware hypothesis is legitimate or not, the focus on the threat posed by ransomware could really use some perspective. At one point, the best approach to minimizing the risk of a successful ransomware attack was to deploy a robust data-backup function. Increasingly, however, attackers are combining good old-fashioned data exfiltration with ransomware, so even if victim organizations have backed up their data and therefore have no motivation to pay the attackers for access, the attackers are free to sell or make public the victim’s data, maintaining some degree of leverage.

As simply the latest, in-vogue means of monetizing a compromised network, ransomware is not a new or exotic form of cyber-attack that screams for a wholesale security paradigm shift. It’s easy to understand, and is delivered to the popular press with built-in drama, so it’s a high profile technique.  But let us in the infosec community never forget that ransomware is the newest symptom of an old disease, the same one we’ve been battling for decades.
