{"id":50839,"date":"2023-03-02T00:00:00","date_gmt":"2023-03-02T00:00:00","guid":{"rendered":"urn:uuid:53be06d0-2fc9-2665-e3e8-55262ae4a21d"},"modified":"2023-03-02T00:00:00","modified_gmt":"2023-03-02T00:00:00","slug":"leveraging-data-science-to-minimize-the-blast-radius-of-ransomware-attacks","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/leveraging-data-science-to-minimize-the-blast-radius-of-ransomware-attacks\/","title":{"rendered":"Leveraging Data Science to Minimize the Blast Radius of Ransomware Attacks"},"content":{"rendered":"

<\/p>\n

<\/div>\n
\n
\n

The CVEs used by the top five groups varied in severity (Figure 2), though most of these CVEs had a score of at least 7.2 on the Common Vulnerability Scoring System (CVSS). As Figure 3 shows, the bulk of these vulnerabilities were exploited as a means of privilege escalation at 54.3%, followed by those for remote code execution (RCE) at 17.4%.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Vulnerabilities exploited by the top five ransomware groups<\/span><\/h2>\n

CVE-2021-30119<\/a>, which has the lowest CVSS score of 3.5, is an authenticated and reflected cross-site scripting vulnerability in Kaseya VSA products that REvil exploited in July 2021<\/a>, along with CVE-2021-30116<\/a> and CVE-2021-30120<\/a>, as part of its supply-chain ransomware attack on managed service providers.<\/p>\n

Meanwhile, the RCE vulnerabilities CVE-2018-15982<\/a> and CVE-2020-0609<\/a> ranked the highest in severity, both with a 10 CVSS score. Reports emerged in 2020<\/a> of Egregor possibly exploiting CVE-2018-15982, an Adobe Flash Player vulnerability. The historic Conti ransomware group used CVE-2020-0609 \u2014 a vulnerability affecting Windows Remote Desktop Gateway \u2014 as a means of gaining initial access<\/a> into victims\u2019 systems.  <\/p>\n<\/p><\/div>\n<\/p><\/div>\n

\n
\n

Building defenses to the left of the ransomware kill chain<\/span><\/h2>\n

These findings suggest that cybersecurity teams can defend their organizations from the most active ransomware groups by focusing on patching RCE and privilege escalation vulnerabilities. More importantly, these results demonstrate that analyzing CVE data to determine where vulnerability exploits factor in the cyber kill chain can prove useful for defenders by providing them with information about a particular ransomware group\u2019s technical capabilities and preferred targets.<\/p>\n

This knowledge also makes them better equipped to make informed decisions and set priorities regarding patch management, especially for vulnerabilities that are exploited in the early stages of an attack, such as weaponization, delivery, and exploitation. Preventing attackers from getting a foothold in an organization\u2019s system via initial access vulnerabilities, for example, would cut short their opportunity to exploit lateral movement vulnerabilities entirely.<\/p>\n

Examining ransomware ecosystems from as many angles as possible using disparate information sources, including CVE data, is essential for security teams to shift left in the cyber kill chain. By detecting and mitigating attacks long before they reach the encryption and data exfiltration stages, organizations can minimize the impact of ransomware attacks.<\/p>\n

The increasing sophistication of modern ransomware attacks necessitates a holistic defense strategy on the part of both organizations and end users, who should keep their systems up to date with the latest patches to mitigate the risk of ransomware infection and stay vigilant by enforcing the following security best practices: <\/p>\n