
Cdebrincat for ShiftLeft

Originally published at blog.shiftleft.io

How Faulty Software Development Allows Ransomware to Thrive

And how to prevent ransomware attacks


Ransomware is making headlines in 2021 due to a string of successful attacks against high-profile targets. Ransomware is not a new threat, but the technology and tactics behind recent attacks are exposing organizations to new dangers.

For example, traditional ransomware simply encrypted the data on a target machine and then extorted the victim to pay for a decryption key. Recent ransomware attacks not only encrypt data but first exfiltrate a copy of it to the attackers. Holding the victim's data gives threat actors a second lever, blackmail (so-called double extortion): criminals now threaten to publish or sell the stolen data if payment is not made, which means a good backup no longer makes the victim safe.

The primary targets for ransomware have also changed over time. Before the advent of cryptocurrency, collecting a ransom payment from strangers was considerably more difficult. Legacy ransomware campaigns were opportunistic, taking a scattershot approach to targeting and counting on a few users to prove vulnerable. Today's advanced ransomware groups, like REvil, do not rely on luck. Modern threat groups are well-funded, technically capable predators who study their victims carefully before striking. Some threat groups are state-funded, placing the resources of national governments behind their attacks.

It is easy to see why organizations are pessimistic about their odds of stopping attacks from well-resourced, advanced persistent threat (APT) style groups. The adversaries have vast resources, deep expertise, months or years to plan, and the freedom to choose the moment and location of the attack. How can a company concede so many advantages and still prevail?

Since the current approach to ransomware is failing to protect businesses, it is time to entertain new ideas. One possible solution is for developers to focus on the application layer, which one widely cited industry estimate makes the target of 84% of all cyber attacks. The current thinking among security professionals and the tech industry is that software will inevitably be vulnerable. Yet perhaps this mindset cedes too much territory to threat actors unnecessarily.

Acer Attack

In March of 2021, the REvil threat group launched a ransomware attack against Acer, the Taiwanese electronics manufacturer. The attackers demonstrated the high-pressure tactics used by modern extortion groups to force compliance from their victims. REvil demanded a ransom of $50 million USD from Acer, but offered a 20% discount if the funds were paid quickly. Should Acer refuse to pay, the ransom would double to $100 million USD eight days later. For further leverage, REvil posted samples of the stolen Acer data on their leak site. If Acer refused to pay, REvil would sell the stolen customer database and other sensitive internal data to the highest bidder.

The threat group demanded payment in Monero (XMR), a privacy-focused cryptocurrency whose transactions are designed to hide sender, receiver, and amount. Its tracing resistance is strong enough that the United States IRS offered a $625,000 bounty to whoever could demonstrate a way to trace its transactions.

Acer, like many businesses suffering a high-profile breach, was vague about how the ransomware attack succeeded. However, security experts analyzing the situation believe the attackers exploited a Microsoft Exchange server. On March 2nd, a couple of weeks before the attack, Microsoft disclosed four actively exploited vulnerabilities affecting on-premises Exchange servers and released out-of-band patches for them. Yet days later an estimated 80,000 Exchange servers exposed to the internet remained unpatched, either because administrators had not yet applied the update or because the servers ran versions that could not take it.

Kaseya Attack

REvil launched another ransomware attack on the global IT provider Kaseya on July 2nd, 2021. This attack unfolded as many American workers were out of the office for an extended Independence Day weekend, which delayed detection and response. The threat group exploited vulnerabilities in on-premises installations of Kaseya's Virtual System Administrator (VSA), a remote monitoring and management product.

Many Kaseya customers are managed service providers (MSPs) who provide IT services to other organizations and businesses. By compromising VSA servers used by multiple MSPs, the REvil group was able to launch downstream attacks on an estimated 800 to 1,500 businesses. The attack has been called one of the "largest criminal ransomware sprees" in history.

The total costs of the Kaseya attack are difficult to calculate, as they may ultimately include lawsuits, regulatory fines, and lost business. REvil demanded $70 million USD in ransom for a universal decryptor. Kaseya states that it did not pay, and it later obtained a working decryptor from a third party it declined to name.

What left Kaseya and its customers open to such a catastrophic ransomware attack? Kaseya's VSA had an authentication bypass vulnerability that allowed REvil to reach functionality meant only for authenticated administrators and then use the product's own software-distribution mechanism to push a malicious payload to the endpoints it managed. In other words, as with most cyberattacks, this one happened at the application layer: a flaw in the code of the product itself, not in the network around it.

The Costly Business of Reacting to Ransomware

There are some notable similarities in both the Acer and Kaseya attacks. Both begin with the ransomware group targeting the application layer, looking for new or recently disclosed vulnerabilities. The target companies presumably invest in various cybersecurity solutions, but none of their security tools prevented the attack. At best, the IT security funds spent by each company may have helped them detect and limit the scope of the attacks. This is the inevitable result of most companies spending considerable funds on general security services, infrastructure protection, and network security equipment. Yet the application layer, where most attacks are happening, receives little attention.

Reacting to ransomware attacks has proven to be both expensive and embarrassing for the unfortunate companies that have been breached. When REvil asked for $50 million USD from Acer, it was a record-breaking ransom demand. The threat group topped itself three months later by demanding $70 million USD from Kaseya. Yet even small and medium businesses, most of which are attacked without making headlines, face average recovery costs of roughly $1.85 million USD per incident according to one 2021 industry survey.

Adding insult to injury, regulatory fines arising from privacy legislation like the European Union's General Data Protection Regulation (GDPR) can be punishing. Organizations that lose sensitive customer data face fines of up to €10 million or 2% of annual global revenue, whichever is greater. For more severe infringements, the GDPR doubles the ceiling to €20 million or 4% of annual global revenue, again whichever is greater.

Some nations, like the United States, will punish anyone paying a ransom to a threat group in violation of established sanctions. The US Treasury Department's Office of Foreign Assets Control (OFAC) may levy civil penalties of roughly $300,000 or more per violation against those who send funds to sanctioned persons or entities. Sanctions liability is strict: the fine applies to individuals and companies even if they did not know the ransom would ultimately reach a sanctioned party.

The loss of data and the extortion attempt may seem like the worst part of a ransomware attack, but they are only the beginning. A single ransomware breach launches a company on a downward spiral of ransom demands, fines, lawsuits, and damage to its reputation. Given these compounding pressures, it is unsurprising that, by one survey's estimate, 20% of organizations hit by ransomware are driven out of business almost immediately.

Stopping Ransomware Before It Starts

Reacting to ransomware is an expensive and unreliable approach to maintaining security. All the cybersecurity solutions aimed at protecting endpoints, networks, and data were unable to stop REvil from demanding record-breaking ransoms in 2021. Software developers, however, can use advanced AppSec methodologies to proactively fix the flaws that APTs exploit.

For example, ShiftLeft offers next-generation static application security testing (NG-SAST) that, by the company's own benchmarks, identifies code vulnerabilities 40x faster than comparable legacy tools with an accuracy rating nearly 3x greater than the industry average. By including capabilities like software composition analysis (SCA), ShiftLeft allows developers to discover vulnerabilities in both custom and open-source code.

The speed and accuracy of NG-SAST are meant to improve on the main weakness of traditional SAST: historically, a scan could take hours or days, which discouraged teams from testing frequently. In a recent study of its users, ShiftLeft found that 46% of applications using NG-SAST are scanned at least weekly and 17% at least daily. Available reports for traditional tools indicate that applications using older technology are scanned weekly in around 3.5% of cases and daily in around 0.3%.

Getting vulnerability information to developers shortly after their code is written is key to fixing issues quickly and cheaply, because the author still has the context in their head and the change has not yet shipped. It also has the benefit of teaching developers to write more secure code in the future. The advantage of this approach is seen in enterprise customers who integrated NG-SAST with their CI/CD pipeline and scanned applications at least weekly. These users fixed 91.4% of vulnerabilities within two sprints of their introduction.
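To make the "find it in the pipeline before an attacker finds it in production" idea concrete, here is a small static check of the kind a CI-integrated scanner runs, aimed at the flaw class behind the Kaseya incident: a web handler reachable without authentication. This is an added example written for this article; it is not ShiftLeft's NG-SAST, not Kaseya's code, and the Flask-style sample it scans is constructed for illustration. The decorator names it treats as "exposed route" and "authenticated" are assumptions chosen for the example.

```python
"""Toy SAST rule: flag web route handlers that carry no authentication decorator.

Added example, not a vendor's or Kaseya's code. It parses Python source with the
standard-library `ast` module and never imports or runs the code it scans.
"""
import ast
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Assumptions for this example: which decorators expose a handler over HTTP and
# which ones enforce authentication. A real tool loads these from a ruleset.
ROUTE_DECORATORS = {"route", "get", "post", "put", "delete"}
AUTH_DECORATORS = {"login_required", "requires_auth", "admin_required"}
# Endpoints that are legitimately anonymous (login itself, health probes).
DEFAULT_ALLOWLIST: Tuple[str, ...] = ("/login", "/health")


@dataclass
class Finding:
    function: str   # name of the unauthenticated handler
    line: int       # line of the `def` in the scanned source
    path: str       # URL path taken from the route decorator


def _decorator_name(node: ast.expr) -> str:
    """Bare name of a decorator: `login_required` or `app.route(...)` -> 'route'."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def _route_path(decorators: Sequence[ast.expr]) -> Optional[str]:
    """Return the literal path of the first route decorator, or None if not a route."""
    for dec in decorators:
        if isinstance(dec, ast.Call) and _decorator_name(dec) in ROUTE_DECORATORS:
            first = dec.args[0] if dec.args else None
            if isinstance(first, ast.Constant) and isinstance(first.value, str):
                return first.value
            return "<dynamic>"   # path built at runtime; still a route
    return None


def find_unauthenticated_routes(source: str,
                                allowlist: Sequence[str] = DEFAULT_ALLOWLIST) -> List[Finding]:
    """Walk every function definition and report routes with no auth decorator."""
    findings: List[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        path = _route_path(node.decorator_list)
        if path is None or path in allowlist:
            continue
        present = {_decorator_name(d) for d in node.decorator_list}
        if present & AUTH_DECORATORS:
            continue
        findings.append(Finding(node.name, node.lineno, path))
    return findings


# Constructed sample application for the scan (not real product code).
SAMPLE = '''
from flask import Flask, request
app = Flask(__name__)

@app.route("/login", methods=["POST"])
def login():
    return "ok"

@app.route("/admin/agents")
@login_required
def list_agents():
    return "agents"

@app.route("/admin/push_update", methods=["POST"])
def push_update():          # no auth decorator: anyone can push a package
    return deploy(request.files["pkg"])
'''


if __name__ == "__main__":
    for f in find_unauthenticated_routes(SAMPLE):
        print(f"{f.path}: handler {f.function} (line {f.line}) has no authentication decorator")
```

Run as a CI step, a check like this fails the build the moment a developer commits an exposed administrative endpoint, which is exactly the shift-left outcome the paragraph above describes. It is deliberately shallow: a production SAST engine also follows data flow across functions (for instance from a request parameter into a file write or a shell command) and reasons about authorization performed inside the handler body rather than only in decorators.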

The current, reaction-based cybersecurity approach to combating ransomware is clearly not working. It is time for companies to reimagine the battle as beginning at the application layer, where the majority of attacks occur. If applications are the root of 84% of cyber attacks, as the estimate cited above suggests, then a strong AppSec program is the most direct tool for fixing the problem. Today, the vast majority of IT security budgets are spent on reactive technologies. ShiftLeft offers organizations the opportunity to redirect part of that budget to a more effective model. Learn more about NG-SAST by contacting ShiftLeft today.

