Ransomware: Cyber criminals are still exploiting these old vulnerabilities, so patch now

Years-old security vulnerabilities remain a common attack method for ransomware attacks because organisations aren't applying the patches to fix them.

Ransomware is a big cybersecurity problem: Why and what needs to be done to stop it?

Some of the cybersecurity vulnerabilities most commonly exploited by cybercriminals to help distribute ransomware are years old -- but attackers are still able to take advantage of them because security updates aren't being applied.

Cybersecurity researchers at Qualys examined the Common Vulnerabilities and Exposures (CVEs) most used in ransomware attacks in recent years. They found that some of these vulnerabilities have been known for almost a decade and had vendor patches available. But because many organizations still haven't applied the available security updates, they remain vulnerable to ransomware attacks.

ZDNet Recommends

The best antivirus software and apps

A roundup of the best software and apps for Windows and Mac computers, as well as iOS and Android devices, to keep yourself safe from malware and viruses.

Read More

The oldest of the top five vulnerabilities detailed in the analysis is CVE-2012-1723, a vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7, which was detailed in 2012. According to researchers, it's been commonly used to distribute Urausy ransomware. This ransomware is somewhat basic, but some organizations have remained vulnerable because they haven't applied the relevant security patches. 

SEE: A winning strategy for cybersecurity (ZDNet special report)

Two other common vulnerabilities detailed by researchers are from 2013. CVE-2013-0431 is a vulnerability in JRE exploited by Reveton ransomware, while CVE-2013-1493 is a flaw in Oracle Java that is targeted by Exxroute ransomware. In both cases, patches to remedy the vulnerabilities have been available for more than eight years. 

CVE-2018-12808, meanwhile, is a three-year-old vulnerability in Adobe Acrobat, which is used to deliver ransomware via phishing emails and malicious PDF files. Both Ryuk ransomware and what many believe to be its successor, Conti ransomware, have been known to use this attack method.

The most recent vulnerability on the list is Adobe CVE-2019-1458, a privilege escalation vulnerability in Windows that emerged in December 2019 and has been commonly used by the NetWalker ransomware group. Like the other vulnerabilities detailed by researchers, cybercriminals are have been able to continue launching successful attacks because the available security update hasn't been applied.

For IT and information security teams, applying all the patches needed to keep a network secure is often an uphill battle. "The rate at which vulnerabilities are rising is exponentially higher than the rate at which operations teams are patching. This is the number one driving factor for why vulnerabilities remain unpatched," Shailesh Athalye, SVP of product management at Qualys, told ZDNet.

"It is easy for operations teams to get overwhelmed when they do not have a prioritized list of patches or software listings provided from security teams."

Cyberattackers know that many organizations struggle with patching, so they are actively scanning for vulnerabilities that enable them to lay down the foundations for ransomware and other cyberattacks.  

SEE: A company spotted a security breach. Then investigators found this new mysterious malware

Patch management can be a complex and time-consuming process. Still, information security teams need to take the time to apply critical security updates, particularly if they're known to be commonly exploited by cybercriminals and ransomware gangs.

"There is no silver bullet to prevent ransomware and remediate vulnerabilities, but overall, driving processes for reducing an attack surface should be the goal," said Athalye.

"The important part of vulnerability management is the combination of vulnerability assessment, prioritization and remediation."

More on cybersecurity: