Scanning techniques

How to scan for known exploits and ransomware?

With exploits increasingly becoming widely available and easy to use even for inexperienced attackers, it is more critical than ever to be protected against the most severe ones.

We have added a new option, "Include vulnerabilities with known exploits (incl listed by CISA)", that focuses on identifying vulnerabilities for which a known exploit is available in the wild.
For this, we monitor three sources of information that are continuously reviewed and used to update our vulnerability tests:

  1. CISA list - Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation.
  2. ExploitDB - a repository for exploits and proofs-of-concept.
  3. Metasploit - a penetration testing platform that enables you to write, test, and execute exploit code.

Why is ransomware dangerous?

Ransomware is a malicious program that encrypts the user’s files. Encryption makes the files unreadable without knowing the encryption password. The attacker offers the user the encryption password if the user is willing to pay a “ransom.”

The reason ransomware is so dangerous is that once cybercriminals encrypt your files, no security software or system restore can return them to you unless you pay the ransom. For the most part, they are gone. And even if you do pay up, there is no guarantee the cybercriminals will give you those files back.

We are also adding a new option, "Include vulnerabilities related to known ransomware", that focuses on identifying vulnerabilities known to be used in ransomware attacks. This information is gathered by monitoring researchers' reports, ransomware cases that become public, and other cyber-security portals.
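As an added example (not Holm Security's code), here is the enrichment step that both options above describe, done by hand: scan findings are matched against a feed modelled on CISA's public Known Exploited Vulnerabilities JSON catalog, whose knownRansomwareCampaignUse field marks entries tied to ransomware campaigns, and the matches are ordered so ransomware-linked findings come first regardless of scanner severity. The feed entries and the scan findings are constructed sample data with placeholder CVE IDs.

```python
import json

# Constructed sample in the shape of the CISA KEV JSON feed (not real entries;
# the CVE IDs are placeholders). Only the fields the enrichment uses are kept.
KEV_SAMPLE = json.dumps({
    "catalogVersion": "constructed",
    "vulnerabilities": [
        {"cveID": "CVE-1900-0001", "vendorProject": "ExampleVendor",
         "product": "ExampleApp", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-1900-0002", "vendorProject": "ExampleVendor",
         "product": "ExampleVPN", "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: one finding per line as "host,cve,severity".
SCAN_FINDINGS = """\
10.0.0.5,CVE-1900-0001,high
10.0.0.5,CVE-1900-0003,medium
10.0.0.9,CVE-1900-0002,critical
10.0.0.9,CVE-1900-0004,low
"""

def load_kev(feed_json: str) -> dict:
    """Index the KEV feed by CVE ID, normalising case so lookups are exact."""
    data = json.loads(feed_json)
    return {v["cveID"].upper(): v for v in data["vulnerabilities"]}

def prioritise(findings_csv: str, kev: dict) -> list:
    """Return the findings that appear in KEV, ransomware-linked ones first."""
    hits = []
    for line in findings_csv.splitlines():
        if not line.strip():
            continue
        host, cve, severity = (f.strip() for f in line.split(","))
        entry = kev.get(cve.upper())
        if entry is None:
            continue  # not known-exploited: stays in the full report, not in this shortlist
        ransomware = entry.get("knownRansomwareCampaignUse", "Unknown") == "Known"
        hits.append({"host": host, "cve": cve.upper(), "severity": severity,
                     "ransomware": ransomware, "product": entry.get("product", "")})
    # Ransomware-linked first, then by the scanner's stated severity.
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    hits.sort(key=lambda h: (not h["ransomware"], order.get(h["severity"], 9)))
    return hits

if __name__ == "__main__":
    for h in prioritise(SCAN_FINDINGS, load_kev(KEV_SAMPLE)):
        flag = "RANSOMWARE" if h["ransomware"] else "exploited"
        print(f"{h['host']} {h['cve']} ({h['severity']}) [{flag}] {h['product']}")
```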

How to scan for exploit- and/or ransomware-related vulnerabilities?

Our default Full network scan configuration includes both options, but if you want to scan only for them, we advise selecting the "Basic" scan configuration and then enabling the option of your choice.

Note: To have 100% coverage of all tests with exploit or ransomware relationships, you will also have to enable potentially dangerous tests (see https://support.holmsecurity.com/knowledge/how-do-i-run-a-scan-with-potentially-dangerous-test) in either the "Basic" or the "Full" scan configuration, since some related tests actively attempt to exploit known vulnerabilities. You can find these scan profiles under Imported scan profiles.