Escalating privileges
In many cases, threat actors do not have sufficient privileges after gaining initial access to the target system. Ransomware affiliates use several techniques to escalate privileges; let's look at the most common ones.
Exploiting for privilege escalation (T1068)
Vulnerabilities can aid threat actors at several stages of the ransomware attack life cycle, including the privilege escalation stage. For example, ProLock ransomware affiliates were observed exploiting a vulnerability in the CreateWindowEx function (CVE-2019-0859) to obtain administrator-level privileges.
Another example is the REvil ransomware itself, which exploited a vulnerability in the win32k.sys Microsoft Windows driver (CVE-2018-8453) to elevate privileges.
As we can see, many common vulnerabilities can be leveraged to gain privileges. A business that does not patch or otherwise address these vulnerabilities leaves itself open to exactly this predicament.