Ivanti has announced the results of the Ransomware Index Report Q2-Q3 2022 that it conducted with Cyber Security Works, a Certifying Numbering Authority (CNA), and Cyware. The report revealed that ransomware has grown by 466% since 2019, and is increasingly being used as a precursor to physical war as seen in the Russia conflict in Ukraine and the Iran and Albania cyberwar.
Ransomware groups are continuing to grow in volume and sophistication with 35 vulnerabilities becoming associated with ransomware in the first three quarters of 2022 and 159 trending active exploits. Complicating matters, lack of sufficient data and threat context is making it hard for organizations to effectively patch their systems and efficiently mitigate vulnerability exposure.
The report identified 10 new ransomware families (Black Basta, Hive, BianLian, BlueSky, Play, Deadbolt, H0lyGh0st, Lorenz, Maui, and NamPoHyu), bringing the total to 170. With 101 CVEs to phish, ransomware attackers are increasingly relying on spear phishing techniques to lure unsuspecting victims to deliver their malicious payload. Pegasus is a powerful example where a simple phishing message was used to create initial backdoor access coupled with iPhone vulnerabilities lead to infiltration and compromise of many worldwide figures.
Ransomware needs human interaction, and phishing as the only attack vector is a myth. We analyzed and mapped 323 current ransomware vulnerabilities to MITRE ATT&CK framework to exact tactics, techniques, and procedures that can be used as a kill chain to compromise an organization and found that 57 of them lead to a complete system takeover starting from initial access to exfiltration.
The report also identified two new ransomware vulnerabilities (CVE-2021-40539 and CVE-2022-26134), both of which were exploited by prolific ransomware families such as AvosLocker and Cerber either before or on the same day they were added to the National Vulnerability Database (NVD). These statistics emphasize that if organizations rely solely on NVD disclosure to patch vulnerabilities they will be susceptible to attacks.
The report revealed that CISA’s Known Exploited Vulnerabilities (KEV) catalog, which provides U.S. public sector companies and government agencies with a list of vulnerabilities to patch within a deadline, is missing 124 ransomware vulnerabilities.
Srinivas Mukkamala, Chief Product Officer at Ivanti, said: “IT and security teams must urgently adopt a risk-based approach to vulnerability management to better defend against ransomware and other threats. This includes leveraging automation technologies that can correlate data from diverse sources (i.e., network scanners, internal and external vulnerability databases, and penetration tests), measure risk, provide early warning of weaponization, predict attacks, and prioritize remediation activities. Organizations that continue to rely on traditional vulnerability management practices, such as solely leveraging the NVD and other public databases to prioritize and patch vulnerabilities, will remain at high risk of cyberattack.”
Further highlighting the need to evolve beyond traditional vulnerability management practices is the fact that popular scanners are missing vulnerabilities. The report found that 18 vulnerabilities tied to ransomware are not being detected by popular scanners.
Aaron Sandeen, CEO of Cyber Security Works, said, “It’s a scary prospect if the scanners that you depend on are not identifying the vulnerabilities exposed. Organizations need to adopt an attack surface management solution that can discover exposures across all organizational assets.”
Additionally, the report analyzed the impact of ransomware on critical infrastructure, with the three worst-hit sectors being healthcare, energy, and critical manufacturing. The report revealed that 47.4% of ransomware vulnerabilities affect healthcare systems, 31.6% affect energy systems, and 21.1% affect critical manufacturing.
Anuj Goel, Co-founder and CEO at Cyware, said, “Even though post-incident recovery strategies have improved over time, the old adage of prevention being better than cure still rings true. In order to correctly analyze the threat context and effectively prioritize proactive mitigation actions, vulnerability intelligence for SecOps must be operationalized through resilient orchestration of security processes to ensure the integrity of vulnerable assets.”
The report also offered insights into current and future ransomware trends. Notably, malware with cross-platform capabilities soared high in demand as ransomware operators could easily target multiple operating systems via a single codebase. The report also uncovered a significant number of attacks on third-party providers of security solutions and software code libraries, resulting in a plethora of possible victims. Looking ahead, organizations can expect to see new ransomware gangs emerge as prominent groups like Conti and DarkSide supposedly shut down. New gangs will likely reuse or modify the source code and exploit methods adopted by defunct ransomware groups.
The Ransomware Index Spotlight Report is based on data gathered from a variety of sources, including proprietary data from Ivanti and CSW, publicly available threat databases, and threat researchers and penetration testing teams.