Ransomware attack strategists continue to target zero-day vulnerabilities, execute supply chain attacks, fine-tune vulnerability chaining, and search for vulnerabilities in end-of-life products to improve the odds their ransomware attacks will succeed. Ivanti’s Ransomware Spotlight Year End Report illustrates why ransomware became the fastest-growing cyberattack strategy in 2021 and into 2022. There’s been a 29% growth in ransomware vulnerabilities in just a year, growing from 223 to 288 common vulnerabilities and exposures (CVEs).
Last year, SonicWall recorded a 148% surge in global ransomware attacks (up to 495 million), making 2021 the worst year the company has ever recorded. The company also predicted 714 million attempted ransomware attacks by the close of 2021, a 134% increase over last year’s totals. Organizations pay an average of $220,298 and suffer 23 days of downtime following a ransomware attack, further damaging their businesses, brands, and customer relationships.
Weaponized ransomware is growing
Cybercriminal, ransomware, and advanced persistent threat (APT) groups are fast-tracking their efforts to weaponize ransomware and simultaneously take down entire supply chains using vulnerability chaining. Seven new APT groups are using ransomware vulnerabilities to mount attacks this year, bringing the total to 40 APT groups around the globe using ransomware.
New ransomware families created in the last year are being designed to scale ransomware-as-a-service, exploit-as-a-service, dropper-as-a-service, and trojan-as-a-service platforms. Platform-based approaches to providing ransomware as a service are among the fastest-growing development areas for ransomware gangs.
Ivanti’s ransomware research uncovered 125 ransomware families between 2018 and 2020, and 32 new families in 2021, a 25.6% increase in the overall family count. With 157 ransomware families exploiting 288 vulnerabilities, ransomware attackers are prioritizing weaponization. A vulnerability is considered weaponized once exploit code exists to take advantage of it. The study found that public exploit code is available for 57% (164) of ransomware vulnerabilities. Of these, 109 vulnerabilities can be exploited remotely (remote code execution). The exploitable vulnerabilities also include 23 that allow privilege escalation, 13 that can lead to denial-of-service attacks, and 40 that target web applications.
Remote vulnerabilities are especially prevalent in soft targets, a favorite of cybercriminals, ransomware, and APT gangs. Last year’s attacks on health care providers, oil and gas supply chains, food distributors and their supply chains, pharmacies, colleges, universities, and schools underscore how prevalent this strategy is. These critical sectors are known for lacking the cybersecurity funding or in-house expertise to provide advanced threat detection and deterrence, and they often run systems that are a year or more behind on patches.
Procrastinating about patching invites ransomware
Endpoints that have conflicting agents or are down-rev on patches are just as vulnerable as an endpoint with no security at all. The Ivanti study found that unpatched vulnerabilities were the most prominent attack vectors exploited by ransomware groups in 2021. There were 223 vulnerabilities associated with ransomware in 2020, growing 29% in 2021 and taking the total vulnerability count to 288 CVEs. Over 30% of the 65 newly added vulnerabilities are actively searched for on the internet, underscoring the need to prioritize and address them.
Organizations aren’t staying current on patch management, leaving their endpoints open to increasingly sophisticated, nuanced ransomware attacks. Of the current 288 ransomware CVEs, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Homeland Security (DHS), the FBI, the National Security Agency (NSA), and other security agencies have put out multiple warnings for 66 of them. Their warnings communicate the urgency of patching these vulnerabilities immediately. CISA also recently released a binding directive that requires public sector organizations to patch a specific list of vulnerabilities, complete with strict deadlines. This list alone accounts for 20% of the 288 ransomware vulnerabilities.
Prioritizing patches based on the Common Vulnerability Scoring System (CVSS) alone leaves 73.61% of potential ransomware vulnerabilities uncovered, 49% of which are trending in ransomware groups. When Ivanti analyzed the 288 ransomware vulnerabilities by CVSS rating, it found that 26.73% fall into the critical category and 30.9% into the high severity category. It also found that 10% of the vulnerabilities had a medium severity rating, and one vulnerability had a low score.
“Organizations need to be extra vigilant and patch weaponized vulnerabilities without delays. This requires leveraging a combination of risk-based vulnerability prioritization and automated patch intelligence to identify and prioritize vulnerability weaknesses and then accelerate remediation,” Srinivas Mukkamala, senior vice president of security products at Ivanti, told VentureBeat.
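The contrast the report draws, a CVSS-only cut-off versus risk-based prioritization that folds in exploit availability, ransomware activity and agency directives, is easier to see on a concrete queue. The following is an added example, not Ivanti's or VentureBeat's code and not a description of any vendor's scoring model. The weights, tiers, and the five-item inventory are constructed for illustration, and the CVE identifiers are placeholders, not real vulnerabilities.

```python
"""Risk-based patch prioritization compared with CVSS-only ranking.

Added example, not Ivanti's or VentureBeat's code. The weights, tiers and
the inventory below are constructed for illustration; the CVE identifiers
are placeholders, not real vulnerabilities.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    cve: str                    # placeholder id, e.g. "CVE-EXAMPLE-0002"
    cvss: float                 # CVSS base score, 0.0-10.0
    public_exploit: bool        # weaponized: public exploit code exists
    ransomware_trending: bool   # seen in active ransomware campaigns
    in_binding_directive: bool  # on an agency must-patch list with a deadline
    internet_exposed: bool      # affected asset is reachable from the internet


# Constructed inventory. Note the medium-severity finding (0002) that is
# weaponized, trending and internet-facing: a CVSS cut-off at 7.0 skips it.
INVENTORY: List[Finding] = [
    Finding("CVE-EXAMPLE-0001", 9.8, True, True, True, True),
    Finding("CVE-EXAMPLE-0002", 5.3, True, True, True, True),
    Finding("CVE-EXAMPLE-0003", 8.1, False, False, False, False),
    Finding("CVE-EXAMPLE-0004", 7.5, True, False, False, True),
    Finding("CVE-EXAMPLE-0005", 3.1, False, False, False, False),
]

# Assumed weights: each threat-context signal adds to the CVSS base score.
W_EXPLOIT, W_TRENDING, W_DIRECTIVE, W_EXPOSED = 3.0, 3.0, 2.0, 2.0


def cvss_band(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def risk_score(f: Finding) -> float:
    """CVSS base score plus additive weights for threat and exposure context."""
    score = f.cvss
    if f.public_exploit:
        score += W_EXPLOIT
    if f.ransomware_trending:
        score += W_TRENDING
    if f.in_binding_directive:
        score += W_DIRECTIVE
    if f.internet_exposed:
        score += W_EXPOSED
    return score


def priority_tier(f: Finding) -> int:
    """Remediation tier: 1 = patch now, 4 = routine cycle. Threat context
    outranks raw severity, so a weaponized medium never lands in tier 4."""
    if f.ransomware_trending or f.in_binding_directive:
        return 1
    if f.public_exploit:
        return 2
    if f.cvss >= 7.0:
        return 3
    return 4


def rank_by_cvss(findings: List[Finding], threshold: float = 7.0) -> List[str]:
    """CVSS-only queue: everything at or above the threshold, highest first."""
    selected = [f for f in findings if f.cvss >= threshold]
    return [f.cve for f in sorted(selected, key=lambda f: f.cvss, reverse=True)]


def rank_by_risk(findings: List[Finding]) -> List[str]:
    """Risk-based queue: tier first, then risk score within the tier."""
    ordered = sorted(findings, key=lambda f: (priority_tier(f), -risk_score(f)))
    return [f.cve for f in ordered]


def missed_by_cvss_only(findings: List[Finding], threshold: float = 7.0) -> List[str]:
    """Weaponized or trending findings that a CVSS cut-off leaves unpatched."""
    return [
        f.cve
        for f in findings
        if f.cvss < threshold and (f.public_exploit or f.ransomware_trending)
    ]


if __name__ == "__main__":
    print("CVSS-only queue :", rank_by_cvss(INVENTORY))
    print("Risk-based queue:", rank_by_risk(INVENTORY))
    print("Missed by CVSS  :", missed_by_cvss_only(INVENTORY))
```

Run as a script, the CVSS-only queue contains only the three findings rated high or critical, while the risk-based queue puts the weaponized, trending medium-severity finding second, and `missed_by_cvss_only` names it as the item a severity-only policy would leave open. In practice the boolean signals would be fed from an exploit database, a threat feed and the agency's published list rather than hard-coded, but the ordering logic is the same.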
The ransomware arms race
The arms race in ransomware is escalating into weaponized payloads, more nuanced approaches to vulnerability chaining, and opportunistic ransomware gangs creating as-a-service programs. Cybersecurity vendors and the organizations they serve need to take on weaponized ransomware with a more effective approach to patch management first, followed by knowing with certainty the state of every endpoint.
Unfortunately, researching long-standing CVEs and finding unpatched instances to exploit is a favored tactic of ransomware gangs. For example, the Cring ransomware quietly capitalized on two vulnerabilities, CVE-2009-3960 and CVE-2010-2861, in Adobe ColdFusion 9, which had been left untouched since 2016 when it was tagged as “end of life.” The group exploited CVE-2010-2861 to gain access to a server at a services-based company and used CVE-2009-3960 to upload web shells, Cobalt Strike’s Beacon payloads, and, finally, the ransomware payload.