Ivanti today announced the results of the Ransomware Index Report Q2 – Q3 2022 that it conducted with Cyber Security Works, a Certifying Numbering Authority (CNA) and Cyware, a leading provider of the technology platform to build Cyber Fusion Centres. The report revealed that ransomware has grown by 466 per cent since 2019 and is increasingly being used as a precursor to physical war as seen in the Russia conflict in Ukraine and the Iran and Albania cyberwar.
Ransomware groups are continuing to grow in volume and sophistication with 35 vulnerabilities becoming associated with ransomware in the first three quarters of 2022 and 159 trending active exploits. Complicating matters, lack of sufficient data and threat context is making it hard for organisations to effectively patch their systems and efficiently mitigate vulnerability exposure.
The report identified 10 new ransomware families (Black Basta, Hive, BianLian, BlueSky, Play, Deadbolt, H0lyGh0st, Lorenz, Maui and NamPoHyu), bringing the total to 170. With 101 CVEs to phish, ransomware attackers are increasingly relying on spear phishing techniques to lure unsuspecting victims to deliver their malicious payload. Pegasus is a powerful example where a simple phishing message was used to create initial backdoor access coupled with iPhone vulnerabilities, leading to infiltration and compromise of many worldwide figures.
Ransomware needs human interaction and phishing as the only attack vector is a myth. We analysed and mapped 323 current ransomware vulnerabilities to MITRE ATT&CK framework to exact tactics, techniques and procedures that can be used as a kill chain to compromise an organisation and found that 57 of them led to a complete system takeover starting from initial access to exfiltration.
The report also identified two new ransomware vulnerabilities (CVE-2021-40539 and CVE-2022-26134), both of which were exploited by prolific ransomware families such as AvosLocker and Cerber either before or on the same day they were added to the National Vulnerability Database (NVD). These statistics emphasise that if organisations rely solely on NVD disclosure to patch vulnerabilities, they will be susceptible to attacks.
The report revealed that CISA’s Known Exploited Vulnerabilities (KEV) catalogue, which provides U.S. public sector companies and government agencies with a list of vulnerabilities to patch within a deadline, is missing 124 ransomware vulnerabilities.
Srinivas Mukkamala, Chief Product Officer at Ivanti, said: “IT and security teams must urgently adopt a risk-based approach to vulnerability management to better defend against ransomware and other threats. This includes leveraging automation technologies that can correlate data from diverse sources (i.e., network scanners, internal and external vulnerability databases and penetration tests), measure risk, provide early warning of weaponisation, predict attacks and prioritise remediation activities. Organisations that continue to rely on traditional vulnerability management practices such as solely leveraging the NVD and other public databases to prioritise and patch vulnerabilities, will remain at high risk of cyberattack.”
Further highlighting the need to evolve beyond traditional vulnerability management practices is the fact that popular scanners are missing vulnerabilities. The report found that 18 vulnerabilities tied to ransomware are not being detected by popular scanners.
Aaron Sandeen, CEO of Cyber Security Works, said, “It’s a scary prospect if the scanners that you depend on are not identifying the vulnerabilities exposed. Organisations need to adopt an attack surface management solution that can discover exposures across all organisational assets.”
Additionally, the report analysed the impact of ransomware on critical infrastructure, with the three worst-hit sectors being healthcare, energy and critical manufacturing. The report revealed that 47.4 per cent of ransomware vulnerabilities affect healthcare systems, 31.6 per cent affect energy systems and 21.1 per cent affect critical manufacturing.
Anuj Goel, Co-founder and CEO at Cyware, said, “Even though post-incident recovery strategies have improved over time, the old adage of prevention being better than cure still rings true. In order to correctly analyse the threat context and effectively prioritise proactive mitigation actions, vulnerability intelligence for SecOps must be operationalised through resilient orchestration of security processes to ensure the integrity of vulnerable assets.”
The report also offered insights into current and future ransomware trends. Notably, malware with cross-platform capabilities soared high in demand as ransomware operators could easily target multiple operating systems via a single codebase. The report also uncovered a significant number of attacks on third-party providers of security solutions and software code libraries, resulting in a plethora of possible victims. Looking ahead, organisations can expect to see new ransomware gangs emerge as prominent groups like Conti and DarkSide supposedly shut down. New gangs will likely reuse or modify the source code and exploit methods adopted by defunct ransomware groups.
The Ransomware Index Spotlight Report is based on data gathered from a variety of sources, including proprietary data from Ivanti and CSW, publicly available threat databases and threat researchers and penetration testing teams.