Ransomware Attacks Grew 29% in 2021, May Cause Greater Carnage in 2022

essidsolutions

Ransomware emerged as a fast-growing attack vector in 2021, surging by 29% year-over-year and costing organizations billions in lost revenue and ransom payments. A recent study by Ivanti sheds light on the most exploited vulnerabilities of 2021, the industries impacted as a result, and how the ransomware threat will evolve in 2022.

According to the Ransomware Spotlight Year End Report by IT and security operations company Ivanti, vulnerabilities that resulted in compromise through ransomware surged by 29% last year. The number of common vulnerabilities and exposures (CVEs) grew from 223 in 2020 to 288 in 2021.

Source: Ivanti

This is less than the 291% growth in ransomware vulnerabilities registered in 2020, which was the most fateful year in terms of damage inflicted by ransomware attacks. An increasing number of ransomware gangs have realized that CVEs, which organizations often overlook, offer a sound business model for malicious operations.

This is why unpatched or zero-day vulnerabilities were the primary attack vectors that ransomware groups exploited in 2021. Zero-day exploits have proved to be crippling for individual entities and the overall economy they serve. Incidentally, ransomware actors exploited many of the 2021 zero-day vulnerabilities before they made it to the National Vulnerability Database (NVD).

Some of the zero-day vulnerabilities whose exploitation resulted in widespread carnage were QNAP (CVE-2021-28799), SonicWall (CVE-2021-20016), Kaseya (CVE-2021-30116), Apache Log4j (CVE-2021-44228), and Colonial Pipeline (CVE-2020-1472). Sector-wise, the impact was felt across critical sectors such as oil & gas, food, pharmacy, health care, and the IT supply chain.


Besides critical vulnerabilities, low or medium severity ones, which may not necessarily attract careful attention, are being exploited as part of a process dubbed vulnerability chaining. The risk for organizations (and opportunity for threat actors) is that these vulnerabilities may not be prioritized for patching.

“Ransomware is not a new threat. Still, it has evolved into a more destructive creature in large part because threat actors know that most organizations are ill-equipped to defend against it, and most barriers of entry have disappeared. Organizations had many data breaches that led to the loss of credentials and PII used in the social engineering phase of attacks,” explained Fleming Shi, CTO at Barracuda Networks.

He added, “DIY ransomware kits are available online for a small fee; less technologically savvy criminals or those who prefer not to do the heavy lifting themselves can outsource the deed using RaaS. The increased value of cryptocurrency and the popularity of cyber insurance have also made ransomware attacks more profitable for cybercriminals, attracting highly organized gangs to operationalize threats like legitimate businesses.”

Of all the products targeted by ransomware gangs, operating systems had the highest number of vulnerabilities (54), followed by software applications (32), web browsers (29), software development kits (15), and application frameworks (15).

The increase in the vulnerability exploits for ransomware also coincides with a rise in the number of ransomware families from 125 in 2020 to 157 in 2021. “Ransomware groups are becoming more sophisticated, and their attacks more impactful. These threat actors are increasingly leveraging automated tool kits to exploit vulnerabilities and penetrate deeper into compromised networks,” said Srinivas Mukkamala, SVP of security products at Ivanti.

Besides the exploitation of unpatched vulnerabilities, the most common penetration methods were data breaches or network intrusions that gradually evolved into ransomware attacks. Entry points such as Remote Desktop Protocol (RDP), Virtual Private Networks (VPNs), XSS bugs, development of Linux variants, Red Teaming tools, internet sharing services, VOIP attacks, a certain degree of social engineering, etc., should be secured.

Network intrusion, however, is the first step in the financially motivated endeavor to take down the organization and hold it for ransom. Ransomware gangs are increasingly renting out their services to others with limited black hat knowledge. These are:

  • Ransomware-as-a-service
  • Exploit-as-a-service
  • Dropper-as-a-service
  • Trojan-as-a-service

Some products, however, were targeted more than others.

Ransomware Repeat Targets | Source: Ivanti


The most active ransomware gangs are:

| Ransomware Gang | Victims |
|-----------------|---------|
| Conti           | 269     |
| Avaddon         | 161     |
| REvil           | 144     |
| DarkSide        | 75      |
| Pysa            | 68      |

All in all, ransomware groups left no stone unturned to find weaknesses in software and leverage them for exploitation. They actively hunted for unknown and unrecognized vulnerabilities, as well as known ones, and weaponized them.

Cybersecurity experts’ forecast for 2022 is equally or even more grim. “In 2022, we will continue to see an increase in new vulnerabilities, exploit types, APT groups, ransomware families, CWE categories, and how old vulnerabilities are leveraged to exploit organizations,” opined Aaron Sandeen, the CEO of Cyber Security Works. “Leaders need innovative and predictive help to prioritize and remediate ransomware threats.”

Ivanti expects NPM libraries, such as JavaScript, application programming interfaces (APIs), and code misconfigurations to be the next big drivers of ransomware operations.

Note: Ivanti’s report is based on proprietary company data, threat research data by Ivanti, Cyware, and Cyber Security Works testing teams, and data from publicly available threat databases.
