Vulnerabilities Associated With Ransomware Up 7.6% in Q1 2022: Report

In their latest Ransomware Index Report Q1 2022, Cyber Security Works and Ivanti dove deep into ransomware-associated vulnerabilities, both existing ones and those that emerged in the first quarter of 2022, which surged by 17.9% and 7.6%, respectively.

The prevalence of ransomware attacks is directly associated with exploiting vulnerabilities, especially legacy ones. According to Ransomware Index Report Q1 2022 by Cyber Security Works (CSW) and Ivanti, 22 new vulnerabilities and nine new weaknesses have been associated with ransomware in Q1 2022, an increase of 7.6% from January.

What’s noteworthy is that half of these 22 vulnerabilities were disclosed in 2019, indicating that threat actors are actively looking for gaps in organizations’ cyber hygiene and in their vulnerability management processes.

“New ransomware vulnerabilities and weaknesses are constantly being identified and reported,” Melissa Wooten, director of global penetration testing at CSW, told Toolbox. Yet, “known exploitable vulnerabilities are being used by ransomware APTs with no sign of slowing down and weaponization of new and old vulnerabilities is occurring at a rapid pace.”

The report’s findings are in tune with Ivanti and CSW’s Ransomware Spotlight Year-End Report from January 2022, which states that 56% of the 223 vulnerabilities discovered before 2021 were being actively targeted by ransomware groups as of December 2021. “I remember when we started working on the Ransomware report in 2019, we thought 57 vulnerabilities were a lot. In 2020, this number quadrupled to 223, and now it is 310,” Wooten said.

Moreover, five vulnerabilities published between 2007 and 2009 were actively trending at the time of the research. “Today, many security and IT teams struggle to identify the real-world risks that vulnerabilities pose and therefore improperly prioritize vulnerabilities for remediation,” said Srinivas Mukkamala, SVP & GM of security products at Ivanti.

“For example, many organizations only patch new vulnerabilities or those that have been disclosed in the National Vulnerability Database (NVD). Others only use the Common Vulnerability Scoring System (CVSS) to score and prioritize vulnerabilities.”

Lax security measures, opaque threat visibility, and discrepancies in common weakness enumeration (CWE) by MITRE, NVD, and Common Attack Pattern Enumeration and Classification (CAPEC) all add to the problem at hand.

As a result, the ransomware trends for Q1 2022 compared to Q4 2021 look like this:

Ransomware Index Q1 2022 | Source: CSW

“Vulnerability scanning plays a massive role in increasing cyber hygiene; however, our research indicates that not all vulnerabilities tied to ransomware are detected by popular vulnerability scanners,” Wooten said.

Senior director of vulnerability management services at CSW, Ravi Pandey, told Toolbox, “One of the most interesting metrics that we are tracking in this report is the number of vulnerabilities that are not being detected by top scanners. Scanners are not infallible, and we should never be lulled into a false sense of security thinking that they have our back.”

“On a positive note,” Wooten adds, “the overall ransomware vulnerabilities not detected by scanners have decreased from 22 (Q4 2021) to 11 (Q1 2022).” Additionally, Wooten pointed out that 141 of CISA’s Known Exploited Vulnerabilities (KEVs) are being used by ransomware groups, including 18 identified this quarter.

Wooten told Toolbox that a “lack of cyber hygiene, budget restrictions, limited manpower, absence of talent, insufficient cybersecurity intelligence at the right time and the lack of visibility and awareness are some of the factors that enable ransomware attacks against organizations.”

“Continuous access to accurate knowledge and data combined with a proactive risk-based approach to cyber security is vital for organizations to strengthen their resilience against evolving ransomware threats.”

However, knowledge is only as good as its availability to organizations. CSW studied the latencies in publishing and patching newly identified vulnerabilities associated with ransomware.

Wooten continued, “Our key takeaways include some vulnerabilities that were exploited within eight days of being published by their vendor. All new ransomware vulnerabilities were published by their vendors together with a patch, and there were a few vulnerabilities that were exploited before they could be added to the NVD (National Vulnerability Database), and on average, new ransomware vulnerabilities were added to the NVD a week after their vendor disclosed them.”

Conti emerged as the ransomware gang associated with the most vulnerabilities (19 of the 22 new ones). BlackCat, LockBit, and AvosLocker exploited the remaining ones. BlackCat (ALPHV) and AvosLocker are new ransomware families that emerged in Q1 2022, along with NightSky and Karma.

AvosLocker and Karma gained prominence for targeting three critical vulnerabilities in Microsoft Exchange Servers alongside the Hive ransomware gang.

Conti, which reportedly disbanded into smaller ransomware gangs last week, also added 44 vulnerability exploits to its arsenal. If Conti members have indeed shed their brand name to join other groups such as HelloKitty, AvosLocker, Hive, and BlackByte, these ransomware gangs could also have Conti’s exploit knowledge base.

Ransomware gangs have targeted critical sectors such as food, automotive, healthcare, finance, and government organizations. CSW singled out and cautioned the healthcare sector because 846 products from 56 vendors host 624 unique vulnerabilities, 40 of which have public exploits.

Across all sectors, 919 unique products from 103 different vendors are susceptible to ransomware. Of these, 164 ransomware-vulnerable products were identified in Q1 2022 (17 in F5 BIG-IP products, 143 in Microsoft Windows, and five in VMware Cloud Foundation and vCenter Server).

Operating systems were found to have the highest number of ransomware-associated vulnerabilities — 125 in Q1 2022. The remaining ransomware-vulnerable products were firewalls (17), web browsers (12), desktop apps (3), cloud desktop apps (2), application frameworks (2), web application frameworks (1), Microsoft Office Suite (1), and email service (1).

Note: Ransomware Index Report Q1 2022 is a joint study by CSW, Ivanti, Securin, and Cyware. The report is based on dynamic analysis of ransomware trends and markers observed in the first quarter of 2022.
