>>Don’t miss our special issue: How Data Privacy Is Transforming Marketing.<<

Ransomware continues to grow fast, increasing by 466% in three years. In addition, 57 vulnerabilities exist today with an entire kill chain mapped — from initial access to exfiltration using the MITRE ATT&CK techniques, tactics and procedures (TTPs) — according to Ivanti’s latest research. 

Ransomware groups also continue to grow in sophistication and volume. Thirty-five new vulnerabilities became associated with ransomware in the first nine months of this year. There are 159 trending active exploits today, proving that ransomware is a popular attack strategy with cyber gangs.  

Ivanti’s latest Ransomware Index Report Q2-Q3 2022, published today, identifies which vulnerabilities lead to ransomware attacks and how quickly undetected ransomware attackers work to take control of an entire organization. Cyber Security Works, a CVE Numbering Authority (CNA), and Cyware, a leading technology platform provider for building Cyber Fusion Centers, collaborated on the study with Ivanti. 

“IT and security teams must urgently adopt a risk-based approach to vulnerability management to better defend against ransomware and other threats. This includes leveraging automation technologies that can correlate data from diverse sources (i.e., network scanners, internal and external vulnerability databases, and penetration tests), measure risk, provide early warning of weaponization, predict attacks and prioritize remediation activities. Organizations that continue to rely on traditional vulnerability management practices, such as solely leveraging the NVD and other public databases to prioritize and patch vulnerabilities, will remain at high risk of cyberattack,” said Srinivas Mukkamala, chief product officer at Ivanti. 

Cyberattackers are quick to capitalize on vulnerabilities

Ivanti’s report shows how motivated ransomware attackers are at identifying and taking action on vulnerabilities that quickly lead to taking control of infrastructure undetected. Staying dormant to avoid detection and gradually distributing ransomware across every server they can, ransomware attackers are always on the hunt for new servers and infrastructure to exploit. 

Looking at the National Vulnerability Database (NVD) for context into how vulnerabilities progress into trending active exploits, it’s clear that CISOs and their teams need real-time threat intelligence to stay ahead of ransomware attack attempts. The progression pipeline from vulnerability to active exploit is dynamic and changes fast, making real-time visibility across every asset critical. 

“Even though post-incident recovery strategies have improved over time, the old adage of prevention being better than cure still rings true. In order to correctly analyze the threat context and effectively prioritize proactive mitigation actions, vulnerability intelligence for secops must be operationalized through resilient orchestration of security processes to ensure the integrity of vulnerable assets” said Anuj Goel, cofounder and CEO at Cyware.

There are 154,790 vulnerabilities in the NVD that are the basis of the analysis. Image source: Ivanti Ransomware Index Report Q2-Q3 2022.

Key insights from the Ivanti study 

Finding experienced cybersecurity experts and IT professionals continues to be a challenge for every organization. Another gap attackers exploit is when organizations don’t have enough experts on staff who know how to use threat intelligence tools, automate patch management and reduce the risks of ransomware attacks. Having a fully staffed IT and cybersecurity team helps to take on the growing risks and threats the Ivanti report found, which are summarized here. 

Ransomware vulnerabilities have grown 466% since 2019 and continue accelerating today

Thirteen new vulnerabilities that can be exploited with ransomware were discovered in the last three months alone. The total number of vulnerabilities tied to ransomware is now 323, with 35 new vulnerabilities associated with ransomware discovered just this year. 

Ransomware attackers constantly explore how to capitalize on vulnerabilities before CISA tracks them. Currently, there are 159 trending active exploits that CISA tracks and organizations need to defend against in their overall risk and security management strategies. 

Ivanti found 57 vulnerabilities exploitable by ransomware attackers with complete kill chains from initial access to exfiltration available

Ransomware attackers look for new ways to capitalize on the weaknesses in longstanding common vulnerabilities and exposures (CVEs), often exploiting legacy systems and their lack of security. Ivanti’s study also illustrates how attackers often are faster than enterprises in identifying weaknesses to capitalize on. Microsoft, Oracle, VMware, Atlassian, Apache and 15 others are the primary vendors with these 57 vulnerabilities. Of these, 34 vulnerabilities are remote code execution (RCE) and privilege escalation (PE) exploits, two common techniques ransomware attackers use to initiate attacks. 

There are 57 vulnerabilities with complete kill chains, making them extremely dangerous. Image source: Ivanti Ransomware Index Report Q2-Q3 2022.

The research discovered ten new ransomware families

The new ransomware families include Black Basta, Hive, BianLian, BlueSky, Play, Deadbolt, H0lyGh0st, Lorenz, Maui and NamPoHyu, bringing the total to 170. With 101 CVEs to phish, ransomware attackers increasingly rely on spear phishing techniques (a more personalized form of phishing) to lure unsuspecting victims into delivering their malicious payload. The report cites Pegasus as a powerful example where a simple phishing message, coupled with iPhone vulnerabilities, was used to create initial backdoor access and led to the infiltration and compromise of many worldwide figures.

Future of ransomware 

Look for more source code reuse and shared attack methods leading to more sophisticated attacks. The more prominent ransomware groups, including Conti, DarkSide and others, are either shutting down or morphing into smaller groups, including Black Basta and BlackMatter.  

In addition, more shared attack methods will be modified based on what ransomware gangs are learning in real time from intrusion and breach attempts. In response to the hardened nature of organizations’ security, attackers launch more sophisticated attacks with advanced tactics, including encrypting all of the digital assets and data a business has. This will continue exerting immense pressure on the victims of ransomware attacks as attackers resort to data leaks and deleting data if ransoms are paid or not.