Cybersecurity’s challenge for 2022 is defeating weaponized ransomware

Ransomware assault strategists proceed to focus on zero-day vulnerabilities, execute supply chain attacks, fine-tune vulnerability chaining, and seek for vulnerabilities in end-of-life merchandise to enhance the chances their ransomware assaults will succeed. Ivanti’s Ransomware Spotlight Year End Report illustrates why ransomware turned the fastest-growing cyberattack technique in 2021 and into 2022. There’s been a 29% development in ransomware vulnerabilities in only a yr, rising from 223 to 288 widespread vulnerabilities and exposures (CVEs).  

Final yr, SonicWall recorded a 148% surge in international ransomware assaults (as much as 495 million), making 2021 the worst yr the corporate has ever recorded. The corporate additionally predicted 714 million tried ransomware assaults by the shut of 2021, a 134% enhance over final yr’s totals. Organizations pay a median of $220,298 and suffer 23 days of downtime following a ransomware attack, additional damaging their companies, manufacturers, and buyer relationships. 

Weaponized ransomware is rising 

Cybercriminal, ransomware, and superior persistent menace (APT) teams are fast-tracking their efforts to weaponize ransomware and concurrently take down total provide chains utilizing vulnerability chaining. Seven new APT teams are utilizing ransomware vulnerabilities to mount assaults this yr, which means there’s now a complete of 40 APT teams across the globe utilizing ransomware..

New ransomware households created within the final yr are being designed to scale ransomware-as-a-service, exploit-as-a-service, Dropper-as-a-service, and Trojan-as-a-service platforms. Platform-based approaches to offering ransomware as a service are among the many fastest-growing ransomware gangs growth areas.

Ivanti’s ransomware analysis uncovered 125 ransomware households between 2018–2020, together with 32 new households in 2021, a 25.6% enhance within the total household depend. With 157 ransomware households exploiting 288 vulnerabilities, ransomware attackers are prioritizing weaponization. Exploit codes are constructed to make the most of a vulnerability and outline a vulnerability as weaponized. The examine discovered that public exploit codes can be found for 57% (164) of ransomware vulnerabilities. Of those, 109 vulnerabilities will be exploited remotely (Distant Code Execution). The exploit vulnerabilities additionally embrace 23 vulnerabilities able to privilege escalation, 13 vulnerabilities that may result in denial-of-service assaults, and 40 vulnerabilities able to exploiting net functions. 

Distant vulnerabilities are particularly prevalent in mushy targets – a favourite of cybercriminals, ransomware, and ABT gangs. Final yr’s assaults on well being care suppliers, oil and fuel provide chains, meals distributors and their provide chains, pharmacy, schools, universities, and faculties underscore how prevalent this technique is. These vital sectors are identified for not having the cybersecurity funding or experience on workers to offer superior menace detection and deterrence, and infrequently have techniques which might be a yr behind or extra on patches.  

Procrastinating about patching invitations ransomware

Endpoints which have conflicting brokers or are down-rev on patches are simply as weak as an endpoint with no safety in any respect. The Ivanti examine discovered that unpatched vulnerabilities had been probably the most outstanding assault vectors exploited by ransomware teams in 2021. There are 223 vulnerabilities related to ransomware in 2020, rising 29% in 2021, taking the full vulnerability depend to 288 CVEs. Over 30% of those 65 newly added vulnerabilities are actively looked for on the web, emphasizing prioritizing and addressing these vulnerabilities.

Organizations aren’t staying present on patch administration, leaving their endpoints open for more and more refined, nuanced ransomware assaults. Of the present 288 ransomware CVEs, the Cybersecurity and Infrastructure Safety Company (CISA), the Division of Homeland Safety (DHS), the FBI, the Nationwide Safety Company (NSA), and different safety companies have put out a number of warnings for 66 of them. Their warnings talk the urgency of prioritizing patches for vulnerabilities instantly. CISA additionally just lately launched a binding directive that forces the hand of public sector firms to patch a selected record of vulnerabilities, full with strict deadlines. This record alone defines 20% of the 288 ransomware vulnerabilities.

Prioritizing patches primarily based on the Widespread Vulnerability Scoring System (CVSS) doesn’t cowl 73.61% of potential ransomware vulnerabilities – 49% of that are trending in ransomware teams. When Ivanti analyzed the 288 ransomware vulnerabilities from the attitude of the CVSS, they discovered that 26.73% belong to the vital class and 30.9% belong to the excessive severity class. Additionally they discovered that 10% of the vulnerabilities had a medium severity ranking, and one vulnerability had a low rating.

“Organizations should be further vigilant and patch weaponized vulnerabilities with out delays. This requires leveraging a mix of risk-based vulnerability prioritization and automatic patch intelligence to establish and prioritize vulnerability weaknesses after which speed up remediation,” Srinivas Mukkamala, senior vice chairman of safety merchandise at Ivanti, informed VentureBeat. 

The ransomware arms race

The arms race in ransomware is escalating into weaponized payloads, extra nuanced approaches to vulnerability chaining, and opportunistic ransomware gangs creating as-a-service packages. Cybersecurity distributors and the organizations they serve must problem battling weaponized ransomware with a simpler strategy to patch administration first, adopted by figuring out with certainty the state of each endpoint. 

Sadly, this can be a favored tactic that ransomware gangs use to analysis long-standing CVEs and discover unpatched vulnerabilities to use. For instance, the Cring ransomware quietly capitalized on two vulnerabilities, CVE-2009-3960 and CVE-2010-2861, in Adobe ColdFusion 9, which was left untouched since 2016 when it was tagged as “finish of life.” The group exploited CVE-2010-2861 to enter into the server of a services-based firm and used CVE-2009-3960 to add net shells, Cobalt Strike’s Beacon payloads, and, lastly, the ransomware payload.