A new report has identified a 7.6 percent increase in ransomware-related vulnerabilities in the first quarter of 2022, with the Conti ransomware group exploiting most of those vulnerabilities.
Ivanti has released the results of its Ransomware Index Report Q1 2022, produced with Cyber Security Works (CSW), a CVE Numbering Authority (CNA), and Cyware, which provides a technology platform for building Cyber Fusion Centers.
The report revealed 22 new vulnerabilities related to ransomware (bringing the total to 310). It linked Conti, a prolific ransomware group that pledged support to the Russian government after the invasion of Ukraine, with 19 of those new vulnerabilities.
The report also revealed a 7.5 percent increase in APT groups associated with ransomware, a 6.8 percent increase in actively exploited and trending vulnerabilities, and a 2.5 percent increase in ransomware families. Breaking down those numbers further, the analysis found that three new APT groups (Exotic Lily, APT 35, DEV-0401) started using ransomware to attack their targets, ten new active and trending vulnerabilities were associated with ransomware (bringing the total to 157) and four new ransomware families (AvosLocker, Karma, BlackCat, Night Sky) became active in Q1 2022.
In addition, the report revealed that ransomware operators continued to exploit vulnerabilities faster than ever and to target those that cause maximum disruption and impact. This increased sophistication means ransomware groups are now exploiting vulnerabilities within eight days of a patch being released.
It also means that even minor laxity in the security measures of third-party vendors and organizations is enough for ransomware groups to gain entry to vulnerable networks. To make matters worse, some popular scanners fail to detect several major ransomware vulnerabilities.
The report found that over 3.5 percent of ransomware vulnerabilities are missed by these scanners, leaving organizations at high risk.
“The failure of scanners to detect critical ransomware vulnerabilities is a huge problem for organizations,” said Aaron Sandeen, CEO of Cyber Security Works.
“CSW experts continuously monitor this as part of our research and analysis. The good news is that this quarter saw the number decline. This means scanner companies are taking this seriously,” he says.
That said, there are still 11 ransomware vulnerabilities that the scanners fail to detect, five of which are rated critical and are associated with notorious ransomware gangs such as Ryuk, Petya, and Locky.
A further impediment to security and IT teams is the fact that there are gaps in the National Vulnerability Database (NVD), the MITRE Corporation's Common Attack Pattern Enumeration and Classification (CAPEC) list, and the Known Exploited Vulnerabilities (KEV) catalog from the US Cybersecurity and Infrastructure Security Agency (CISA). The report found that the NVD lacks Common Weakness Enumerations (CWEs) for 61 vulnerabilities, while the CAPEC list lacks CWEs for 87 vulnerabilities. And on average, a ransomware vulnerability is added to the NVD a week after a vendor discloses it.
At the same time, 169 ransomware-associated vulnerabilities are yet to be added to the CISA KEV catalog. Meanwhile, attackers worldwide are actively targeting 100 vulnerabilities, scanning organizations for a single unpatched instance to exploit.
Srinivas Mukkamala, senior vice president and general manager of security products at Ivanti, added: “Threat actors are increasingly targeting cyber hygiene deficiencies, including outdated vulnerability management processes.
“Today, many security and IT teams struggle to identify the real risks posed by vulnerabilities and therefore incorrectly prioritize vulnerabilities for remediation,” he says.
For example, many only patch new vulnerabilities or those revealed in the NVD. Others only use the Common Vulnerability Scoring System (CVSS) to score and prioritize vulnerabilities.
“To better protect organizations from cyber-attacks, security and IT teams must adopt a risk-based approach to vulnerability management. This requires AI-based technology that can identify business risks and active threats, provide early warning of vulnerabilities being exploited, predict attacks, and prioritize remediation work.”
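The two gaps the report describes (prioritizing on CVSS alone, and NVD/KEV records that lag behind or lack CWE data) can be made concrete in a few lines. The following is an added example and not code from the report or from Ivanti, CSW or Cyware: it ranks a vulnerability inventory by exploitation evidence (ransomware association, CISA KEV listing, public exploit) before CVSS, compares that ordering with a CVSS-only ordering, and flags records whose enrichment data is missing or that the scanner cannot detect. The scoring weights, the field layout, and every CVE identifier and value in the sample inventory are constructed for illustration and are not claims about real CVEs.

```python
"""Risk-based vulnerability prioritization versus CVSS-only ordering.

Added example; not from the Ransomware Index Report. Weights and sample data
are assumptions chosen to illustrate the approach, not published values.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: Optional[float]         # None when NVD has not yet scored the CVE
    cwe: Optional[str]            # None when NVD/CAPEC lacks a CWE mapping
    in_kev: bool                  # listed in the CISA KEV catalog
    ransomware_groups: tuple      # ransomware families linked to the CVE
    public_exploit: bool          # a public exploit exists
    scanner_detects: bool         # our vulnerability scanner has a check for it


# Assumed weights: evidence of real-world exploitation dominates severity.
W_RANSOMWARE = 40.0
W_KEV = 30.0
W_PUBLIC_EXPLOIT = 20.0
UNSCORED_CVSS = 5.0               # an unscored CVE is treated as medium, never ignored


def risk_score(f: Finding) -> float:
    """Ordering key: exploitation evidence first, CVSS breaks ties."""
    score = 0.0
    if f.ransomware_groups:
        score += W_RANSOMWARE
    if f.in_kev:
        score += W_KEV
    if f.public_exploit:
        score += W_PUBLIC_EXPLOIT
    score += f.cvss if f.cvss is not None else UNSCORED_CVSS
    return score


def prioritize(findings) -> list:
    """Risk-based order: highest risk_score first."""
    return sorted(findings, key=risk_score, reverse=True)


def cvss_only(findings) -> list:
    """The ordering the report warns against: CVSS alone, unscored CVEs last."""
    return sorted(findings, key=lambda f: f.cvss if f.cvss is not None else 0.0,
                  reverse=True)


def data_gaps(findings) -> dict:
    """Flag records that a CVSS/NVD-driven process would mishandle."""
    gaps = {"missing_cwe": [], "missing_cvss": [],
            "ransomware_not_in_kev": [], "undetected_by_scanner": []}
    for f in findings:
        if f.cwe is None:
            gaps["missing_cwe"].append(f.cve)
        if f.cvss is None:
            gaps["missing_cvss"].append(f.cve)
        if f.ransomware_groups and not f.in_kev:
            gaps["ransomware_not_in_kev"].append(f.cve)
        if not f.scanner_detects:
            gaps["undetected_by_scanner"].append(f.cve)
    return gaps


# Constructed sample inventory; CVE-0000-* identifiers are placeholders.
SAMPLE = (
    Finding("CVE-0000-0001", 9.8, "CWE-787", False, (), False, True),
    Finding("CVE-0000-0002", 7.5, None, True, ("Conti",), True, True),
    Finding("CVE-0000-0003", None, None, False, ("Ryuk",), True, False),
    Finding("CVE-0000-0004", 5.3, "CWE-79", False, (), False, True),
    Finding("CVE-0000-0005", 8.8, "CWE-502", True, (), False, True),
)


if __name__ == "__main__":
    print("risk-based :", [f.cve for f in prioritize(SAMPLE)])
    print("cvss-only  :", [f.cve for f in cvss_only(SAMPLE)])
    for gap, cves in data_gaps(SAMPLE).items():
        print(f"{gap:22s}: {cves}")
```

On this sample the CVSS-only ordering puts the unscored, Ryuk-linked, scanner-missed CVE-0000-0003 last, while the risk-based ordering puts the two ransomware-associated findings at the top and the CVSS 9.8 finding with no exploitation evidence below them. The data_gaps output is the list a team would use to decide which records need manual enrichment rather than waiting for NVD or KEV to catch up.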
The report also analyzed 56 vendors that provide healthcare applications, medical devices, and hardware used in hospitals and healthcare centers and discovered 624 unique product vulnerabilities. Forty of those vulnerabilities have public exploits, and two vulnerabilities (CVE-2020-0601 and CVE-2021-34527) are associated with four ransomware operators (BigBossHorse, Cerber, Conti, and Vice Society). Unfortunately, this could indicate that ransomware groups will target the healthcare sector more aggressively in the coming months.
Anuj Goel, co-founder and CEO of Cyware, said, “Ransomware is now one of the most predominant attack vectors impacting the bottom line globally.
“The Q1 report underscores the fact with new numbers showing an increase in the number of ransomware vulnerabilities and APTs using ransomware,” he says.
“However, one of the biggest concerns that have emerged is the lack of full threat visibility for security teams due to the cluttered threat intelligence available across all sources.
“If security teams need to mitigate ransomware attacks proactively, they need to link their patch and vulnerability responses to a centralized threat intelligence management workflow that provides full visibility into shape-shifting ransomware attack vectors through multi-source intelligence ingestion, correlation, and security actions.”