Ivanti has announced the results of the Ransomware Index Report Q1 2022 that it conducted with Cyber Security Works, a Certifying Numbering Authority (CNA), and Cyware, a leading provider of the technology platform to build Cyber Fusion Centers. The report identified a 7.6% increase in the number of vulnerabilities tied to ransomware in Q1 2022, with the Conti ransomware group exploiting most of those vulnerabilities. The report uncovered 22 new vulnerabilities tied to ransomware (bringing the total to 310) and connected Conti, a prolific ransomware group that pledged support for the Russian government following the invasion of Ukraine, to 19 of those new vulnerabilities.
The report also revealed a 7.5% increase in APT groups associated with ransomware, a 6.8% increase in actively exploited and trending vulnerabilities, and a 2.5% increase in ransomware families. To further break down those numbers, the analysis revealed that three new APT groups (Exotic Lily, APT 35, DEV-0401) started using ransomware to attack their targets, 10 new active and trending vulnerabilities became associated with ransomware (bringing the total to 157), and four new ransomware families (AvosLocker, Karma, BlackCat, Night Sky) became active in Q1 2022.
Additionally, the report revealed that ransomware operators continued to weaponize vulnerabilities faster than ever before and target those that create maximum disruption and impact. This increased sophistication by ransomware groups has resulted in vulnerabilities being exploited within eight days of patches being released by vendors. It also means that any minor laxity in security measures by third-party vendors and organizations is sufficient for ransomware groups to enter and infiltrate vulnerable networks. To make matters worse, some of the most popular scanners are not detecting several key ransomware vulnerabilities. The research revealed that over 3.5% of ransomware vulnerabilities are being missed, exposing organizations to grave risks.
Aaron Sandeen, CEO of Cyber Security Works, said, “The fact that scanners are not detecting critical ransomware vulnerabilities is a huge problem for organizations. CSW experts are continuously tracking this as a part of our research and analysis. The good news is that in this quarter, we saw the number coming down. This means that scanner companies are taking this seriously. That said, there are still 11 ransomware vulnerabilities that the scanners are not detecting where five are rated critical and associated with notorious ransomware gangs like Ryuk, Petya, and Locky.”
Further handicapping security and IT teams is the fact that gaps exist within the National Vulnerability Database (NVD), the Common Attack Pattern Enumeration and Classification (CAPEC) list by The MITRE Corporation, and the Known Exploited Vulnerabilities (KEVs) catalog by the US Cybersecurity and Infrastructure Security Agency (CISA). The report revealed that the NVD is missing Common Weakness Enumerations (CWEs) for 61 vulnerabilities, while the CAPEC list is missing CWEs for 87 vulnerabilities. And on average, a ransomware vulnerability is added to the NVD a week after being disclosed by a vendor. At the same time, 169 vulnerabilities with ransomware associations have yet to be added to the CISA KEV list. Meanwhile hackers worldwide are actively targeting 100 of these vulnerabilities, scouting organizations for one unpatched instance to exploit.
Srinivas Mukkamala, Senior Vice President & General Manager of Security Products at Ivanti, said: “Threat actors are increasingly targeting flaws in cyber hygiene, including legacy vulnerability management processes. Today, many security and IT teams struggle to identify the real-world risks that vulnerabilities pose and therefore improperly prioritize vulnerabilities for remediation. For example, many only patch new vulnerabilities or those that have been disclosed in the NVD. Others only use the Common Vulnerability Scoring System (CVSS) to score and prioritize vulnerabilities. To better protect organizations against cyberattacks, security and IT teams need to adopt a risk-based approach to vulnerability management. This requires AI-based technology that can identify enterprise exposures and active threats, provide early warnings of vulnerability weaponization, predict attacks, and prioritize remediation activities.”
The report also analyzed 56 vendors that supply healthcare applications, medical devices and hardware used in hospitals and healthcare centers and uncovered 624 unique vulnerabilities in their products. Forty of those vulnerabilities have public exploits, and two vulnerabilities (CVE-2020-0601 and CVE-2021-34527) are associated with four ransomware operators (BigBossHorse, Cerber, Conti, and Vice Society). Unfortunately, this could indicate that the healthcare industry may be targeted more aggressively by ransomware attacks in the coming months.
Anuj Goel, Co-founder and CEO at Cyware, said, “Ransomware is now one of the most predominant attack vectors affecting the bottom line of organizations globally. The Q1 report underscores the fact with new numbers that show an increase in the number of ransomware vulnerabilities and the APTs using ransomware. However, one of the major concerns that has surfaced is the lack of complete threat visibility for security teams owing to cluttered threat intelligence available across sources. If security teams have to mitigate ransomware attacks proactively, they must tie their patch and vulnerability response to a centralized threat intelligence management workflow that drives complete visibility into the shape-shifting ransomware attack vectors through multi-source intelligence ingestion, correlation, and security actioning.”
The Ransomware Index Spotlight Report is based on data gathered from a variety of sources, including proprietary data from Ivanti and CSW, publicly available threat databases, and threat researchers and penetration testing teams.