Ransomware groups are continuing to target unpatched vulnerabilities and weaponise zero-day vulnerabilities in record time to instigate crippling attacks, according to a report by Ivanti.

This is based on its ‘Ransomware Spotlight Year End Report’ conducted with Cyber Security Works, a Certifying Numbering Authority (CNA), and Cyware.

The report identified 32 new ransomware families in 2021, bringing the total to 157 and representing a 26 per cent. increase over the previous year.

Apart from targeting unpatched vulnerabilities and weaponizing zero days, ransomware groups are also broadening their attack spheres and finding newer ways to compromise organisational networks and fearlessly trigger high-impact assaults, the report said.

Attack vectors

As unpatched vulnerabilities remain the most prominent attack vectors exploited by ransomware groups, the analysis uncovered 65 new vulnerabilities tied to ransomware last year, a 29 per cent increase compared to the previous year. This brings the total number of vulnerabilities associated with ransomware to 288. 

Further, over one-third (37%) of these newly added vulnerabilities were actively trending on the dark web and repeatedly exploited. 56% of the 223 older vulnerabilities identified prior to 2021 continued to be actively exploited by ransomware groups. 

“This proves that organisations need to prioritize and patch the weaponized vulnerabilities that ransomware groups are targeting – whether they are newly identified vulnerabilities or older vulnerabilities,” it said.

In terms of leveraging zero-day vulnerabilities, attackers take benefit of zero days even before the CVEs are added to the National Vulnerability Database and patches are released. 

“The QNAP (CVE-2021-28799), Sonic Wall (CVE-2021-20016), Kaseya (CVE-2021-30116), and most recently Apache Log4j (CVE-2021-44228) vulnerabilities were exploited even before they made it to the National Vulnerability Database (NVD). This dangerous trend highlights the need for agility from vendors in disclosing vulnerabilities and releasing patches based on priority,” as per the report.

Organisations also need to look beyond the NVD and keep an eye out for vulnerability trends, exploitation instances, vendor advisories, and alerts from security agencies while prioritising the vulnerabilities to patch, it further added.

Among other trends, supply chain networks have been one of the primary targets of ransomware groups.

They are increasingly targeting supply chain networks to inflict major damage and cause widespread chaos. 

“A single supply chain compromise can open multiple avenues for threat actors to hijack complete system distributions across hundreds of victim networks,” it said.

Threat actors

Last year, threat actors compromised supply chain networks via third-party applications, vendor-specific products, and open-source libraries. 

Ransomware groups are increasingly sharing their services with others, similar to legitimate SaaS offerings. 

“Ransomware-as-a-service is a business model in which ransomware developers offer their services, variants, kits, or code to other malicious actors in return for payment. Exploit-as-a-service solutions allow threat actors to rent zero-day exploits from developers,” explained the report.

Additionally, malware can also be distributed through dropper-as-a-service for newbie threat actors.

This is done through programs that, when run, can execute a malicious payload onto a victim’s computer. Apart from this, trojan-as-a-service, also called malware-as-a-service, enables anyone with an internet connection to obtain and deploy customised malware in the cloud, with zero installation.

“With 157 ransomware families exploiting 288 vulnerabilities, ransomware groups are poised to wage rampant attacks in the coming years,” it said, emphasising cyber hygiene.

Moving forward, it has also become increasingly important to automate cyber hygiene, as environments continue to get more complicated, as per the report.

Cyber hygiene

Srinivas Mukkamala, Senior Vice President of Security Products at Ivanti, said: “Ransomware groups are becoming more sophisticated, and their attacks more impactful.”

“These threat actors are increasingly leveraging automated tool kits to exploit vulnerabilities and penetrate deeper into compromised networks. They are also expanding their targets and waging more attacks on critical sectors, disrupting daily lives and causing unprecedented damage. Organisations need to be extra vigilant and patch weaponized vulnerabilities without delays. This requires leveraging a combination of risk-based vulnerability prioritization and automated patch intelligence to identify and prioritize vulnerability weaknesses and then accelerate remediation,” Mukkamala added. Anuj Goel, CEO at Cyware, said, “The substantive change we’ve observed across the ransomware landscape is that the attackers are looking to penetrate processes like patch deployment as much as they look for gaps in protection to penetrate systems.”

“Vulnerability discovery must be met with an action that treats vulnerability data as intelligence to drive swift response decisions. As ransomware gangs operationalize their tooling, methods, and target lists, it’s essential for SecOps teams to automate processes to self-heal vulnerable assets and systems to mitigate risk through real-time intelligence operationalisation,” added Goel.

According to Aaron Sandeen, CEO of Cyber Security Works, “Ransomware is devastating to customers and employees in every sector. In 2022, we will continue to see an increase in new vulnerabilities, exploit types, APT groups, ransomware families, CWE categories, and how old vulnerabilities are leveraged to exploit organisations. Leaders need innovative and predictive help to prioritize and remediate ransomware threats.”