A new report from Cyber Security Works (CSW), Ivanti, Cyware, and Securin reveals ransomware's devastating toll on organisations globally in 2022, with 20 of the 56 vulnerabilities tied to ransomware last year having been initially discovered between 2015 and 2019.
The study, 2023 Spotlight Report: Ransomware Through the Lens of Threat and Vulnerability Management, identified 56 new vulnerabilities associated with ransomware threats among a total of 344 threats identified in 2022, representing a 19% annual increase.
Threat actors are actively searching the internet and deep and dark web for 180 vulnerabilities associated with ransomware. In the last quarter of 2022, these groups used ransomware to exploit 21 vulnerabilities.
Critical takeaways for 2022 include:
- Kill chains impact more IT products: A complete MITRE ATT&CK now exists for 57 vulnerabilities associated with ransomware. Ransomware groups can use kill chains to exploit vulnerabilities that span 81 unique products.
- Scanners are not detecting all threats: Popular scanners do not detect 20 vulnerabilities associated with ransomware.
- More APT groups are launching ransomware attacks: CSW observed more than 50 Advanced Persistent Threat (APT) groups deploying ransomware to launch attacks—a 51% increase from 33 in 2020. Four APT groups: DEV-023, DEV-0504, DEV-0832, and DEV-0950, were newly associated with ransomware in Q4 2022 and mounted crippling attacks.
- Many vulnerabilities have not yet been added to CISA’s KEV list: While the CISA Known Exploited Vulnerabilities (KEVs) catalogue contains 8,661 vulnerabilities, 131 of the vulnerabilities associated with ransomware are yet to be added.
- Multiple software products are affected by open-source issues: Reusing open-source code in software products replicates vulnerabilities, such as the one found in Apache Log4i. For example, CVE-2021-45046, an Apache Log4j vulnerability, is present in 93 products from 16 vendors and is exploited by AvosLocker ransomware. Another Apache Log4j vulnerability, CVE-2021-45105, is present in 128 products from 11 vendors and is also exploited by AvosLocker ransomware.
- Software weaknesses persist across releases: More than 80 Common Weakness Enumeration (CWE) flaws contribute to vulnerabilities that are being exploited by attackers. With a 54% increase from 2021 to 2022, this finding highlights the need for software vendors and application developers to evaluate software code before it is released.
- Old is still gold for ransomware operators: More than 76% of vulnerabilities still being exploited by ransomware were discovered between 2010 and 2019. In 2022, of the 56 vulnerabilities tied to ransomware, 20 were discovered between 2015 and 2019.
- Common Vulnerability Scoring System (CVSS) scores may mask risks: The study found 57 ransomware-associated vulnerabilities with low and medium-sized scores associated with infamous ransomware families and can wreak havoc on an organisation and disrupt business continuity.
“Our survey findings indicate that knowledge has not translated to power for many organisations,” says Aaron Sandeen, CEO and Co-founder of CSW and Securin. “IT and security teams are being tripped up by open-source, old, and low-scoring vulnerabilities associated with ransomware. IT and security teams will want to scrutinise both in-house and vendor software to identify and remediate vulnerabilities before deploying new solutions and patch existing software as soon as vulnerabilities are announced.”
Ransomware is top of mind for every organisation, whether in the private or public sector, says Srinivas Mukkamala, Chief Product Officer, Ivanti. “Combating ransomware has been placed at the top of the agenda for world leaders because of the rising toll being placed on organisations, communities and individuals. It is imperative that all organisations truly understand their attack surface and provide layered security to their organisation so they can be resilient in the face of increasing attacks.”
The report also provides a special investigation into US states’ attack surface. Securin passively scanned US government assets exposed to the internet in all states.
Key findings include:
- The West has the most significant attack surface, with the highest number of assets.
- The South has the most open exposures, followed closely by the West.
- The Midwest has the most exploitable exposures, followed by the South.
- The South has the highest number of dangerous Remote Code Execution and Privilege Escalation (RCE/PE) exploits, with a ratio of one critical exposure per 100 assets.
- The Midwest has the highest ransomware-exploitable exposures, followed by the West.
- The South has the most CISA KEV exposures, followed by the Northeast.
- The Midwest has the highest number of exposed internal assets, while the Northeast has the most significant number of high-risk services.
“IT and security teams working for the U.S. state government have the opportunity to practice good cyber hygiene and reduce their agencies’ attack surface,” says Sandeen. “Our report identifies the top 10 vulnerabilities these teams should focus on.”
IT teams that adopt automated vulnerability discovery and risk scoring platforms can prioritise key exposures by asset impact and criticality and remediate those first.
“IT and security teams must continuously remediate key exposures to significantly reduce their organisations’ attack surface and achieve resilience against adversaries,” says Anuj Goel, Co-founder and CEO of Cyware.