Ransomware gangs are increasingly taking advantage of unpatched vulnerabilities in software applications and operating systems to gain access to company networks, and they are adopting zero-day vulnerabilities quickly. Unpatched vulnerabilities are currently the major attack vector in ransomware attacks, according to Ivanti’s Ransomware End of Year Spotlight report.
Ivanti produced the report together with the CVE Numbering Authority (CNA) Cyber Security Works and the next-gen SOAR and threat intelligence solution provider Cyware. The report identified 32 new ransomware variants in 2021, a 26% increase compared to the previous year. There are now 157 known ransomware families being used in cyberattacks on organizations.
Ivanti states that 65 new vulnerabilities that ransomware groups are known to have exploited were discovered in 2021, a 29% increase year-over-year. The total number of vulnerabilities linked to ransomware attacks is now 288. 37% of the new vulnerabilities were trending on the dark web and were exploited in several attacks, and 56% of the 223 older vulnerabilities are still regularly exploited by ransomware gangs.
Ransomware groups, and the initial access brokers they frequently use, are looking for zero-day vulnerabilities to use in their attacks even before CVE identifiers are assigned to the vulnerabilities and they are added to the National Vulnerability Database (NVD). Examples include the QNAP (CVE-2021-28799), SonicWall (CVE-2021-20016), Kaseya (CVE-2021-30116), and Apache Log4j (CVE-2021-44228) vulnerabilities.
The report shows the value of applying patches quickly and the need to prioritize patching so that weaponized vulnerabilities are patched first. Although it is crucial to monitor vulnerabilities as they are added to the NVD, security teams should also subscribe to threat intelligence feeds and security advisories from security institutions, and should watch for reports of active exploitation and vulnerability trends.
Though ransomware attacks on individual businesses are typical, ransomware gangs are seeking major paydays and are increasingly targeting managed service providers and supply chain networks in order to inflict damage on as many companies as possible. A supply chain attack, or an attack on a managed service provider, allows a ransomware gang to carry out ransomware attacks on dozens or even hundreds of victim systems, as in REvil’s ransomware attack on the Kaseya VSA remote management service.
Ransomware groups are likewise increasingly collaborating with other criminal operators in these ways:
- ransomware-as-a-service (RaaS), where affiliates are recruited to carry out large numbers of attacks for a share of the ransom payments
- exploit-as-a-service, where exploits for known vulnerabilities are rented from their developers
- dropper-as-a-service operations, where ransomware gangs pay malware operators to place malicious payloads on vulnerable devices.
Ransomware groups are more sophisticated now, and their attacks are more successful. These threat actors are utilizing automated toolkits to exploit vulnerabilities and move deeper into compromised networks, stated Srinivas Mukkamala, Ivanti’s Senior Vice President of Security Products. Companies must be extra cautious and patch weaponized vulnerabilities immediately. This demands utilizing a mix of risk-based vulnerability prioritization and automated patch intelligence to determine and prioritize vulnerability weaknesses and then speed up remediation.
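As an added illustration of the risk-based prioritization the report and Mukkamala describe (this is example code, not Ivanti's or the report's own tooling), the script below ranks a patch queue so that vulnerabilities with ransomware exploitation evidence come before merely severe ones, and attaches a remediation deadline per tier. The CVE identifiers are the four named in the article; the CVSS scores, flags, placeholder `CVE-EXAMPLE-*` entries and SLA values are constructed sample data, not figures from the report.

```python
"""Risk-based patch prioritisation: weaponised vulnerabilities first.

Added example, not code from Ivanti or the report. All scores, flags and
SLA values below are constructed to illustrate the scheme.
"""
from dataclasses import dataclass


@dataclass
class Vuln:
    cve: str
    product: str
    cvss: float
    ransomware_exploited: bool = False  # linked to ransomware campaigns
    trending: bool = False               # exploit chatter seen on criminal forums
    tier: str = ""
    sla_days: int = 0


# Constructed remediation deadlines (days) per tier; tune to your own policy.
SLA = {"weaponised": 1, "trending": 3, "critical": 7, "routine": 30}
TIER_RANK = {"weaponised": 0, "trending": 1, "critical": 2, "routine": 3}


def classify(v: Vuln) -> Vuln:
    """Assign a tier: exploitation evidence outranks CVSS severity alone."""
    if v.ransomware_exploited:
        v.tier = "weaponised"
    elif v.trending:
        v.tier = "trending"
    elif v.cvss >= 9.0:
        v.tier = "critical"
    else:
        v.tier = "routine"
    v.sla_days = SLA[v.tier]
    return v


def patch_order(vulns):
    """Order by tier, then CVSS descending, then CVE id for a stable result."""
    ranked = [classify(v) for v in vulns]
    return sorted(ranked, key=lambda v: (TIER_RANK[v.tier], -v.cvss, v.cve))


SAMPLE = [  # constructed data; only the four real CVE ids come from the article
    Vuln("CVE-2021-44228", "Apache Log4j", 10.0, ransomware_exploited=True, trending=True),
    Vuln("CVE-2021-30116", "Kaseya VSA", 9.8, ransomware_exploited=True),
    Vuln("CVE-2021-20016", "SonicWall", 9.8, ransomware_exploited=True),
    Vuln("CVE-2021-28799", "QNAP", 9.8, ransomware_exploited=True),
    Vuln("CVE-EXAMPLE-0001", "Internal app", 9.9),                # placeholder: severe, no exploitation seen
    Vuln("CVE-EXAMPLE-0002", "Internal app", 6.5, trending=True), # placeholder: moderate CVSS, exploit chatter
    Vuln("CVE-EXAMPLE-0003", "Internal app", 5.3),                # placeholder: routine
]

if __name__ == "__main__":
    for v in patch_order(SAMPLE):
        print(f"{v.tier:<11} SLA {v.sla_days:>2}d  {v.cve:<18} {v.product:<13} CVSS {v.cvss}")
```

Note that the trending CVSS 6.5 placeholder is scheduled ahead of the unexploited CVSS 9.9 one: that inversion is the whole point of prioritizing on exploitation evidence rather than on severity score alone.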