New Delhi -Salt Lake City: Ransomware groups are increasingly targeting zero-day vulnerabilities and supply chain networks for maximum impacts revealed Ransomware Spotlight Year-End report.
The report findings released by Ivanti identified 32 new ransomware families in 2021, bringing the total to 157 and representing a 26% increase over 2020.
These ransomware groups are continuing to target unpatched vulnerabilities and weaponize zero-day vulnerabilities in record time to instigate crippling attacks.
At the same time, they are broadening their attack spheres and finding newer ways to compromise organisational networks and fearlessly trigger high-impact assaults, observed the report.
Unpatched vulnerabilities remain the most prominent attack vectors exploited by ransomware groups. The analysis uncovered 65 new vulnerabilities tied to ransomware in 2021. A 29% increase compared to 2020, bringing the total number of vulnerabilities associated with ransomware to 288.
Alarmingly, over one-third (37%) of these newly added vulnerabilities were actively trending on the dark web and repeatedly exploited. 56% of the 223 older vulnerabilities identified prior to 2021 continued to be actively exploited by ransomware groups.
Organisations need to prioritize patching the weaponized vulnerabilities that ransomware groups are targeting.
Even before the CVEs are added to the National Vulnerability Database and patches are released, ransomware groups continue to find and leverage zero-day vulnerabilities
Some of the vulnerabilities that have been exploited include the QNAP (CVE-2021-28799), Sonic Wall (CVE-2021-20016), Kaseya (CVE-2021-30116) and most recently Apache Log4j (CVE-2021-44228).
This dangerous trend highlights the need for agility from vendors in disclosing vulnerabilities and releasing patches based on priority. It also highlights the need for organisations to look beyond the NVD. They need to watch out for vulnerability trends, exploitation instances, vendor advisories, and alerts from security agencies while prioritizing the vulnerabilities to patch.
Ransomware groups are increasingly targeting supply chain networks to inflict major damage and cause widespread chaos. A single supply chain compromise can open multiple avenues for threat actors to hijack complete system distributions across hundreds of victim networks.
In 2021, threat actors compromised supply chain networks via third-party applications, vendor-specific products, and open-source libraries.
For example, the REvil group went after CVE-2021-30116 in the Kaseya VSA remote management service, launching a malicious update package that compromised all customers using onsite and remote versions of the VSA platform.
Ransomware groups are increasingly sharing their services with others, much like legitimate SaaS offerings. Ransomware-as-a-service is a business model in which ransomware developers offer their services, variants, kits, or code to other malicious actors in return for payment.
Exploit-as-a-service solutions allow threat actors to rent zero-day exploits from developers.
Additionally, dropper-as-a-service allows newbie threat actors to distribute malware through programs that, when run, can execute a malicious payload onto a victim’s computer.
Trojan-as-a-service, also called malware-as-a-service, enables anyone with an internet connection to obtain and deploy customised malware in the cloud, with zero installation.
With 157 ransomware families exploiting 288 vulnerabilities, ransomware groups are poised to wage rampant attacks in the coming years.
Organisations pay an average of $220,298 and suffer 23 days of downtime following a ransomware attack, according to Coveware.
Ransomware groups are becoming more sophisticated, and their attacks more impactful, according to Srinivas Mukkamala, SVP – Security Products, Ivanti. These threat actors are increasingly leveraging automated tool kits to exploit vulnerabilities and penetrate deeper into compromised networks.
“They are also expanding their targets and waging more attacks on critical sectors, disrupting daily lives and causing unprecedented damage. Organisations need to be extra vigilant and patch weaponized vulnerabilities without delays,” said Mukkamala.
“This requires leveraging a combination of risk-based vulnerability prioritization and automated patch intelligence to identify and prioritize vulnerability weaknesses and then accelerate remediation,” concluded Mukkamala