The report highlights a 7.6% spike in ransomware vulnerabilities and APT groups.
In the last quarter, ransomware attacks have made mainstream headlines on a near-daily basis, with groups like Lapsus$ and Conti’s names splashed across the page. Major organizations like Okta, Globant and Kitchenware maker Meyer Corporation have all fallen victim, and they are very much not alone. The data indicates that increasing vulnerabilities, new advanced persistent threat (APT) groups and new ransomware families are contributing to ransomware’s continued prevalence and proﬁtability.
The Top Stats
Published in collaboration with Securin, an attack surface management leader, Ivanti, the creator of the Ivanti Neurons hyper-automation platform, and Cyware, a leading provider of the technology platform to build Cyber Fusion Centers, the Ransomware 2022 Q1 Index Report’s top ﬁndings include:
- 22 new vulnerabilities and nine new weaknesses have been associated with ransomware since January 2022; of the 22, a whopping 21 are considered of critical or high risk severity
- 19 (out of 22) of the newly-added vulnerabilities are associated with the Conti ransomware gang
- Three new APT groups (Exotic Lily, APT 35, DEV-0401) and four new ransomware families (AvosLocker, Karma, BlackCat, Night Sky) are deploying ransomware to attack their targets
- 141 of CISA’s Known Exploited Vulnerabilities (KEVs) are being used by ransomware operators – including 18 newly identified this quarter
- 11 vulnerabilities tied to ransomware remain undetected by popular scanners
- 624 unique vulnerabilities were found within the 846 healthcare products analyzed
Increase in Ransomware Vulnerabilities
The 7.6% increase in vulnerabilities brings the total number to 310, highlighting the fact that ransomware operators are relentlessly going after weaknesses that could be quickly weaponized. CSW researchers also noticed a 6.8% increase in vulnerabilities trending in the deep and dark web and hacker channels, proving the signiﬁcance of these vulnerabilities in future ransomware attacks. Our threat intelligence research also predicts a high possibility of exploitation for 19 vulnerabilities, of which 14 were warned as having high threat chatter more than 10 months prior to the time of publishing this report.
Increase in APT Groups Using Ransomware
The Q1 research uncovered that three new APT Groups, Exotic Lily, APT 35 and DEV-0401, have started using ransomware to mount attacks on their targets, increasing the overall number of global APT groups from 40 to 43. These groups have long been known to use espionage and are major players in the Russia-Ukraine cyberwar and conﬂict. With Conti ransomware operators openly pledging their support to the Russian government, it was not surprising that Conti added 27 new vulnerabilities to its arsenal in Q1 2022.
“Today, on average, vulnerabilities are being weaponized within eight days of being published by the vendor. Latencies are dangerous windows of opportunities that are afforded to the attackers, and they spare no time in exploiting them,” said Aaron Sandeen, CEO and co-founder, CSW. “We also noticed that attackers are going after speciﬁc types of weaknesses (CWEs) associated with key products. Organizations will need to utilize attack surface management and perform additional application scanning to understand and prioritize vulnerabilities associated with ransomware.”
Scanners Still Aren’t Detecting 3.5% of All Vulnerabilities
The report reveals that from the previous quarter, there has been a decrease in the number of undetected vulnerabilities – from 22 to 11. These 11 vulnerabilities are associated with ransomware groups such as Ryuk, Petya and Locky.
Healthcare Must be on High Alert
Additionally, CSW researchers analyzed 846 products used in the healthcare sector and investigated 624 unique vulnerabilities that exist in them. Forty of them have public exploits available, while two vulnerabilities, CVE-2020-0601 and CVE-2021-34527, in Biomerieux Operating System and Stryker’s ADAPT, NAV3i, NAV3 surgical navigation platforms, Scopis ENUs, respectively, are being exploited by four ransomware operators – BigBossHorse, Cerber, Conti, and Vice Society.
Anuj Goel, co-founder, and CEO of Cyware, concluded, “One of the major concerns that has surfaced from this research is the lack of complete threat visibility for security teams due to cluttered threat intelligence available across sources. If security teams have to mitigate ransomware attacks proactively, they must tie their patch and vulnerability response to a centralized threat intelligence management workﬂow that drives complete visibility into the shape-shifting ransomware attack vectors through multi-source intelligence ingestion, correlation and security actioning.”
To download the full report, visit https://cybersecurityworks.com/ransomware/.