
Ransomware attackers continue to exploit vulnerabilities faster than ever, setting an unrelenting pace. A recent survey by Sophos found that 66% of businesses worldwide were victims of a ransomware attack in the past year, up 78% year-on-year. Ivanti’s Ransomware Index Report Q1 2022, released today, explains why ransomware is becoming increasingly deadly.
Ivanti’s latest index revealed that the number of ransomware-related vulnerabilities increased by 7.6% in the first quarter of 2022 compared to the end of 2021. The report uncovered 22 new ransomware-related vulnerabilities (310 in total), 19 of them linked to Conti, one of the most prolific ransomware groups of 2022. Conti has pledged support to the Russian government following the invasion of Ukraine. According to Ivanti’s report, global ransomware-related vulnerabilities jumped from 57 to 310 in two years.
The ransomware designer’s goal: to make payloads more deadly and undetectable
Infiltrating a network quickly and without detection is the primary design goal of ransomware creators. Ivanti’s recent report shows that ransomware groups are focused on evading detection while capitalizing on data gaps and long-standing gaps in legacy CVEs.
“Threat actors are increasingly targeting cyber hygiene vulnerabilities, including legacy vulnerability management processes,” Srinivas Mukkamala, senior VP and general manager of security products at Ivanti, told VentureBeat. “Today, many security and IT teams struggle to identify the real risks that represent vulnerabilities, and as a result, misprioritize vulnerabilities for remediation. For example, many only patch new vulnerabilities or those disclosed in the NVD. Others just use the Common Vulnerability Scoring System (CVSS) to rate and prioritize vulnerabilities.”
Making ransomware payloads more deadly and undetectable is a reliable revenue stream for cybercriminal gangs and Advanced Persistent Threat (APT) groups. In 2020, $692 million in ransomware payments were made, nearly double what Chainalysis originally identified by tracking publicly available data.
Smash-and-grab ransomware attacks are becoming the norm. APT groups, cybercriminals and ransomware groups are taking a faster and more versatile approach to their attack strategies to evade detection. Throughout the first quarter of this year, attacks focused on legacy ransomware-related vulnerabilities grew the fastest at 17.9%. In Q1, ransomware attackers targeted CVE-2015-2546, a seven-year-old medium-severity vulnerability. Two other vulnerabilities from 2016 and 2017 were also exploited in ransomware attacks in Q1.
The Ivanti report also found that 11 ransomware-related vulnerabilities went undetected by popular scanners. Ransomware developers with advanced skills perform regression testing and the equivalent of software quality assurance on their bots, payloads, and executables before releasing them. Regression testing against scanners is common in the largest APT and ransomware groups.
Also, in the first quarter of this year, three new APT groups (Exotic Lily, APT 35 and DEV-0401) began deploying ransomware. Ransomware creators have also created four new ransomware families (AvosLocker, Karma, BlackCat, and Night Sky) to attack their targets.

Defeat ransomware with better data
Ransomware developers are now so fast that they can create new bots to deliver payloads, including executables, faster than a vulnerability can be patched. What is needed is a data-driven approach to patch management that leverages the predictive accuracy of machine learning to identify when endpoints, devices, and assets need a specific patch immediately to stay protected.
The future of ransomware detection and security is data-driven patch management that prioritizes and quantifies adversary risk based on threat intelligence, current exploit trends, and validation by security analysts. Microsoft’s acquisition of RiskIQ, Ivanti’s acquisition of RiskSense and its Vulnerability Intelligence and Vulnerability Risk Rating, and Broadcom’s acquisition of Symantec are in part due to the need for organizations to take a more data-driven approach to protecting their networks from ransomware.
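As an added illustration (not from Ivanti's report or the original article), the Python example below contrasts patching by CVSS threshold alone with a ranking that also weighs ransomware association, exploit trends and analyst validation. The field names, weights and placeholder CVE ids are assumptions, and every score, including the medium-band value given to CVE-2015-2546, is a constructed sample value.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str
    cvss: float               # base score (constructed sample values)
    ransomware_linked: bool   # assumed input from a threat-intelligence feed
    exploit_trending: bool    # assumed input: exploitation currently observed
    analyst_validated: bool   # assumed input: confirmed by a security analyst

# Hypothetical weights; a real program would tune these to its own data.
W_RANSOMWARE, W_TRENDING, W_VALIDATED = 10.0, 5.0, 3.0

def cvss_only(findings, threshold=7.0):
    """Patch queue when only CVSS >= threshold is remediated."""
    ranked = sorted(findings, key=lambda f: f.cvss, reverse=True)
    return [f.cve for f in ranked if f.cvss >= threshold]

def risk_score(f):
    """CVSS plus threat-context weights, so a medium CVE can outrank a critical one."""
    return (f.cvss
            + W_RANSOMWARE * f.ransomware_linked
            + W_TRENDING * f.exploit_trending
            + W_VALIDATED * f.analyst_validated)

def threat_informed(findings):
    """Patch queue ordered by combined adversary risk."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]

def missed_by_cvss(findings, threshold=7.0):
    """Ransomware-linked findings that the CVSS-only policy never queues."""
    queued = set(cvss_only(findings, threshold))
    return [f.cve for f in findings if f.ransomware_linked and f.cve not in queued]

# Constructed inventory: one CVE named in the article, three placeholders.
SAMPLE = [
    Finding("CVE-PLACEHOLDER-NEW-CRITICAL", 9.8, False, False, False),
    Finding("CVE-2015-2546", 6.9, True, True, True),   # medium band, constructed score
    Finding("CVE-PLACEHOLDER-NEW-HIGH", 7.5, True, False, True),
    Finding("CVE-PLACEHOLDER-OLD-LOW", 3.1, False, False, False),
]

if __name__ == "__main__":
    print("CVSS-only queue:     ", cvss_only(SAMPLE))
    print("Missed by CVSS-only: ", missed_by_cvss(SAMPLE))
    print("Threat-informed queue:", threat_informed(SAMPLE))
```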