Zero Day vulnerabilities were weaponized in record time; automated ransomware-associated threat services were empowering bad actors with unprecedented scale.
In a recent ransomware report for 2021 based on data gathered from a variety of sources, including proprietary data, publicly available threat databases and research, and penetration testing teams, 32 new ransomware families were identified, bringing the total to 157 and representing a 26% increase over that of 2020.
The report also found that ransomware groups were continuing to target unpatched vulnerabilities and weaponize Zero Day vulnerabilities in record time to instigate crippling attacks. At the same time, they have been broadening their attack spheres and finding newer ways to compromise organizational networks and launch high-impact assaults.
Following are a few top observations and trends gleaned from the sources used in the report:
- A total of 157 ransomware families exploited 288 vulnerabilities, comprising 65 new vulnerabilities tied to ransomware and representing a 29% increase compared to that in 2020.
- 37% of the newly added vulnerabilities were actively trending on the Dark Web and repeatedly exploited. Also, 56% of the 223 older vulnerabilities identified prior to 2021 continued to be actively exploited by ransomware groups covered in the study data.
- Ransomware groups in the study continued to find and leverage Zero Day vulnerabilities even before the CVEs had been added to the National Vulnerability Database (NVD) and patches released. The QNAP (CVE-2021-28799), Sonic Wall (CVE-2021-20016), Kaseya (CVE-2021-30116) and most recently Apache Log4j (CVE-2021-44228) vulnerabilities were exploited even before they had made it to the NVD.
- Threat actors covered in the study compromised supply chain networks via third-party applications, vendor-specific products and open-source libraries. A single supply chain compromise can open multiple avenues for threat actors to hijack complete system distributions across hundreds of victim networks. For example, the REvil group went after CVE-2021-30116 in the Kaseya VSA remote management service, launching a malicious update package that compromised all customers using onsite and remote versions of the VSA platform.
- Ransomware-as-a-Service and Exploit-as-a-Service groups had allowed threat actors to rent Zero Day exploits from developers. Additionally, Dropper-as-a-Service allowed newbie threat actors to distribute malware through programs that , when run, can execute a malicious payload. Trojan-as-a-Service (or Malware-as-a-Service) enabled anyone with an internet connection to obtain and deploy customised malware in the Cloud, with zero installation.
Srinivas Mukkamala, Senior Vice President of Security Products, Ivanti, said threat actors are increasingly leveraging automated tool kits to exploit vulnerabilities and penetrate deeper into compromised networks. “Organizations need to be extra vigilant and patch weaponized vulnerabilities without delay. This requires leveraging a combination of risk-based vulnerability prioritization and automated patch intelligence to identify and prioritize vulnerability weaknesses and then accelerate remediation.”
Aaron Sandeen, CEO, Cyber Security Works, said 2022 will witness an increase in new vulnerabilities, exploit types, APT groups, ransomware families, CWE categories and how old vulnerabilities are leveraged to exploit organizations. “Leaders need innovative and predictive help to prioritize and remediate ransomware threats.”
Cyware’s CEO Anuj Goel noted that attackers were looking to penetrate processes like patch deployment as much as they looked for gaps in protection to penetrate systems. “Vulnerability discovery must be met with actions that treat vulnerability data as intelligence to drive swift response decisions. As ransomware gangs operationalize their tooling, methods and target lists, it is essential for SecOps teams to automate processes to self-heal vulnerable assets and systems to mitigate risk through real-time intelligence operationalization.”