Ransomware attackers probe known Common Vulnerabilities and Exposures (CVEs) for weaknesses and exploit them quickly, launching attacks faster than vendor teams can ship fixes. Regrettably, ransomware attackers also make attacks more complex, costly, and difficult to identify and stop by reacting to the weaknesses of potential targets faster than organizations can respond.
The knowledge gap about ransomware is growing
Two recent research studies, Ivanti’s latest ransomware report, produced with Cyber Security Works and Cyware, and a second study by Forrester Consulting on behalf of Cyware, show that the gap between how quickly businesses can detect a ransomware threat and the speed of a cyberattack is growing. Both studies give a strong indication of how far behind organizations are in detecting and countering ransomware attacks.
Ransomware attackers are expanding their attack arsenals ever faster and are quickly adopting new technologies. The Ransomware Index Update Q3 2021 found that ransomware groups added 12 new vulnerability assignments to their attack arsenal in the third quarter, twice as many as in the previous quarter. Newer, more sophisticated techniques such as Trojan-as-a-Service and Dropper-as-a-Service (DaaS) are being used in attacks. Additionally, more ransomware code has leaked online over the past year as more advanced cybercriminals seek to recruit less advanced gangs into their ransomware networks.
Ransomware continues to be one of the fastest-growing cyberattack strategies of 2021. The number of known security vulnerabilities related to ransomware rose from 266 to 278 in the third quarter of 2021 alone. Trending vulnerabilities actively exploited to launch attacks also increased by 4.5%, bringing the total to 140. Additionally, Ivanti’s index update identified five new ransomware families in the third quarter, bringing the total number of ransomware families worldwide to 151.
Ransomware groups mine known CVEs to find and exploit zero-day vulnerabilities before the CVEs are added to the National Vulnerability Database (NVD) and patches are released. Based on current attack patterns, 258 CVEs created prior to 2021 are now linked to ransomware; that is 92.4% of all ransomware-related vulnerabilities tracked today. The high number of legacy CVEs further shows how aggressively ransomware attackers capitalize on the weaknesses of recent CVEs.
Threat intelligence is difficult to find
According to Forrester’s Opportunity Snapshot study commissioned by Cyware, 71% of security leaders say their teams need access to threat intelligence, security operations data, incident response data, and vulnerability data. However, 65% currently find it challenging to give security teams access to that data in a cohesive manner. Today, 64% cannot share cyber threat data across functions, which limits the reach of the Security Operations Center (SOC), incident response, and threat intelligence between departments. The following graphic shows how far behind organizations are in providing real-time threat intelligence. The knowledge gap between businesses and ransomware attackers is growing, accelerating how quickly attackers capitalize on known CVE weaknesses.
Because companies cannot access real-time threat intelligence data, ransomware attackers can pursue more complex and sophisticated attacks more quickly while demanding higher ransom payments. The Treasury Department’s Financial Crimes Enforcement Network (FinCEN) published a report in June 2021 finding that the value of suspicious activity in ransomware-related Suspicious Activity Reports (SARs) reached $590 million in the first six months of 2021, surpassing the $416 million reported for all of 2020. FinCEN also found that $5.2 billion in Bitcoin was paid to the top ten ransomware gangs over the past three years. The average ransom is now $45 million, with Bitcoin the preferred currency of payment.
Attack on the vulnerabilities in CVEs
The Q3 2021 Ransomware Index Spotlight Report shows how ransomware attackers investigate long-standing CVEs to find exploitable vulnerabilities in legacy systems that inadequately protected organizations often have not discovered. One example is how the HelloKitty ransomware uses CVE-2019-7481, a CVE with a Common Vulnerability Scoring System (CVSS) score of 7.5. Additionally, the index notes that the Cring ransomware family added two vulnerabilities (CVE-2009-3960 and CVE-2010-2861) that have existed for over a decade. Patches are available, but organizations remain vulnerable to ransomware attacks because they have not yet patched legacy applications and operating systems. For example, a successful ransomware attack recently took place on a ColdFusion server that was running an outdated version of Microsoft Windows. The following compares the timelines of two CVEs and illustrates how Cring ransomware has been exploiting vulnerabilities for over a decade after they were first reported:
As of the third quarter of 2021, there are 278 CVEs, or security vulnerabilities, related to ransomware, quantifying the threat’s rapid growth. In addition, 12 vulnerabilities are now linked to seven strains of ransomware. One of the new vulnerabilities identified this quarter follows the zero-day exploit in Dec.
On July 7th, 2021, Kaseya confirmed the attack, and the vulnerability was added to the NVD on July 9th, 2021. A patch for it was published on 07/11/2021. Unfortunately, the vulnerability was exploited by the REvil ransomware group while Kaseya’s security team was preparing to release a patch for its systems (after the vulnerability had been reported in April 2021). The following table provides insights into the 12 newly assigned vulnerabilities by CVE, sorted by CVSS score. Organizations that know they have vulnerabilities associated with these CVEs need to accelerate their efforts to obtain vulnerability intelligence, threat intelligence, incident response data, and security operations data.
The balance of power is shifting to ransomware attackers as new technologies are added to their arsenals and attacks are launched more quickly. Because of this, organizations need to act with greater urgency to standardize threat intelligence, patch management, and most importantly zero-trust security if they are to have a chance of stopping ransomware attacks. REvil’s Kaseya attack confirms the ongoing trend of ransomware groups exploiting zero-day vulnerabilities even before the National Vulnerability Database (NVD) publishes them. The attack also underscores the need for an agile patch cadence that fixes vulnerabilities as soon as they are identified, rather than waiting for an inventory-driven and often slow roll-out of patch management across all device inventories.
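To make the patch-cadence point concrete, here is an added example (not code from the report, from Ivanti, or from VentureBeat) that orders constructed scan findings into a patch queue: CVEs the page links to ransomware go first, then higher CVSS, then older CVEs. Host names, dates, the placeholder CVE id and all CVSS scores other than the 7.5 the page gives for CVE-2019-7481 are assumed sample values.

```python
from dataclasses import dataclass
from datetime import date

# Ransomware-linked CVEs named on this page and the family that uses them.
RANSOMWARE_LINKED = {
    "CVE-2019-7481": "HelloKitty",
    "CVE-2009-3960": "Cring",
    "CVE-2010-2861": "Cring",
}

@dataclass
class Finding:
    host: str
    cve: str
    cvss: float            # constructed except for CVE-2019-7481 (7.5 per the page)
    published: date        # constructed publication dates for illustration
    patch_available: bool

TODAY = date(2021, 10, 1)  # assumed "now" (end of Q3 2021)

def age_days(f: Finding, today: date = TODAY) -> int:
    """Days since the CVE was published: legacy CVEs score as more urgent."""
    return (today - f.published).days

def priority(f: Finding, today: date = TODAY) -> tuple:
    """Sort key: ransomware-linked first, then higher CVSS, then older CVE.
    Negations make an ascending sort read as 'most urgent first'."""
    linked = f.cve in RANSOMWARE_LINKED
    return (not linked, -f.cvss, -age_days(f, today))

def patch_queue(findings, today: date = TODAY):
    """Return only findings with a patch available, most urgent first."""
    actionable = [f for f in findings if f.patch_available]
    return sorted(actionable, key=lambda f: priority(f, today))

def describe(f: Finding, today: date = TODAY) -> str:
    family = RANSOMWARE_LINKED.get(f.cve, "-")
    return f"{f.host} {f.cve} cvss={f.cvss} age={age_days(f, today)}d ransomware={family}"

# Constructed scan findings; "CVE-2021-PLACEHOLDER" stands in for any unlinked recent CVE.
SAMPLE = [
    Finding("cf-01", "CVE-2010-2861", 7.5, date(2010, 8, 11), True),
    Finding("vpn-02", "CVE-2019-7481", 7.5, date(2019, 12, 17), True),
    Finding("web-03", "CVE-2021-PLACEHOLDER", 9.8, date(2021, 9, 1), True),
    Finding("db-04", "CVE-2009-3960", 4.3, date(2010, 2, 15), False),
]

if __name__ == "__main__":
    for finding in patch_queue(SAMPLE):
        print(describe(finding))
```

Note that the unlinked 9.8 finding sorts below both ransomware-linked 7.5 findings, and the unpatched finding is held back for a separate mitigation track rather than silently dropped into the queue.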
VentureBeat’s mission is to be a digital marketplace for tech decision makers to gain knowledge of transformative technologies and transactions.