Ransomware now being used as a precursor to physical war: Report
Ransomware threats have grown by 466% since 2019, and it is increasingly being used as a precursor to physical war as seen in the Russia conflict in Ukraine and the Iran-Albania cyberwar.
These are the findings of the Ransomware Index Report Q2-Q3 2022 conducted by US-based IT software company Ivanti with Cyber Security Works, a certifying numbering authority (CNA), and Cyware, a provider of the technology platform to build cyber fusion centres.
Ransomware groups are continuing to grow in volume and sophistication with 35 vulnerabilities becoming associated with ransomware in the first three quarters of 2022 and 159 trending active exploits.
Complicating matters, lack of sufficient data and threat context is making it hard for organisations to effectively patch their systems and efficiently mitigate vulnerability exposure.
The report identified 10 new ransomware families (Black Basta, Hive, BianLian, BlueSky, Play, Deadbolt, H0lyGh0st, Lorenz, Maui, and NamPoHyu), bringing the total to 170.
With 101 common vulnerabilities and exposures (CVEs) to phish, ransomware attackers are increasingly relying on spear phishing techniques to lure unsuspecting victims to deliver their malicious payload.
Pegasus is a powerful example where a simple phishing message was used to create initial backdoor access, which, coupled with iPhone vulnerabilities, led to infiltration and compromise of many worldwide figures.
Ransomware needs human interaction, and phishing as the only attack vector is a myth. The report analysed and mapped 323 current ransomware vulnerabilities to MITRE ATT&CK framework to exact tactics, techniques, and procedures that can be used as a kill chain to compromise an organisation and found that 57 of them lead to a complete system takeover starting from initial access to exfiltration.
The report also identified two new ransomware vulnerabilities (CVE-2021-40539 and CVE-2022-26134), both of which were exploited by prolific ransomware families such as AvosLocker and Cerber either before or on the same day they were added to the national vulnerability database (NVD). These statistics emphasise that if organisations rely solely on NVD disclosure to patch vulnerabilities, they will be susceptible to attacks.
The report revealed that CISA’s known exploited vulnerabilities (KEV) catalog, which provides US public sector companies and government agencies with a list of vulnerabilities to patch within a deadline, is missing 124 ransomware vulnerabilities.
"IT and security teams must urgently adopt a risk-based approach to vulnerability management to better defend against ransomware and other threats. This includes leveraging automation technologies that can correlate data from diverse sources (i.e., network scanners, internal and external vulnerability databases, and penetration tests), measure risk, provide early warning of weaponisation, predict attacks, and prioritise remediation activities. Organisations that continue to rely on traditional vulnerability management practices, such as solely leveraging the NVD and other public databases to prioritise and patch vulnerabilities, will remain at high risk of cyber-attack,” said Srinivas Mukkamala, chief product officer at Ivanti.
Further highlighting the need to evolve beyond traditional vulnerability management practices is the fact that popular scanners are missing vulnerabilities.
The report found that 18 vulnerabilities tied to ransomware are not being detected by popular scanners.
“It’s a scary prospect if the scanners that you depend on are not identifying the vulnerabilities exposed. Organisations need to adopt an attack surface management solution that can discover exposures across all organisational assets,” said Aaron Sandeen, CEO of Cyber Security Works, said,
The report analysed the impact of ransomware on critical infrastructure, with the three worst-hit sectors being healthcare, energy, and critical manufacturing. The report revealed that 47.4% of ransomware vulnerabilities affect healthcare systems, 31.6% affect energy systems, and 21.1% affect critical manufacturing.
“Even though post-incident recovery strategies have improved over time, the old adage of prevention being better than cure still rings true. In order to correctly analyse the threat context and effectively prioritise proactive mitigation actions, vulnerability intelligence for SecOps must be operationalised through resilient orchestration of security processes to ensure the integrity of vulnerable assets,” said Anuj Goel, co-founder and CEO at Cyware.
The report also offered insights into current and future ransomware trends.
Malware with cross-platform capabilities soared high in demand as ransomware operators could easily target multiple operating systems via a single codebase.
The report uncovered a significant number of attacks on third-party providers of security solutions and software code libraries, resulting in a plethora of possible victims.
Looking ahead, organisations can expect to see new ransomware gangs emerge as prominent groups like Conti and DarkSide supposedly shut down. New gangs will likely reuse or modify the source code and exploit methods adopted by defunct ransomware groups, the report noted.