Teams at Securin, Cyber Security Works (CSW), Ivanti, and Cyware published their annual ransomware report — the latest edition titled “Ransomware Through the Lens of Threat & Vulnerability Management” — showing the lingering threat ransomware still poses to organizations around the world. The lion’s share of vulnerabilities that ransomware still uses to hold data hostage have been around for well over a decade, the study revealed. “Overall, 76% of vulnerabilities exploited by ransomware are old — discovered between 2010 and 2019,” the report states. “In 2022, 56 vulnerabilities became tied to ransomware, out of which 20 were old vulnerabilities discovered between 2015 and 2019. These vulnerabilities are being exploited by notorious ransomware gangs, such as Conti, BlackCat, Hive, and BlackByte,” it added.
131 Ransomware Vulnerabilities not on CISA’s KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) maintains a catalog of Known Exploited Vulnerabilities (KEVs) highlighting known weaknesses within U.S. public sector entities’ computer systems. These bodies must ensure that they address the vulnerabilities in the catalog to secure themselves. Currently, the catalog has 866 vulnerabilities. However, the study found that 131 other vulnerabilities were left off the list, potentially leaving public sector organizations exposed to ransomware. Furthermore, the study claims that 16% of the ransomware-associated vulnerabilities have a low or medium CVSS score. This could be very dangerous for organizations that prioritize vulnerabilities based on CVSS scores alone. The report also noted an alarming finding: security scanners used by many organizations — such as Nessus, Nexpose and Qualys — do not detect such ransomware vulnerabilities in networks and systems. Organizations are given a “false sense of security,” researchers said. “We identified 20 vulnerabilities associated with ransomware for which plugins and detection signatures are yet to be added,” the report stated.
APT Actors Add Ransomware to Arsenal
The report added that APT groups are adding ransomware capabilities to their arsenal. The study observed four new groups launching ransomware attacks in the last quarter of 2022. “Advanced Persistent Threat (APT) groups are adding ransomware as part of their threat arsenal to target their victims,” it adds. “In 2020, 33 APT groups were observed deploying ransomware to mount their attacks, and this count increased to 50 in 2022.” More APT groups emerged from the shadows in the year’s last quarter, according to researchers. Four new ransomware groups were identified, known only by the names DEV-023, DEV-0504, DEV-0832, and DEV-0950. In the order listed, the first two groups used BlackCat ransomware exclusively for their targets, while the third used Vice Society, Zeppelin and BlackCat ransomware to attack organizations in education, government and retail, respectively. The fourth used CL0P and Cryptomix.
Vulnerabilities Across Products Thanks to Apache Log4j
Ransomware continues to exploit Apache Log4j vulnerabilities, and thanks to the reuse of source code in various software products, the same issues exist across multiple products, researchers noted. Researchers found six separate points that could be exploited by Satan, AvosLocker, RAR1Ransom, and BigBossHorse ransomware in multiple software products. One Apache Log4j vulnerability, exploited by AvosLocker, was present in 93 products from 16 vendors. Another Log4j vulnerability was found in 128 products from 11 vendors.
Ransomware Remains a Serious Threat
In recent years, several organizations in the United States have faced crippling ransomware attacks, the most high-profile likely being the one that caused the shutdown of Colonial Pipeline. Ransomware has also hit healthcare institutions, causing chaos for doctors, staff and patients. The rise in incidents led the White House and federal agencies, such as CISA and the FBI, to address ransomware threats. Despite these initiatives, the U.S. saw no decline in ransomware incidents in 2022.