Ivanti, the provider of the Ivanti Neurons automation platform that discovers, manages, secures, and services IT assets from cloud to edge, today announced the results of the Ransomware Index Report Q2-Q3 2022 that it conducted with Cyber Security Works, a CVE Numbering Authority (CNA), and Cyware, a leading provider of the technology platform to build Cyber Fusion Centers. The report revealed that ransomware has grown by 466% since 2019 and is increasingly being used as a precursor to physical war, as seen in Russia's conflict in Ukraine and the Iran-Albania cyberwar.
Ransomware groups are continuing to grow in volume and sophistication with 35 vulnerabilities becoming associated with ransomware in the first three quarters of 2022 and 159 trending active exploits. Complicating matters, lack of sufficient data and threat context is making it hard for organizations to effectively patch their systems and efficiently mitigate vulnerability exposure.
The report identified 10 new ransomware families (Black Basta, Hive, BianLian, BlueSky, Play, Deadbolt, H0lyGh0st, Lorenz, Maui, and NamPoHyu), bringing the total to 170. With 101 CVEs usable for phishing, ransomware attackers are increasingly relying on spear phishing techniques to lure unsuspecting victims into delivering their malicious payload. Pegasus is a powerful example: a simple phishing message was used to create initial backdoor access, and coupled with iPhone vulnerabilities it led to the infiltration and compromise of many worldwide figures.
Ransomware needs human interaction, and the idea that phishing is the only attack vector is a myth. We analyzed and mapped 323 current ransomware vulnerabilities to the MITRE ATT&CK framework to extract the tactics, techniques, and procedures that can be used as a kill chain to compromise an organization, and found that 57 of them lead to a complete system takeover, from initial access through to exfiltration.
The report also identified two new ransomware vulnerabilities (CVE-2021-40539 and CVE-2022-26134), both of which were exploited by prolific ransomware families such as AvosLocker and Cerber either before or on the same day they were added to the National Vulnerability Database (NVD). These statistics emphasize that if organizations rely solely on NVD disclosure to patch vulnerabilities they will be susceptible to attacks.
The report revealed that CISA’s Known Exploited Vulnerabilities (KEV) catalog, which provides U.S. public sector companies and government agencies with a list of vulnerabilities to patch within a deadline, is missing 124 ransomware vulnerabilities.
Srinivas Mukkamala, Chief Product Officer at Ivanti, said: “IT and security teams must urgently adopt a risk-based approach to vulnerability management to better defend against ransomware and other threats. This includes leveraging automation technologies that can correlate data from diverse sources (i.e., network scanners, internal and external vulnerability databases, and penetration tests), measure risk, provide early warning of weaponization, predict attacks, and prioritize remediation activities. Organizations that continue to rely on traditional vulnerability management practices, such as solely leveraging the NVD and other public databases to prioritize and patch vulnerabilities, will remain at high risk of cyberattack.”
Further highlighting the need to evolve beyond traditional vulnerability management practices is the fact that popular scanners are missing vulnerabilities. The report found that 18 vulnerabilities tied to ransomware are not being detected by popular scanners.
Aaron Sandeen, CEO of Cyber Security Works, said, “It’s a scary prospect if the scanners that you depend on are not identifying the vulnerabilities exposed. Organizations need to adopt an attack surface management solution that can discover exposures across all organizational assets.”
Additionally, the report analyzed the impact of ransomware on critical infrastructure, with the three worst-hit sectors being healthcare, energy, and critical manufacturing. The report revealed that 47.4% of ransomware vulnerabilities affect healthcare systems, 31.6% affect energy systems, and 21.1% affect critical manufacturing.
Anuj Goel, Co-founder and CEO at Cyware, said, “Even though post-incident recovery strategies have improved over time, the old adage of prevention being better than cure still rings true. In order to correctly analyze the threat context and effectively prioritize proactive mitigation actions, vulnerability intelligence for SecOps must be operationalized through resilient orchestration of security processes to ensure the integrity of vulnerable assets.”
The report also offered insights into current and future ransomware trends. Notably, malware with cross-platform capabilities was in high demand, as ransomware operators could easily target multiple operating systems from a single codebase. The report also uncovered a significant number of attacks on third-party providers of security solutions and software code libraries, resulting in a plethora of possible victims. Looking ahead, organizations can expect to see new ransomware gangs emerge as prominent groups like Conti and DarkSide supposedly shut down. New gangs will likely reuse or modify the source code and exploit methods adopted by defunct ransomware groups.
The Ransomware Index Spotlight Report is based on data gathered from a variety of sources, including proprietary data from Ivanti and CSW, publicly available threat databases, and threat researchers and penetration testing teams.
Ivanti makes the Everywhere Workplace possible. In the Everywhere Workplace, employees use myriad devices to access IT applications and data over various networks to stay productive as they work from anywhere. The Ivanti Neurons automation platform connects the company’s industry-leading unified endpoint management, cybersecurity, and enterprise service management solutions, providing a unified IT platform that enables devices to self-heal and self-secure and empowers users to self-service. Over 45,000 customers, including 96 of the Fortune 100, have chosen Ivanti to discover, manage, secure, and service their IT assets from cloud to edge, and deliver excellent end-user experiences for employees, wherever and however they work. For more information, visit www.ivanti.com and follow @GoIvanti.
Cyware helps enterprise cybersecurity teams build platform-agnostic cyber fusion centers by delivering cyber threat intelligence and next-generation SOAR (security orchestration, automation, and response) solutions. As a result, organizations can increase speed and accuracy while reducing costs and analyst burnout. Cyware's Cyber Fusion solutions make secure collaboration, information sharing, and enhanced threat visibility a reality for MSSPs, enterprises, government agencies, and sharing communities (ISAC/ISAO/CERTs and others) of all sizes and needs. Visit cyware.com for more information or follow us on LinkedIn and Twitter.
CSW is a cybersecurity services company focused on attack surface management and penetration testing as a service. Our innovation in vulnerability and exploit research led us to discover 45+ zero days in popular products from vendors such as Oracle, D-Link, WSO2, Thembay, and Zoho, among others. We became a CVE Numbering Authority to enable thousands of bug bounty hunters and to play a critical role in the global effort of vulnerability management. As an acknowledged leader in vulnerability research and analysis, CSW is ahead of the game in helping organizations worldwide secure their business from ever-evolving threats. For more information visit www.cybersecurityworks.com or follow us on LinkedIn and Twitter.