76% of Vulnerabilities Currently Exploited by Ransomware Groups Were Discovered Before 2020, Report Finds

Joint study by Cyber Security Works, Ivanti, Cyware, and Securin also identifies 56 new ransomware-associated vulnerabilities, for a year-end total of 344 ransomware threats in 2022

ALBUQUERQUE, NM — February 16, 2023 —

A new report from Cyber Security Works (CSW), Ivanti, Cyware, and Securin reveals the devastating toll that ransomware had on organizations globally in 2022. The study, 2023 Spotlight Report: Ransomware Through the Lens of Threat and Vulnerability Management,, identified 56 new vulnerabilities associated with ransomware threats among a total of 344 threats identified in 2022—marking a 19% increase year-over-year. Threat actors are actively searching the internet and deep and dark web for 180 vulnerabilities known to be associated with ransomware. In the last quarter of 2022, these groups used ransomware to exploit 21 of these vulnerabilities.


Top Findings for 2022

  • Kill chains impact more IT products: A complete MITRE ATT&CK now exists for 57 vulnerabilities associated with ransomware. Ransomware groups can use kill chains to exploit vulnerabilities that span 81 unique products.

  • Scanners are not detecting all threats: Popular scanners do not detect 20 vulnerabilities associated with ransomware.
     
  • More APT groups are launching ransomware attacks: CSW observed more than 50 Advanced Persistent Threat (APT) groups deploying ransomware to launch attacks—a 51% increase from 33 in 2020. Four APT groups: DEV-023, DEV-0504, DEV-0832, and DEV-0950, were newly associated with ransomware in Q4 2022 and mounted crippling attacks.
     
  • Many vulnerabilities have not yet been added to CISA’s KEV list: While the CISA Known Exploited Vulnerabilities (KEVs) catalog contains 8661 vulnerabilities, 131 of the vulnerabilities associated with ransomware are yet to be added.
     
  • Multiple software products are affected by open-source issues: Reusing open-source code in software products replicates vulnerabilities, such as the one found in Apache Log4i. For example, CVE-2021-45046, an Apache Log4j vulnerability, is present in 93 products from 16 vendors and is exploited by AvosLocker ransomware. Another Apache Log4j vulnerability, CVE-2021-45105, is present in 128 products from 11 vendors and is also exploited by AvosLocker ransomware.
     
  • Software weaknesses persist across releases: More than 80 Common Weakness Enumeration (CWE) flaws contribute to vulnerabilities that are being exploited by attackers. With a 54% increase from 2021 to 2022, this finding highlights the need for software vendors and application developers to evaluate software code before it is released.
     
  • Old is still gold for ransomware operators: More than 76% of vulnerabilities still being exploited by ransomware were discovered between 2010 and 2019. In 2022, of the 56 vulnerabilities tied to ransomware, 20 were discovered between 2015 and 2019.
     
  • Common Vulnerability Scoring System (CVSS) scores may mask risks: The study found 57 ransomware-associated vulnerabilities with low and medium-sized scores that are associated with infamous ransomware families and can wreak havoc on an organization and disrupt business continuity.

“Our survey findings indicate that knowledge has not translated to power for many organizations,” said Aaron Sandeen, CEO and Co-founder of CSW and Securin. “IT and security teams are being tripped up by open-source, old, and low-scoring vulnerabilities associated with ransomware. IT and security teams will want to scrutinize both in-house and vendor software to identify and remediate vulnerabilities before deploying new solutions and patch existing software as soon as vulnerabilities are announced.”

“Ransomware is top of mind for every organization whether in the private or public sector,” said Srinivas Mukkamala, Chief Product Officer, Ivanti. “Combating ransomware has been placed at the top of the agenda for world leaders because of the rising toll being placed on organizations, communities and individuals. It is imperative that all organizations truly understand their attack surface and provide layered security to their organization so they can be resilient in the face of increasing attacks.”

A Snapshot of U.S. State Security

The report also provides a special investigation into U.S. states’ attack surface. Securin passively scanned U.S. government assets exposed to the internet in all states. Key findings include:

  • The West has the greatest attack surface, with the highest number of assets.
  • The South has the most open exposures, followed closely by the West.
  • The Midwest has the most exploitable exposures, followed by the South.
  • The South has the highest number of dangerous Remote Code Execution and Privilege Escalation (RCE/PE) exploits, with a ratio of one critical exposure per 100 assets.
  • The Midwest has the highest number of ransomware exploitable exposures, followed by the West.
  • The South has the most CISA KEV exposures, followed by the Northeast.
  • The Midwest has the highest number of exposed internal assets, while the Northeast has the greatest number of high-risk services.

“IT and security teams working for the U.S. state government have the opportunity to practice good cyber hygiene and reduce their agencies’ attack surface,” said Sandeen. “Our report identifies the top 10 vulnerabilities these teams should focus on.”

Using Report Insights to Prioritize Efforts and Drive Lasting Change

IT teams that adopt automated vulnerability discovery and risk scoring platforms can prioritize key exposures by asset impact and criticality, and remediate those first.

“IT and security teams must continuously remediate key exposures to significantly reduce their organizations’ attack surface and achieve resilience against adversaries,” says Anuj Goel, Co-founder and CEO, Cyware. “Our report provides compelling insights that teams can use to focus their efforts, beginning with older and open-source vulnerabilities that attackers are continuing to exploit.”

To download the full report, visit cybersecurityworks.com/ransomware.

About CSW

Cyber Security Works (CSW) is a US Department of Homeland Security–sponsored CVE Numbering Authority whose exploit research led to the discovery of 54+ zero days in popular products, such as Oracle, D-Link, WSO2, Thembay, and Zoho. For more information, visit www.cybersecurityworks.com and follow us on LinkedIn and Twitter.

About Ivanti

Ivanti makes the Everywhere Workplace possible. In the Everywhere Workplace, employees use myriad devices to access IT applications and data over various networks to stay productive as they work from anywhere. The Ivanti Neurons automation platform connects the company’s industry-leading unified endpoint management, cybersecurity, and enterprise service management solutions, providing a unified IT platform that enables devices to self-heal and self-secure and empowers users to self-service. Ivanti manages over 200 million devices for 40,000+ customers, including 96 of the Fortune 100. Customers have chosen Ivanti to discover, manage, secure, and service their IT assets from cloud to edge and deliver excellent end-user experiences for employees, wherever and however they work.

For more information, visit www.ivanti.com and follow us on LinkedIn and Twitter.

About Cyware

Cyware helps enterprise cybersecurity teams build platform-agnostic virtual cyber fusion centers. Cyware is transforming security operations by delivering the cybersecurity industry's only Virtual Cyber Fusion Center Platform with next-generation Security Orchestration, Automation, and Response (SOAR) technology. As a result, organizations can increase speed and accuracy while reducing costs and analysts’ burnout. For more information, visit www.cyware.com and follow us on LinkedIn and Twitter.

About Securin

Securin helps customers gain resilience against evolving threats. Powered by accurate vulnerability intelligence, human expertise, and automation, Securin’s products and services have enabled organizations to make critical security decisions in managing their attack surface.

For more information, visit www.securin.io.


1As of Dec. 15, 2022

Press Contacts

Carrie Laudie
Ivanti
Associate Director, Public Relations
+1 650-963-6011
[email protected]