How weaponized ransomware is quickly becoming more lethal




Ransomware attackers continue to weaponize vulnerabilities faster than ever, setting a relentless pace. A recent survey published by Sophos found that 66% of organizations globally were the victims of a ransomware attack last year, a 78% increase from the year before. Ivanti's Ransomware Index Report Q1 2022, released today, helps to explain why ransomware is becoming more lethal.

Ivanti's latest index found a 7.6% jump in the number of vulnerabilities associated with ransomware in Q1 2022 compared to the end of 2021. The report uncovered 22 new vulnerabilities tied to ransomware (bringing the total to 310), 19 of them connected to Conti, one of the most prolific ransomware groups of 2022. Conti has pledged support for the Russian government following the invasion of Ukraine. Around the world, vulnerabilities tied to ransomware have skyrocketed in two years from 57 to 310, according to Ivanti's report.

Ransomware designer’s goal: Make payloads more lethal and undetectable  

Infiltrating a network quickly and without being detected is the primary design goal of ransomware creators. Ivanti's latest report shows how ransomware groups get there: they concentrate on evading detection while capitalizing on data gaps and on long-standing, still-unpatched legacy CVEs.

“Threat actors are increasingly targeting flaws in cyber hygiene, including legacy vulnerability management processes,” Srinivas Mukkamala, senior VP and general manager of security products at Ivanti, told VentureBeat. “Today, many security and IT teams struggle to identify the real-world risks that vulnerabilities pose and therefore improperly prioritize vulnerabilities for remediation. For example, many only patch new vulnerabilities or those that have been disclosed in the NVD. Others only use the Common Vulnerability Scoring System (CVSS) to score and prioritize vulnerabilities.”

Making ransomware payloads more lethal and harder to detect is a reliable revenue source for cybercriminal gangs and advanced persistent threat (APT) groups. Ransomware payments reached $692 million in 2020, nearly double what Chainalysis initially identified by tracking publicly available data.

Smash-and-grab ransomware attacks are becoming the norm. APT, cybercriminal and ransomware groups take a faster, multifaceted approach to their attacks in order to evade detection. In Q1 of this year, attacks on older vulnerabilities associated with ransomware grew the fastest, at 17.9%. Attackers used CVE-2015-2546, a seven-year-old medium-severity vulnerability, in ransomware attacks in Q1, and two other vulnerabilities from 2016 and 2017 were also used in ransomware attacks during the quarter.

The Ivanti report also found 11 vulnerabilities tied to ransomware that popular vulnerability scanners fail to detect. Skilled ransomware creators do regression testing and the equivalent of software quality assurance on their bots, payloads and executables before releasing them into the wild, and testing payloads against scanners is common in the largest APT and ransomware groups.

Also during Q1 of this year, three new APT groups began deploying ransomware: Exotic Lily, APT 35 and DEV-0401. Four new ransomware families (AvosLocker, Karma, BlackCat and Night Sky) also appeared in attacks.

Defeating ransomware with better data

Ransomware creators are now so fast that they can build new bots to deliver payloads, including executables, faster than a vulnerability can be patched. What is needed is a data-driven approach to patch management that uses the predictive accuracy of machine learning to identify when endpoints, devices and assets need a specific patch immediately to stay protected.

The future of ransomware detection and security is data-driven patch management that prioritizes and quantifies adversarial risk based on threat intelligence, in-the-wild exploit trends and security analyst validation. Microsoft's acquisition of RiskIQ, Ivanti's acquisition of RiskSense (and with it RiskSense's Vulnerability Intelligence and Vulnerability Risk Rating) and Broadcom's acquisition of Symantec are driven in part by organizations' need for a more data-driven approach to protecting their networks against ransomware.
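The two prioritization failures Mukkamala describes above (patching only what is new or in the NVD, or ranking purely by CVSS) and the data-driven alternative this section argues for can be shown side by side. The script below is an added example written for this article; it is not Ivanti's, RiskSense's or any vendor's code, and its scoring weights are assumptions chosen for illustration, not a published risk-rating formula. The inventory is constructed: only CVE-2015-2546 comes from the article, and its score and date are illustrative; the other entries are fictitious placeholders named for what they represent.

```python
"""Patch prioritization: CVSS-only ordering versus a risk-based ordering that
also weighs exploitation evidence, ransomware association, scanner blind
spots and exposure.  Added example; weights are assumptions, not a vendor's."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Vuln:
    cve: str
    cvss: float               # CVSS base score, 0-10
    published: date           # disclosure date
    ransomware_linked: bool   # threat intel ties it to a ransomware family/group
    exploited_in_wild: bool   # exploitation observed (vendor advisory, KEV-style list)
    scanner_detects: bool     # does the organization's scanner flag it?
    exposed_assets: int       # reachable assets carrying the vulnerability


# Hypothetical weights (assumptions): a "CVSS plus evidence" additive score.
W_RANSOMWARE = 4.0   # tied to a ransomware campaign
W_EXPLOITED = 3.0    # exploited in the wild at all
W_STALE = 1.0        # exploited AND older than two years: a hygiene gap
W_BLINDSPOT = 1.0    # scanner cannot see it, so nobody is reporting it
ASSET_CAP = 50       # blast-radius contribution saturates at this many assets


def cvss_only_rank(vulns):
    """The 'CVSS only' process criticized in the article: highest base score first."""
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def risk_score(v, today):
    """Additive risk score; only the CVSS term is standard, the rest are assumptions."""
    score = v.cvss
    if v.ransomware_linked:
        score += W_RANSOMWARE
    if v.exploited_in_wild:
        score += W_EXPLOITED
        age_years = (today - v.published).days / 365.25
        if age_years >= 2:
            score += W_STALE          # old, exploited and still present
    if not v.scanner_detects:
        score += W_BLINDSPOT
    score += min(v.exposed_assets, ASSET_CAP) / 10   # 0 .. 5 points of blast radius
    return round(score, 2)


def risk_based_rank(vulns, today):
    """Data-driven ordering: exploitation evidence and exposure outrank raw CVSS."""
    return [v.cve for v in sorted(vulns, key=lambda v: risk_score(v, today), reverse=True)]


def scanner_blind_spots(vulns):
    """Ransomware-linked vulnerabilities the scanner would never report."""
    return [v.cve for v in vulns if v.ransomware_linked and not v.scanner_detects]


TODAY = date(2022, 4, 1)   # assumed "now" for age calculations (end of Q1 2022)


def sample_inventory():
    """Constructed inventory. CVE-2015-2546 is the article's example (score and
    date illustrative); the other IDs are fictitious placeholders."""
    return [
        Vuln("CVE-2015-2546", 6.9, date(2015, 9, 8), True, True, True, 40),
        Vuln("placeholder-new-critical-no-exploit", 9.8, date(2022, 3, 15), False, False, True, 5),
        Vuln("placeholder-new-high-nvd-only", 7.5, date(2022, 2, 10), False, False, True, 200),
        Vuln("placeholder-legacy-scanner-blindspot", 5.5, date(2017, 6, 1), True, True, False, 15),
    ]


if __name__ == "__main__":
    inv = sample_inventory()
    print("CVSS-only order: ", cvss_only_rank(inv))
    print("Risk-based order:", risk_based_rank(inv, TODAY))
    print("Scanner blind spots:", scanner_blind_spots(inv))
```

On the constructed inventory the CVSS-only queue puts the fresh 9.8 at the top and the seven-year-old medium-severity CVE third; the risk-based queue inverts that, putting the ransomware-weaponized legacy CVEs first and the unexploited new critical last. The blind-spot list is the operational point of the "11 vulnerabilities scanners miss" finding: anything in it has to come from threat intelligence, not from the scanner's own report.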
