Ransomware Attacks Are Getting More Complex And Even Harder To Prevent

Ransomware attackers search for and exploit known common vulnerabilities and exposures (CVEs) quickly, launching attacks faster than vendor teams can fix. Unfortunately, ransomware attackers also make attacks more complex, costly, and difficult to identify and stop, acting on the weaknesses of potential targets faster than businesses can respond.

Two recent research studies – Ivanti’s latest ransomware report, conducted with Cyber Security Works and Cyware, and a second study conducted by Forrester Consulting on behalf of Cyware – show that there is a growing gap between how quickly businesses can identify a ransomware threat and how quickly a cyberattack can be launched. Both studies provide a stark assessment of how late companies are in identifying and stopping ransomware attacks.

Ransomware attackers are expanding their arsenal of attacks at an increasing rate, rapidly adopting new technologies. The Q3 2021 Ransomware Index Update identified ransomware groups expanding their attack arsenal with 12 new vulnerability associations in Q3, twice the previous quarter’s count. Newer and more sophisticated attack techniques, including Trojan-as-a-service and dropper-as-a-service (DaaS), are being adopted. Additionally, over the past year, more ransomware code has been leaked online as more advanced cybercriminals seek to recruit less advanced gangs into their ransomware networks.

Ransomware continues to be one of the fastest-growing cyber-attack strategies in 2021. The number of known vulnerabilities associated with ransomware rose from 266 to 278 in the third quarter of 2021 alone. There was also a 4.5% increase in trending vulnerabilities actively exploited to launch attacks, bringing the total to 140. Additionally, Ivanti’s index update uncovered five new ransomware families in the third quarter, bringing the total number of ransomware families to 151 worldwide.

Ransomware groups are mining known CVEs to find and capitalize on vulnerabilities as zero-days, before the CVEs are added to the National Vulnerability Database (NVD) and patches are released: 258 CVEs created before 2021 are now affiliated with ransomware based on recent attack patterns. The high number of legacy CVEs further illustrates how aggressively ransomware attackers capitalize on past CVE weaknesses. That is 92.4% of all the vulnerabilities tracked as tied to ransomware today.

Threat intelligence is hard to find

According to the Forrester Opportunity Snapshot study, commissioned by Cyware, 71% of security managers say their teams need access to threat intelligence, security operations data, incident response data, and vulnerability data. However, 65% today find it difficult to provide security teams with consistent access to that data. Sixty-four percent cannot share threat intelligence data cross-functionally today, limiting how much Security Operations Center (SOC), incident response, and threat intelligence information is shared between departments. The following graph illustrates the backlog organizations face in providing real-time threat intelligence data. The knowledge gap between companies and ransomware attackers is widening, accelerated by the speed with which attackers capitalize on known CVE weaknesses.

Companies’ lack of access to real-time threat intelligence data lets ransomware attackers accelerate more complex and difficult attacks while demanding higher ransoms. The U.S. Treasury’s Financial Crimes Enforcement Network, or FinCEN, released a report in June 2021 which found that suspicious activity reported in ransomware-related Suspicious Activity Reports (SARs) in the first six months of 2021 reached $590 million, exceeding the reported $416 million for all of 2020. FinCEN also found that $5.2 billion in Bitcoin has been paid to the top 10 ransomware gangs over the past three years. The average ransom is now $45 million, with Bitcoin being the preferred payment currency.

Attacking the weak spots in CVEs

The Q3 2021 Ransomware Index Spotlight report illustrates how ransomware attackers study long-standing CVEs to find existing system security gaps to exploit, often undetected by under-protected companies. An example is how HelloKitty ransomware uses CVE-2019-7481, a CVE with a Common Vulnerability Scoring System (CVSS) score of 7.5. Additionally, the Index notes that the Cring ransomware family has added two vulnerabilities (CVE-2009-3960 and CVE-2010-2861) that have been around for over a decade. Patches are available, but businesses remain vulnerable to ransomware attacks because they have yet to patch legacy applications and operating systems.

For example, a successful ransomware attack recently took place on a ColdFusion server running an outdated version of Microsoft Windows. The following compares the timelines of two CVEs, illustrating how the Cring ransomware has attacked each more than a decade after it was first reported:

In the third quarter of 2021, there were 278 CVEs or vulnerabilities associated with ransomware, quantifying the rapid growth of the threat. In addition, 12 new vulnerabilities are now associated with seven strains of ransomware. One of the new vulnerabilities identified this quarter follows the second-quarter zero-day exploit defined in CVE-2021-30116, a zero-day vulnerability in Kaseya Unitrends Service exploited in the massive supply chain attack on July 3 of this year by the REvil group.

On July 7, 2021, Kaseya acknowledged the attack, and the vulnerability was added to the NVD on July 9. A fix for it was released on July 11. Unfortunately, the vulnerability was exploited by the REvil ransomware even as Kaseya’s security team was preparing to release a patch for their systems (after learning about the vulnerability in April 2021). The following table provides an overview of the 12 new CVEs associated with ransomware, ranked by CVSS score. Organizations that know they have vulnerabilities related to these CVEs need to accelerate their efforts with vulnerability data, threat intelligence, incident response, and security operations data.
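To make the point about fusing vulnerability data with threat intelligence concrete, here is an added example (not from the article or from Ivanti, Cyware or Kaseya) that ranks a patch backlog by ransomware association, CVSS and age rather than by CVSS alone, and flags cases where exploitation preceded the NVD entry, as with CVE-2021-30116. The inventory is constructed; the CVE ids, the 7.5 score for CVE-2019-7481 and the July 3 / July 9 dates come from the article, while the other scores, dates and patched flags are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

@dataclass
class Finding:
    cve: str
    cvss: float
    published: date                 # date the CVE entered the NVD
    ransomware: Optional[str]       # family tied to it by threat intel, if any
    patched: bool
    first_exploited: Optional[date] = None

def priority(f: Finding, today: date) -> float:
    """Higher is more urgent. A ransomware association outweighs raw CVSS,
    and each unpatched year (capped at five) adds urgency, because the
    article shows decade-old CVEs are still being mined."""
    if f.patched:
        return 0.0
    age_years = (today - f.published).days / 365.25
    return round(f.cvss + (10.0 if f.ransomware else 0.0) + min(age_years, 5.0), 2)

def exploit_lead_days(f: Finding) -> Optional[int]:
    """Days from NVD publication to first known exploitation.
    Negative means the flaw was used as a zero-day before the NVD entry existed."""
    if f.first_exploited is None:
        return None
    return (f.first_exploited - f.published).days

def patch_order(findings: List[Finding], today: date) -> List[str]:
    """Unpatched CVE ids, most urgent first."""
    ranked = sorted(findings, key=lambda f: priority(f, today), reverse=True)
    return [f.cve for f in ranked if not f.patched]

# Constructed backlog. NVD dates for the three legacy CVEs are approximate
# assumptions; CVE-XXXX-PLACEHOLDER stands in for a high-CVSS flaw with no
# ransomware link, to show that intel, not CVSS alone, drives the order.
BACKLOG = [
    Finding("CVE-2009-3960", 4.3, date(2010, 2, 15), "Cring", False),
    Finding("CVE-2010-2861", 7.5, date(2010, 8, 11), "Cring", False),
    Finding("CVE-2019-7481", 7.5, date(2019, 12, 18), "HelloKitty", False),
    Finding("CVE-2021-30116", 9.8, date(2021, 7, 9), "REvil", True, date(2021, 7, 3)),
    Finding("CVE-XXXX-PLACEHOLDER", 9.1, date(2021, 9, 1), None, False),
]

if __name__ == "__main__":
    today = date(2021, 10, 1)
    print(patch_order(BACKLOG, today))
    for f in BACKLOG:
        print(f.cve, priority(f, today), exploit_lead_days(f))
```

The placeholder flaw scores 9.1 on CVSS but lands last, while the decade-old Cring CVEs move to the top; the Kaseya entry reports a lead of -6 days, the signature of a zero-day exploited before its NVD entry.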

The balance of power is shifting to ransomware attackers due to their quicker adoption of new technologies into their arsenals and faster launching of attacks. As a result, enterprises need a greater sense of urgency to standardize on threat intelligence, patch management, and most of all, zero-trust security if they’re going to stand a chance of shutting down ransomware attacks.

REvil’s Kaseya attack validates the persistent tendency of ransomware groups to exploit zero-day vulnerabilities even before the National Vulnerability Database (NVD) publishes them. The attack also highlights the need for an agile patch cadence that resolves vulnerabilities as soon as they are identified, rather than waiting for an often slow rollout of patch management across device inventories.