Ransomware Attacks Are Getting More Complex And Even Harder To Prevent

Ransomware attackers search for and exploit known common vulnerabilities and exposures (CVEs) quickly, launching attacks faster than vendor teams can patch them. Unfortunately, ransomware attackers are also making attacks more complex, costly, and difficult to identify and stop, acting on the weaknesses of potential targets faster than businesses can respond.

Two recent research studies, Ivanti's latest ransomware report, conducted with Cyber Security Works and Cyware, and a second study conducted by Forrester Consulting on behalf of Cyware, show that there is a growing gap between how quickly businesses can identify a ransomware threat and how quickly a cyberattack can be launched. Both studies provide a stark assessment of how late companies are in identifying and stopping ransomware attacks.

Ransomware attackers are expanding their arsenal of attacks at an increasing rate and rapidly adopting new technologies. The Q3 2021 Ransomware Index Update identified ransomware groups expanding their attack arsenal with 12 new vulnerability associations in Q3, twice the previous quarter. Newer and more sophisticated attack techniques, including Trojan-as-a-service and dropper-as-a-service (DaaS), are being adopted. Additionally, over the past year, more ransomware source code has been leaked online as more advanced cybercriminals seek to recruit less advanced gangs into their ransomware networks.

Ransomware continues to be one of the fastest-growing cyber-attack strategies in 2021

Ransomware continues to be one of the fastest-growing cyber-attack strategies in 2021. The number of known vulnerabilities associated with ransomware grew from 266 to 278 in the third quarter of 2021 alone. There was also a 4.5% increase in trending vulnerabilities actively exploited to launch attacks, bringing the total to 140. Additionally, Ivanti's index update uncovered five new ransomware families in the third quarter, bringing the total number of ransomware families worldwide to 151.

Ransomware groups are mining known CVEs to find and capitalize on zero-day vulnerabilities before the CVEs are added to the National Vulnerability Database (NVD) and patches are released: 258 CVEs created before 2021 are now affiliated with ransomware based on recent attack patterns. The high number of legacy CVEs further illustrates how aggressive ransomware attackers are at capitalizing on past CVE weaknesses. That is 92.4% of all tracked vulnerabilities tied to ransomware today.

Threat intelligence is hard to find

According to the Forrester Opportunity Snapshot study, commissioned by Cyware, 71% of security managers say their teams need access to threat intelligence, security operations data, incident response data, and vulnerability data. However, 65% today find it difficult to provide security teams with consistent access to that data. Sixty-four percent cannot share threat intelligence data cross-functionally today, limiting how much Security Operations Center (SOC), incident response, and threat intelligence data is shared between departments. A graph in the study illustrates how far behind organizations are in providing real-time threat intelligence data. The knowledge gap between companies and ransomware attackers is widening, accelerated by the speed with which attackers capitalize on known CVE weaknesses.

Since companies do not have access to real-time threat intelligence data, ransomware attackers appear to be demanding larger ransoms and accelerating more complex and difficult attacks. The US Treasury's Financial Crimes Enforcement Network (FinCEN) released a report in June 2021 which found that ransomware-related suspicious activity reports (SARs) filed in the first six months of 2021 reached $590 million, more than the $416 million reported for all of 2020. FinCEN also found that $5.2 billion in bitcoin has been paid to the top 10 ransomware gangs in the last three years. The average ransom is now $45 million, with Bitcoin the preferred payment currency.

Attacking the weak spots in CVEs

The Q3 2021 Ransomware Index Spotlight report illustrates how ransomware attackers study long-standing CVEs to find existing security gaps to exploit, often undetected by under-protected companies. An example is how HelloKitty ransomware uses CVE-2019-7481, a CVE with a Common Vulnerability Scoring System (CVSS) score of 7.5. Additionally, the Index notes that the Cring ransomware family has added two vulnerabilities (CVE-2009-3960 and CVE-2010-2861) that have been around for over a decade. Patches are available, but businesses remain vulnerable to ransomware attacks because they have yet to patch legacy applications and operating systems.

For example, a recent successful ransomware attack targeted a ColdFusion server running an outdated version of Microsoft Windows. The report compares the timelines of the two CVEs, illustrating how the Cring ransomware has attacked each more than a decade after it was first reported:

In the third quarter of 2021, there were 278 CVEs or ransomware-related vulnerabilities, which leads to a rapid increase in risk. In addition, 12 vulnerabilities now belong to seven types of ransomware. One of the new vulnerabilities identified this quarter is defined in CVE-2021-30116, which follows the zero-day exploitation seen in the second quarter. A zero-day vulnerability in the Kaseya Unitrends service was exploited in a large supply-chain attack that the REvil group delivered on July 3 this year.

On July 7, 2021, Kaseya acknowledged the attack

On July 7, 2021, Kaseya acknowledged the attack, and the vulnerability was added to the NVD on July 9. A fix was released on July 11. Unfortunately, the vulnerability was exploited by REvil ransomware even though Kaseya's security team was preparing to release a patch for their system (after learning about the vulnerability in April 2021). A table in the report provides an overview of the 12 new ransomware-associated CVEs ranked by CVSS score. Organizations that know they have vulnerabilities related to these CVEs need to speed up their efforts with vulnerability data, threat intelligence, incident response and security operations data.
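The point of the Kaseya timeline and the legacy Cring CVEs is the same: ranking patches by CVSS score alone leaves a decade-old 7.5 that ransomware actually uses behind a 9.8 that nobody is exploiting. The following Python example is added here; it is not code from the article, Ivanti, Cyware or the report. It takes a constructed asset inventory and a constructed ransomware-association feed, computes the exposure windows from the Kaseya dates given above, and ranks findings so that CVEs tied to ransomware jump the queue regardless of score. The only CVSS value taken from the page is 7.5 for CVE-2019-7481; the other scores, the host names, the `exploited_in_wild` flag and the placeholder `CVE-2021-99999` are assumptions made for the example.

```python
"""Rank vulnerability findings against a ransomware-association feed.

Added example, not part of the report or the article. Inventory, feed
contents and the placeholder CVE are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    cvss: float                  # base score (only 7.5 for CVE-2019-7481 is from the page)
    ransomware_families: tuple   # families reported to use it, () if none
    exploited_in_wild: bool      # assumed feed field
    patch_available: bool


# Kaseya timeline as stated on the page: exploited July 3, acknowledged
# July 7, added to the NVD July 9, fix released July 11, 2021.
KASEYA_TIMELINE = {
    "exploited": date(2021, 7, 3),
    "acknowledged": date(2021, 7, 7),
    "nvd_entry": date(2021, 7, 9),
    "patch": date(2021, 7, 11),
}


def exposure_windows(timeline: dict) -> dict:
    """Days from first exploitation to each later milestone."""
    start = timeline["exploited"]
    return {
        "exploit_to_ack": (timeline["acknowledged"] - start).days,
        "exploit_to_nvd": (timeline["nvd_entry"] - start).days,
        "exploit_to_patch": (timeline["patch"] - start).days,
    }


# Constructed feed. Family associations are the ones named on the page;
# CVSS values other than 7.5 for CVE-2019-7481 are constructed.
FEED = {
    "CVE-2019-7481": CveRecord("CVE-2019-7481", 7.5, ("HelloKitty",), True, True),
    "CVE-2009-3960": CveRecord("CVE-2009-3960", 4.3, ("Cring",), True, True),
    "CVE-2010-2861": CveRecord("CVE-2010-2861", 7.5, ("Cring",), True, True),
    "CVE-2021-30116": CveRecord("CVE-2021-30116", 9.8, ("REvil",), True, True),
    # Placeholder: a high-severity CVE with no known exploitation at all.
    "CVE-2021-99999": CveRecord("CVE-2021-99999", 9.8, (), False, True),
}

# Constructed inventory: host -> CVEs reported by the scanner.
INVENTORY = {
    "coldfusion-01": ["CVE-2010-2861", "CVE-2009-3960"],
    "vsa-server": ["CVE-2021-30116"],
    "fileserver-02": ["CVE-2021-99999", "CVE-2019-7481"],
}


def priority(record: CveRecord) -> tuple:
    """Sort key: ransomware-tied first, then exploited in the wild, then CVSS."""
    return (
        0 if record.ransomware_families else 1,
        0 if record.exploited_in_wild else 1,
        -record.cvss,
        record.cve_id,
    )


def describe(record: CveRecord) -> str:
    families = ", ".join(record.ransomware_families) or "none"
    patch = "patch available" if record.patch_available else "no patch"
    return f"cvss={record.cvss} ransomware={families} {patch}"


def rank_findings(inventory: dict, feed: dict) -> list:
    """Return [(host, cve_id, reason)] with the most urgent finding first."""
    findings = []
    for host, cves in inventory.items():
        for cve_id in cves:
            # A CVE missing from the feed is unknown, not safe: keep it, lowest tier.
            rec = feed.get(cve_id, CveRecord(cve_id, 0.0, (), False, False))
            findings.append((host, rec))
    findings.sort(key=lambda pair: priority(pair[1]))
    return [(host, rec.cve_id, describe(rec)) for host, rec in findings]


if __name__ == "__main__":
    for name, days in exposure_windows(KASEYA_TIMELINE).items():
        print(f"{name}: {days} days")
    for host, cve_id, reason in rank_findings(INVENTORY, FEED):
        print(f"{host:15} {cve_id:15} {reason}")
```

With the constructed data, the 4.3 Cring CVE on the ColdFusion host ranks above the 9.8 placeholder that no ransomware family uses, and the Kaseya numbers show an eight-day window between first exploitation and the vendor fix, six of them before the NVD entry existed. In practice the feed would be loaded from a vendor's ransomware index rather than a dict, and `exploited_in_wild` would come from that source.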

Conclusion

Ransomware attackers are rapidly adopting new technology into their arsenals, and the speed at which they launch attacks is changing the balance of power. As a result, enterprises need a greater sense of urgency to standardize on threat intelligence, patch management, and most of all, zero-trust security if they are going to stand a chance of shutting down ransomware attacks.

REvil's Kaseya attack, launched before the vulnerability was published by the National Vulnerability Database (NVD), validates the persistent tendency of ransomware groups to exploit zero-day vulnerabilities. This attack also underscores the need for an agile patch cadence that addresses vulnerabilities as soon as they are identified, instead of waiting for the often slow deployment of patches across the device inventory.