Ransomware attackers are probing known common vulnerabilities and exposures (CVEs) for weaknesses and quickly capitalizing on them, launching attacks faster than vendor teams can patch them. Unfortunately, ransomware attackers are also making attacks more complex, costly, and challenging to identify and stop, acting on potential targets’ weaknesses faster than enterprises can react.
Two recent research studies — Ivanti’s latest ransomware report, conducted with Cyber Security Works and Cyware, and a second study by Forrester Consulting on behalf of Cyware — show there’s a widening gap between how quickly enterprises can identify a ransomware threat versus the quickness of a cyberattack. Both studies provide a stark assessment of how far behind enterprises are on identifying and stopping ransomware attacks.
Ransomware attackers are expanding their attack arsenal at an increasing rate, adopting new technologies quickly. The Ransomware Index Update Q3 2021 identified ransomware groups expanding their attack arsenal with 12 new vulnerability associations in Q3, twice the previous quarter. Newer, more sophisticated attack techniques, including Trojan-as-a-service and dropper-as-a-service (DaaS), are being adopted. Additionally, over the past year, more ransomware code has been leaked online as more advanced cybercriminals look to recruit less advanced gangs as part of their ransomware networks.
Ransomware continues to be among the fastest-growing cyberattack strategies of 2021. The number of known vulnerabilities associated with ransomware has increased from 266 to 278 in Q3 of 2021 alone. There’s also been a 4.5% increase in trending vulnerabilities actively exploited to launch attacks, taking the total count to 140. Furthermore, Ivanti’s Index Update discovered five new ransomware families in Q3, contributing to the total number of ransomware families globally reaching 151.
Ransomware groups are mining known CVEs to find and capitalize on zero-day vulnerabilities before the CVEs are added to the National Vulnerability Database (NVD) and patches are released: 258 CVEs created before 2021 are now affiliated with ransomware based on recent attack patterns. The high number of legacy CVEs further illustrates how aggressive ransomware attackers are at capitalizing on past CVE weaknesses. That’s 92.4% of all vulnerabilities tracked being tied to ransomware today.
Threat intelligence is hard to find
Seventy-one percent of security leaders say their teams need access to threat intelligence, security operations data, incident response, and vulnerability data, according to Forrester’s Opportunity Snapshot study, commissioned by Cyware. However, 65% are finding it a challenge today to provide security teams with cohesive data access. Sixty-four percent can’t share threat intelligence data cross-functionally today, limiting the amount of security operations center (SOC), incident response, and threat intelligence shared across departments. The following graphic illustrates how far behind enterprises are in providing real-time threat intelligence data. The knowledge gap between enterprises and ransomware attackers is growing, accelerated by how quickly attackers capitalize on known CVE weaknesses.
Image Credit: Cyware and Forrester
Enterprises’ lack of access to real-time threat intelligence data leads ransomware attackers to fast-track more complex, challenging attacks while demanding higher ransoms. The U.S. Treasury’s Financial Crimes Enforcement Network, or FinCEN, released a report in June 2021 that found suspicious activity reported in ransomware-related suspicious activity reports (SARs) during the first six months of 2021 reached $590 million, exceeding the $416 million reported for all of 2020. FinCEN also found that $5.2 billion in Bitcoin has been paid to the 10 leading ransomware gangs over the past three years. The average ransom is now $45 million, with Bitcoin being the preferred payment currency.
Attacking the weak spots in CVEs
The Q3 2021 Ransomware Index Spotlight Report illustrates how ransomware attackers study long-standing CVEs to find legacy system gaps in security to exploit, often undetected by underprotected enterprises. An example is how HelloKitty ransomware uses CVE-2019-7481, a CVE with a Common Vulnerability Scoring System (CVSS) score of 7.5. In addition, the Index notes the Cring ransomware family has added two vulnerabilities (CVE-2009-3960 and CVE-2010-2861) that have been in existence for over a decade. Patches are available, yet enterprises remain vulnerable to ransomware attacks because they haven’t patched legacy applications and operating systems yet.
For example, a successful ransomware attack took place on a ColdFusion server recently running an outdated version of Microsoft Windows. The following compares the timelines of two CVEs, illustrating how Cring ransomware attacked each over a decade since each was initially reported:
Image Credit: Ivanti
As of Q3, 2021, there are 278 CVEs or vulnerabilities associated with ransomware, quantifying the threat’s rapid growth. Additionally, 12 vulnerabilities are now associated with seven ransomware strains. One of the new vulnerabilities identified this quarter follows Q2’s zero-day exploit defined in CVE-2021-30116, a zero-day vulnerability in Kaseya Unitrends Service exploited in the massive supply-chain attack on July 3 this year by the REvil group.
On July 7, 2021, Kaseya acknowledged the attack, and the vulnerability was added to the NVD on July 9. A patch for the same was released on July 11. Unfortunately, the vulnerability was exploited by REvil ransomware even as the security team at Kaseya was preparing to release a patch for their systems (after learning about the vulnerability back in April 2021). The following table provides insights into the 12 newly associated vulnerabilities by CVE ranked by CVSS Score. Enterprises who know they have vulnerabilities related to these CVEs need to accelerate their efforts in vulnerability data, threat intelligence, incident response, and security operations data.
Image Credit: Ivanti
The balance of power is shifting to ransomware attackers due to their quicker adoption of new technologies into their arsenals and launch attacks. As a result, enterprises need a greater sense of urgency to standardize on threat intelligence, patch management, and most of all, zero-trust security if they’re going to stand a chance of shutting down ransomware attacks.
The Kaseya attack by REvil validates the continuing trend of ransomware groups exploiting zero-day vulnerabilities even before the National Vulnerability Database (NVD) publishes them. The attack also highlights the need for an agile patching cadence that addresses vulnerabilities as soon as they are identified, rather than waiting for an inventory-driven and often slow rollout of patch management across inventories of devices.