One report notes a 7.5% increase in APT groups associated with ransomware, plus “cluttered threat intelligence” contributing to vulnerabilities.
In a Q1 2022 ransomware report based on data gathered from a variety of unspecified sources, including proprietary data, publicly available threat databases, threat researchers and penetration testing teams, a 7.6% increase in the number of vulnerabilities tied to ransomware was observed, with the pro-Russia Conti ransomware group exploiting 19 of the 22 new vulnerabilities.
The report also showed a 7.5% increase in APT groups associated with ransomware; a 6.8% increase in actively exploited and trending vulnerabilities; and a 2.5% increase in ransomware families.
Analyses of the data revealed that three new APT groups (Exotic Lily, APT 35, DEV-0401) had started using ransomware to attack their targets; 10 new active and trending vulnerabilities became associated with ransomware (bringing the total to 157) and four new ransomware families (AvosLocker, Karma, BlackCat, Night Sky) had become active in Q1 2022.
Other findings
The report also revealed that ransomware operators had continued to weaponize vulnerabilities in Q1 faster than ever, to create maximum disruption and impact, resulting in vulnerabilities being exploited within eight days of patches being released by vendors. This means that any minor laxity in security measures by third party vendors and organizations were sufficient for ransomware groups to enter and infiltrate vulnerable networks in Q1. Also:
- 3.5% or more of ransomware vulnerabilities were being missed in the period of study, exposing organizations to cyber risks. There were 11 ransomware vulnerabilities that scanners were not detecting, five of which had been deemed “critical and associated with notorious ransomware gangs” such as Ryuk, Petya and Locky.
- The 56 vendors in the study that supplied healthcare applications, medical devices and hardware used in hospitals and healthcare centers had 624 unique vulnerabilities in their products. Forty of those vulnerabilities had public exploits, and two (CVE-2020-0601 and CVE-2021-34527) were associated with four ransomware operators (BigBossHorse, Cerber, Conti and Vice Society). This could indicate that the healthcare industry may be targeted more aggressively by threat groups in the coming months.
- Gaps existed within the National Vulnerability Database (NVD), the Common Attack Pattern Enumeration and Classification (CAPEC) list and the Known Exploited Vulnerabilities (KEVs) catalog.
- NVD was missing Common Weakness Enumerations (CWEs) for 61 vulnerabilities. Also, on average, a ransomware vulnerability was added to the NVD a week after being disclosed by a vendor.
- The CAPEC list was missing CWEs for 87 vulnerabilities.
- 169 vulnerabilities with ransomware associations had not yet been added to the CISA KEV list. Hackers worldwide were actively targeting 100 of these vulnerabilities, scouting organizations for one unpatched instance to exploit.
- Threat actors were increasingly targeting flaws in cyber hygiene, including legacy vulnerability management processes in Q1 2022. Many security and IT teams in the data were struggling to identify the real-world risks that vulnerabilities posed and ended up improperly prioritizing vulnerabilities for remediation.
- One of the major concerns in the report was the “lack of complete threat visibility for security teams owing to cluttered threat intelligence available across sources.” The report suggests that security teams tie their patch and vulnerability response to a “centralized threat intelligence management workflow that drives complete visibility into the shape-shifting ransomware attack vectors through multi-source intelligence ingestion, correlation and security actioning.”
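The prioritization gap described in the last two points (teams ranking by scanner severity alone, and ransomware-linked CVEs missing from the KEV catalog) can be made concrete with a small correlation workflow. The following is an added example, not code from the report, Ivanti, Cyber Security Works or Cyware; the scanner findings and the three intelligence feeds are constructed sample data, the CVE-2099-* identifiers are placeholders, and the score weights are an assumption chosen for illustration.

```python
"""Multi-source vulnerability prioritization (added illustration).

Correlates scanner findings against three constructed feeds: a KEV-style
catalog, a ransomware-association feed and a trending-exploitation feed,
then ranks findings so that a medium-CVSS ransomware-linked bug outranks a
critical-CVSS bug with no known exploitation.  All data below is sample
data built for this example, not the report's data or any vendor's API.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str
    host: str
    cvss: float  # base score as reported by the scanner, 0-10


# Constructed KEV-style catalog: CVE ids confirmed exploited in the wild.
KEV_CATALOG = {"CVE-2020-0601", "CVE-2021-34527"}

# Constructed ransomware-association feed: CVE -> operators/families using it.
# CVE-2099-0001 is a placeholder id standing in for a ransomware-linked CVE
# that has not yet reached the KEV catalog (the gap the report describes).
RANSOMWARE_ASSOC = {
    "CVE-2020-0601": ["Cerber", "Conti"],
    "CVE-2021-34527": ["Vice Society"],
    "CVE-2099-0001": ["SampleLocker"],
}

# Constructed feed of vulnerabilities seen actively exploited / trending.
TRENDING = {"CVE-2099-0001", "CVE-2099-0002"}

# Assumed weights: ransomware association > KEV listing > trending > CVSS.
W_RANSOMWARE, W_KEV, W_TRENDING = 40.0, 20.0, 10.0


def risk_score(finding, kev=KEV_CATALOG, ransomware=RANSOMWARE_ASSOC,
               trending=TRENDING):
    """Return (score, reasons) for one finding.

    CVSS is only the baseline; each intelligence source that confirms
    real-world weaponization adds a fixed bonus, so evidence of active
    exploitation dominates theoretical severity.
    """
    score = finding.cvss
    reasons = []
    if finding.cve in ransomware:
        score += W_RANSOMWARE
        reasons.append("ransomware:" + ",".join(ransomware[finding.cve]))
    if finding.cve in kev:
        score += W_KEV
        reasons.append("kev")
    if finding.cve in trending:
        score += W_TRENDING
        reasons.append("trending")
    return score, reasons


def prioritize(findings, **feeds):
    """Rank findings by risk score, highest first.

    Returns a list of (cve, host, score, reasons) tuples.
    """
    scored = [(f, *risk_score(f, **feeds)) for f in findings]
    scored.sort(key=lambda t: t[1], reverse=True)
    return [(f.cve, f.host, score, reasons) for f, score, reasons in scored]


def kev_gaps(ransomware=RANSOMWARE_ASSOC, kev=KEV_CATALOG):
    """CVEs tied to ransomware that are absent from the KEV catalog."""
    return sorted(set(ransomware) - set(kev))


# Constructed scanner output for five hosts.
SAMPLE_FINDINGS = [
    Finding("CVE-2099-0003", "ws5", 9.9),   # critical CVSS, no exploitation data
    Finding("CVE-2099-0002", "ws4", 9.8),   # critical CVSS, trending only
    Finding("CVE-2099-0001", "srv3", 5.0),  # medium CVSS, ransomware-linked
    Finding("CVE-2020-0601", "ws2", 8.1),
    Finding("CVE-2021-34527", "srv1", 8.8),
]

if __name__ == "__main__":
    for cve, host, score, reasons in prioritize(SAMPLE_FINDINGS):
        print(f"{score:5.1f}  {cve:<15} {host:<5} {' '.join(reasons)}")
    print("ransomware-linked CVEs missing from KEV:", kev_gaps())
```

Running it lists CVE-2021-34527 and CVE-2020-0601 first, then the placeholder CVE-2099-0001 at 55.0, and pushes the two CVSS 9.8/9.9 findings with no exploitation evidence to the bottom; `kev_gaps()` reports the placeholder CVE as the one ransomware-linked id the KEV feed lacks. In practice the three feeds would be pulled from their real sources on a schedule, and the weights tuned to the organization's exposure.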
According to Srinivas Mukkamala, Senior Vice President & General Manager of Security Products, Ivanti, which commissioned the survey with Cyber Security Works and Cyware: “To protect organizations against cyberattacks, security and IT teams need to adopt a risk-based approach to vulnerability management. This requires AI-based technology that can identify enterprise exposures and active threats, provide early warnings of vulnerability weaponization, predict attacks and prioritize remediation activities.”