Drawn from the undisclosed data of three cybersecurity firms, the threat report unearths some alarming shortcomings even in established threat databases

In a ransomware report for Q2 and Q3 2022 based on the threat intelligence data of three cybersecurity firms, the incidence of ransomware is concluded to have grown by 466% since 2019 and such attacks have been used increasingly as a precursor to physical war.

Within the collective research data, ransomware groups are shown to be growing in volume and sophistication, including 10 new ransomware families (Black Basta, Hive, BianLian, BlueSky, Play, Deadbolt, H0lyGh0st, Lorenz, Maui and NamPoHyu), 35 vulnerabilities and 159 trending active exploits found in the period of study.

With 101 CVEs to phish, ransomware attackers in the data were increasingly relying on spear phishing techniques to lure unsuspecting victims.

Other findings
In analyzing and mapping 323 current ransomware vulnerabilities to the MITRE ATT&CK framework, the researchers found 57 that could lead to a complete system takeover starting from initial access to exfiltration.

Also, two new ransomware vulnerabilities (CVE-2021-40539 and CVE-2022-26134) were exploited by prolific ransomware families such as AvosLocker and Cerber either before or on the same day they were added to the National Vulnerability Database (NVD). These statistics emphasize that if organizations rely solely on NVD disclosure to patch vulnerabilities, they could still be susceptible to attacks. Also, during the period of study:

    • CISA’s Known Exploited Vulnerabilities (KEV) catalog, which provides US public sector firms and government agencies with a list of vulnerabilities to patch within a deadline, is missing 124 ransomware vulnerabilities.
    • 18 vulnerabilities tied to ransomware had not been detected by popular malware scanners.
    • The three worst-hit sectors were healthcare (47.4%), energy (31.6%) and critical manufacturing (21.1%).
    • Malware with cross-platform capabilities soared high in demand as ransomware operators could easily target multiple operating systems via a single codebase.
    • There were a significant number of attacks on third-party providers of security solutions and software code libraries, resulting in a plethora of possible victims. Looking ahead, organizations can expect to see new ransomware gangs emerge as prominent groups like Conti and DarkSide supposedly shut down. New gangs will likely inherit and repurpose the defunct threat groups’ source code and exploit methods.

Research comments
Spokespersons for the three firms that created the joint report expressed their views about the conclusions drawn from their own research:

Srinivas Mukkamala, Chief Product Officer, Ivanti, said: “IT and security teams must urgently adopt a risk-based approach to vulnerability management to better defend against ransomware and other threats. This includes leveraging automation technologies that can correlate data from diverse sources (i.e., network scanners, internal and external vulnerability databases and penetration tests), measure risk, provide early warning of weaponization, predict attacks and prioritize remediation activities.

Aaron Sandeen, CEO, Cyber Security Works, said: “It’s a scary prospect if the scanners that you depend on are not identifying the vulnerabilities exposed. Organizations need to adopt an attack surface management solution that can discover exposures across all organizational assets.”

Anuj Goel, co-founder and CEO, Cyware, said: “Even though post-incident recovery strategies have improved over time, the old adage of prevention being better than cure still rings true. In order to correctly analyze the threat context and effectively prioritize proactive mitigation actions, vulnerability intelligence for SecOps must be operationalized through resilient orchestration of security processes to ensure the integrity of vulnerable assets.”