The “Ransomware 2021 Year End Report” written by automation platform Ivanti, Cyber Security Works, CNA (Certifying Numbering Authority), and provider of threat intelligence solutions Cyware, shows that hacker groups using ransomware continue to target unpatched vulnerabilities and weaponize Zero-Day vulnerabilities in record time to launch highly “crippling” attacks on targeted organizations.
The report also shows that hackers are expanding their reach and finding new ways to infect corporate networks to unleash high-impact attacks without being worried.
Which Key Vulnerabilities Does the Report Reveal?
Unpatched Vulnerabilities
Unpatched vulnerabilities remain the most frequently exploited attack vector by hacker groups using ransomware. According to the report, there has been 65 new ransomware-related vulnerabilities in 2021, which represents a 29% increase over the previous year and brings the total number of ransomware-related vulnerabilities to 288.
More than a third (37%) of these new vulnerabilities were active trends on the Dark Web and were exploited multiple times. At the same time, 56% of the 223 older vulnerabilities identified prior to 2021 are still being actively exploited by hacker groups using ransomware. This demonstrates that organizations need to prioritize vulnerabilities and apply patches for those that have become weapons and are being targeted by hacker groups, whether they are newly identified vulnerabilities or older ones.
Zero Day Vulnerabilities
Hacker groups using ransomware continue to find and exploit Zero-Day vulnerabilities, before patches are released. The QNAP (CVE-2021-28799), Sonic Wall (CVE-2021-20016), Kaseya (CVE-2021-30116) and, most recently, Apache Log4j (CVE-2021-44228) vulnerabilities were exploited before they were even listed in the National Vulnerability Database (NVD). This dangerous trend shows that it is critical for vendors to be agile in disclosing vulnerabilities and releasing patches in priority order. It also shows that companies need to go far beyond the NVD list, and monitor vulnerability trends, exploit examples, vendor guidance and security agency alerts to prioritize which vulnerabilities to patch.
Supply Chain Networks
Hacker groups using ransomware are increasingly targeting supply chain networks to inflict maximum damage and cause chaos on a massive scale. A single supply chain infection can open multiple doors for hackers to attack distribution systems, with hundreds of networks falling victim. Last year, hackers attacked supply chain networks via third-party applications, vendor-specific products and open source libraries. For example, the REvil group targeted the CVE-2021-30116 vulnerability in the Kaseya VSA remote management service, releasing a malicious update package that infected all customers using on-premises and remote versions of the VSA platform.
What is RaaS?
Ransomware hacker groups are increasingly sharing their services as if they were legitimate SaaS (Software as a service) offerings. Ransomware as a service (RaaS) is a business model where ransomware developers offer their services or code to other hackers for a fee. RaaS exploit solutions allow hackers to rent Zero-Day exploits from developers. In addition, the RaaS dropper allows a novice hacker to distribute malware via programs that, when run, can launch a malicious payload on the victim’s computer. And the RaaS Trojan, also known as RaaS malware, allows any user with an Internet connection to obtain and deploy custom malware in the cloud, without any installation.
With 157 families of ransomware exploiting 288 vulnerabilities, the report states that ransomware hacker groups are well-positioned to launch large-scale attacks in the coming years. According to Coveware, companies pay an average of $220,298 and experience 23 days of inactivity after a ransomware attack.
