Report Reveals Rise in Ransomware Attacks

A report published today suggests the ransomware scourge may be on the cusp of entering a more lethal phase as the number of vulnerabilities associated with ransomware capable of remote code execution continued to increase in the third quarter.

The Q3 2021 Ransomware Index Spotlight Report, based on research conducted by Ivanti, Cyber Security Works and Cyware, found a 4.5% increase in the number of common vulnerabilities and exposures (CVEs) associated with ransomware and a similar 4.5% increase in actively exploited and trending vulnerabilities. There was also a 3.4% increase in ransomware families discovered and a 1.2% increase in older vulnerabilities now being used in ransomware attacks.

The analysis uncovered 12 additional vulnerabilities tied to ransomware in the third quarter, bringing the total number to 278. Out of the 12 vulnerabilities newly associated with ransomware, five are capable of remote code execution attacks and two are capable of exploiting web applications and launching denial-of-service attacks. The report also identified six new active and trending vulnerabilities, bringing the total to 140, and five new ransomware families, bringing the total to 151.

In total, 92.4% of all vulnerabilities can now be tied to ransomware one way or another, the report noted.

Srinivas Mukkamala, senior vice president of security products at Ivanti, said ransomware groups are continuing to find and leverage zero-day vulnerabilities, even before the CVEs are added to the National Vulnerability Database and patches are released. The REvil group, for example, discovered and exploited a vulnerability in Kaseya IT service management (ITSM) software as the security team at the company was actively working on a patch.

The analysis also noted ransomware groups are leveraging newer, more sophisticated techniques, such as dropper-as-a-service and trojan-as-a-service, in attacks. Dropper-as-a-service allows newbie threat actors to distribute malware through programs that, when run, can execute a malicious payload. Trojan-as-a-service, also called malware-as-a-service, enables anyone with an Internet connection to obtain and deploy customized malware in the cloud with no installation required.

Mukkamala said that, as ransomware attacks become more sophisticated, it’s apparent the current crisis is about to deepen. More attacks will involve remote code execution using malware designed for specific targets as cybercriminal gangs begin to rely less on broad-based attacks, said Mukkamala. In effect, cybercriminals that launch ransomware attacks are becoming more efficient, he added.

The only way to effectively defend against attacks in this ‘asymmetrical war’ is to ensure DevSecOps best practices are followed at the time code is being written. The challenge, of course, is most developers today have little cybersecurity expertise, which means many more organizations will fall victim to ransomware attacks before security eventually improves. The issue is that it may be many years before DevSecOps best practices are widely adopted. As such, cybersecurity teams should expect things to get much worse before they might one day get better, said Mukkamala.

Each organization will, naturally, need to decide what security measures to put in place to thwart ransomware attacks. One thing that is certain, however, is it is now a question of when rather than if most organizations will find themselves dealing with some sort of ransomware incident.

Michael Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.