Ransomware Actors Take Advantage of Unpatched Vulnerabilities as the Most Typical Attack Vector

Ransomware groups are increasingly exploiting unpatched vulnerabilities in software programs and operating systems to obtain access to organization systems, and they are using zero-day vulnerabilities easily. Unpatched vulnerabilities are right now the principal attack vector in ransomware attacks, based on Ivanti’s Ransomware Year-End Spotlight report.

Ivanti joined with the next-gen SOAR and threat intelligence solutions company Cyware and Certifying Numbering Authority (CNA) Cyber Security Works in making the report, which determined 32 new ransomware variants last 2021, which went up by 26% compared to last year. There are currently 157 identified ransomware families, which are being utilized in cyberattacks on companies.

Ivanti claims 65 new vulnerabilities were found in 2021 that ransomware gangs are known to have used in attacks. This number is 29% higher year-over-year. There is a total number of 288 vulnerabilities connected to ransomware attacks. 37% of the new vulnerabilities were buzzing on the dark web and were exploited in a number of attacks, while 56% of the 223 older vulnerabilities remain consistently taken advantage of by ransomware groups.

Ransomware gangs and the first access brokers they usually use are seeking zero-day vulnerabilities to be employed in their attacks even before CVE codes are designated to the vulnerabilities and are included in the National Vulnerability Database (NVD). Examples are the following: Sonic Wall (CVE-2021-20016) QNAP (CVE-2021-28799), Apache Log4j (CVE-2021-44228), and Kaseya (CVE-2021-30116) vulnerabilities.

The report demonstrates the importance of using patches immediately and the necessity to prioritize patching to make certain that weaponized vulnerabilities are patched first of all. Although it is vital to keep an eye on vulnerabilities as they are put in the NVD, security teams must also subscribe to get threat intelligence news and security advisories from security bureaus and need to be looking out for exploitation occurrences and vulnerability developments.

Though ransomware attacks on businesses are prevalent, ransomware groups are in search of big paydays and are more and more attacking supply chain networks and managed service providers in order to cause problems on as many firms as possible. A supply chain attack or an attack on a managed service provider enables a ransomware group to carry out ransomware attacks on many or even hundreds of victim sites, much like in the REvil’s ransomware attack on the Kaseya VSA remote management service.

Ransomware gangs are furthermore increasingly working with others in these means:

  • ransomware-as-a-service (RaaS), where affiliates are employed to perform many attacks for a percentage of the ransom profits
  • exploit-as-a-service, where exploits for identified vulnerabilities are leased from coders
  • dropper-as-a-service operations, where ransomware groups pay malware operators to install malicious payloads on unsecured devices.

Ransomware gangs are more advanced today, and their attacks are more effective. These attackers are using automated tool kits to take advantage of vulnerabilities and go deeper into breached networks, explained Srinivas Mukkamala, Ivanti’s Senior VP of Security Products. Institutions should be extra attentive and patch weaponized vulnerabilities right away. This calls for utilizing a combo of risk-based vulnerability prioritization and computerized patch intelligence to discover and prioritize vulnerability weaknesses and then quicken remediation.