Research Study Also Found that Ransomware Vulnerabilities have Quadrupled with Many Linked to APT Groups
SUNNYVALE, Calif. – Feb 11, 2021 – RiskSense®, Inc., pioneering risk-based vulnerability management and prioritization, today announced the results of a new RiskSense Spotlight Report “Ransomware Through the Lens of Threat and Vulnerability Management” conducted with Cyber Security Works (CSW). Among the key findings, researchers uncovered that eight nation states linked to advanced persistent threat (APT) groups are incorporating ransomware as part of their arsenal to launch offensive cyber attacks.
According to research firm Gartner, twenty-seven percent of malware incidents reported in 2020 can be attributed to ransomware… which can have a bigger impact on an organization than a data breach. [1]
Among the report’s key findings, total vulnerabilities associated with ransomware quadrupled from 57 in our 2019 research to 223 in 2020, while the number of ransomware families mushroomed to 125 from 19 over the same period. Meanwhile, old is still gold when it comes to ransomware: nearly all (96%) of the Common Vulnerabilities and Exposures (CVEs) linked to ransomware were reported to the US National Vulnerability Database (NVD) before 2020. Software-as-a-service (SaaS) applications emerged as a new target for ransomware and had the highest count of vulnerabilities seen trending with active exploits. Finally, more than 15 active families are being offered as ransomware-as-a-service, enabling just about anyone to launch ransomware attacks without coding or security expertise.
“Over the past year, ransomware has continued to evolve with concerning new developments including its utilization by nation state actors and the growing availability of ransomware-as-a-service,” said Srinivas Mukkamala, CEO of RiskSense. “From a defensive perspective these findings, especially the continued use of older and lower criticality vulnerabilities by ransomware, illustrate the need for an increased threat-context and risk-based approach to vulnerability management. Knowing which CVEs are actively being exploited, have dangerous capabilities and are being used by ransomware must be part of the decision-making process for prioritizing remediation and patching.”
Following are some of the key insights from the report:
CVEs nearly quadrupled since last year – In 2020 ransomware attackers had 223 vulnerable exposure points to breach company networks.
Threat actors continue to leverage older vulnerabilities – 96% of the CVEs tracked, 213 out of 223, were reported in the US National Vulnerability Database (NVD) before 2020. The oldest vulnerability, CVE-2007-1036, dates from 2007 and is associated with the Crypsam (SamSam) ransomware family.
Ransomware families multiplied – 125 ransomware families were identified using a mix of the 223 vulnerabilities. Older families like Cobralocker (2012), Gimemo (2012) and Kovter (2012) are not retiring, and some, like CryptoMix, are expanding their capabilities and sophistication. Meanwhile, upstarts like Ryuk are bringing ransomware to the masses using a ransomware-as-a-service delivery model.
Attackers are diversifying their targets – moving up from server operating systems to weaknesses in web and application frameworks and in applications themselves. SaaS, as a new category, had the highest count of vulnerabilities seen trending with active exploits among ransomware families.
Focusing only on high CVSS vulnerabilities is a mistake – Patching only the vulnerabilities rated “High Risk” under CVSS v2 would still leave nearly one third (29%) of a business’s attack surface unprotected and exposed to ransomware.
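The last two findings make a concrete point about prioritization: a policy that patches only CVSS v2 “High” findings will skip ransomware-linked CVEs that carry medium scores or that were published years ago. The script below is an added example, not code from the report or from RiskSense or CSW, that contrasts a CVSS-only patch policy with a threat-context policy over a small constructed inventory. Every score, publication year, exploit flag and family pairing is made up for the demonstration; the placeholder ids CVE-XXXX-000N are not real CVEs, and the only real identifier, CVE-2007-1036, is used because the report names it as linked to SamSam (its score here is assumed, not taken from NVD).

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Set


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss_v2: float                 # CVSS v2 base score; "High" is 7.0 to 10.0
    published: int                 # year the CVE was published to NVD
    exploited: bool                # active in-the-wild exploitation observed
    ransomware: FrozenSet[str]     # ransomware families known to use this CVE


CVSS_V2_HIGH = 7.0

# Constructed sample inventory. Ids of the form CVE-XXXX-000N are placeholders;
# CVE-2007-1036 / SamSam is the pairing the report cites, but its 7.5 score,
# and every other value below, is assumed for the demo.
INVENTORY: List[Vuln] = [
    Vuln("CVE-2007-1036", 7.5, 2007, True, frozenset({"SamSam"})),
    Vuln("CVE-XXXX-0001", 5.0, 2015, True, frozenset({"FamilyA"})),
    Vuln("CVE-XXXX-0002", 4.3, 2018, True, frozenset({"FamilyB", "FamilyC"})),
    Vuln("CVE-XXXX-0003", 9.3, 2019, False, frozenset()),
    Vuln("CVE-XXXX-0004", 6.8, 2020, True, frozenset({"FamilyA"})),
    Vuln("CVE-XXXX-0005", 7.2, 2012, False, frozenset()),
]


def cvss_only_policy(vulns: Iterable[Vuln]) -> Set[str]:
    """Patch everything rated High under CVSS v2; ignore threat context."""
    return {v.cve for v in vulns if v.cvss_v2 >= CVSS_V2_HIGH}


def risk_based_policy(vulns: Iterable[Vuln]) -> Set[str]:
    """Patch what is High, or actively exploited, or tied to a ransomware family."""
    return {
        v.cve for v in vulns
        if v.cvss_v2 >= CVSS_V2_HIGH or v.exploited or v.ransomware
    }


def ransomware_exposure_left(vulns: Iterable[Vuln], patched: Set[str]) -> float:
    """Fraction of ransomware-linked CVEs that a policy leaves unpatched."""
    linked = [v for v in vulns if v.ransomware]
    if not linked:
        return 0.0
    left = [v for v in linked if v.cve not in patched]
    return len(left) / len(linked)


def share_published_before(vulns: Iterable[Vuln], year: int) -> float:
    """Share of ransomware-linked CVEs published before the given year."""
    linked = [v for v in vulns if v.ransomware]
    if not linked:
        return 0.0
    return sum(1 for v in linked if v.published < year) / len(linked)


def rank_for_remediation(vulns: Iterable[Vuln]) -> List[Vuln]:
    """Remediation order: ransomware-linked and exploited first, then anything
    exploited, then everything else by descending CVSS score."""
    return sorted(
        vulns,
        key=lambda v: (not (v.ransomware and v.exploited), not v.exploited, -v.cvss_v2),
    )


if __name__ == "__main__":
    only_high = cvss_only_policy(INVENTORY)
    contextual = risk_based_policy(INVENTORY)
    print("CVSS-only patch set:      ", sorted(only_high))
    print("Risk-based patch set:     ", sorted(contextual))
    print("Ransomware CVEs left open (CVSS-only): %.0f%%"
          % (100 * ransomware_exposure_left(INVENTORY, only_high)))
    print("Ransomware CVEs left open (risk-based): %.0f%%"
          % (100 * ransomware_exposure_left(INVENTORY, contextual)))
    print("Linked CVEs published before 2020: %.0f%%"
          % (100 * share_published_before(INVENTORY, 2020)))
    for v in rank_for_remediation(INVENTORY):
        print(f"  {v.cve}  cvss={v.cvss_v2}  exploited={v.exploited}  "
              f"families={sorted(v.ransomware)}")
```

On this constructed inventory the CVSS-only policy patches three CVEs but leaves three of the four ransomware-linked ones open, because they score 4.3 to 6.8; the threat-context policy covers all four, and the ranking puts an old, medium-scored but exploited and ransomware-linked CVE ahead of an unexploited 9.3. The percentages are a property of the sample data, not the report's 29% figure; the point is the mechanism, which is that score thresholds and exploit or family intelligence select different sets.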
Complete findings including details on the APT Groups using ransomware are available in the report which can be accessed here.
The RiskSense Spotlight Report is based on data gathered from a variety of sources including RiskSense & CSW’s proprietary data, publicly available threat databases, as well as RiskSense & CSW threat researchers and penetration testing teams. It focuses on vulnerabilities that came into existence between 2010 and 2020, and tracked their trending dates and associations with ransomware attacks and families, unless otherwise specified.
CSW is a cybersecurity services company focused on attack surface management and penetration testing as a service. Our innovation in vulnerability and exploit research led us to discover 45+ zero days in popular products from vendors such as Oracle, D-Link, WSO2, Thembay and Zoho, among others. We became a CVE Numbering Authority to enable thousands of bug bounty hunters and play a critical role in the global effort of vulnerability management. As an acknowledged leader in vulnerability research and analysis, CSW is ahead of the game, helping organizations worldwide secure their business from ever-evolving threats. For more information visit www.cybersecurityworks.com or follow us on LinkedIn and Twitter.