Ransomware attackers use a few different tactics to initially breach an organization. One method is through phishing emails. Another is through brute-force attacks. But an ever-popular trick is to exploit a known security vulnerability. A report released Tuesday by security firm Ivanti looks at the rise in vulnerabilities exploited by ransomware attacks.
As detailed in its “Ransomware Index Update Q3 2021,” Ivanti found that the number of security vulnerabilities associated with ransomware increased from 266 to 278 in the third quarter of 2021.
The number of trending vulnerabilities being actively exploited in attacks rose by 4.5% to 140. And the total volume of vulnerabilities identified before 2021 associated with ransomware is currently 258, which represents more than 92% of all security flaws tied to ransomware.
Organizations are continually being advised to practice good patch management and apply patches to known and critical vulnerabilities. But even that process can’t stop all exploits. In its research, Ivanti discovered that ransomware gangs continue to leverage zero-day vulnerabilities even before they’re added to the National Vulnerability Database (NVD) and patches are publicly released by vendors.
Ransomware groups took advantage of some nasty vulnerabilities last quarter with exploits seen in the wild. Before being fixed by Microsoft, the PrintNightmare flaw could have allowed an attacker to take over a compromised computer. The PetitPotam attack against Windows domain controllers could have let hackers steal NT LAN Manager credentials and certificates. And the ProxyShell flaw in Microsoft Exchange could also have been exploited for ransomware attacks.
In terms of other vulnerabilities, the Cring ransomware group staged attacks that exploited security holes in Adobe ColdFusion. But the associated versions of ColdFusion were more than 10 years old, which means that Adobe no longer supported them and therefore had no patches for them, according to security firm Sophos.
The number of ransomware families increased by five in the third quarter, making for a total of 151, according to the report. And the criminals who deploy these ransomware strains are taking advantage of more advanced tactics to compromise their victims. One method known as Dropper-as-a-service lets criminals install malware through special programs that trigger the malicious payload on a targeted system. Another method called Trojan-as-a-service allows anyone to rent customized malware services.
To help government agencies, and by extension the private sector, patch critical vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) recently set up a database highlighting almost 300 known security flaws with details on how and when to patch them.
In its analysis of the database, Ivanti said it found 52 vulnerabilities associated with 91 different ransomware families, while one specific flaw, CVE-2018-4878, was linked to 41 families. Microsoft is the most exploited vendor on the list with 27 different CVEs. Further, 35 of the vulnerabilities are associated with Advanced Persistent Threat (APT) groups. CISA has ordered all federal agencies to patch 20 of the security flaws by the end of 2021 and the rest by May 2022.
To help your organization better handle patch management and protect itself from ransomware, Srinivas Mukkamala, Ivanti’s senior VP of security products, offers several tips:
- Focus on the most critical security vulnerabilities susceptible to ransomware. Trying to patch every security hole is impossible as there are more than 200,000 vulnerabilities to date. Instead, put each threat in the proper context. Use adaptive intelligence to gauge your exposure to the security flaws being actively exploited, learn if they’re tied to ransomware, and determine how to quickly patch them.
- Adopt good cyber hygiene. Ransomware is ultimately a cyber hygiene problem. To combat it, you need a zero trust strategy to protect your sensitive data from breaches and unauthorized access. Zero trust offers an ongoing way to evaluate your devices, assets, endpoints and network to allow for the proper access.
- Set up a recovery plan. In the event of a ransomware attack, you can’t just restore data from a backup onto corrupted servers and systems. You may need to reimage hundreds or thousands of systems before you can restore your files. And that process takes a lot of time and testing. Without an effective recovery plan, you’re more likely to find that you need to pay the ransom in order to get your data back.
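As an added example of the prioritization the first tip describes (this is not code from Ivanti, CISA or TechRepublic), the script below ranks scanner findings against a catalog shaped like CISA's known-exploited-vulnerabilities list: entries linked to ransomware first, then other catalog entries by due date, with everything not in the catalog at the back. The catalog rows, the findings and the ransomware_families field are constructed for the example; the CVE-0000-* ids are placeholders.

```python
from datetime import date

# Constructed catalog in the shape of CISA's known-exploited-vulnerabilities feed
# (cveID, vendorProject, product, dueDate). "ransomware_families" is an assumed
# field standing in for Ivanti's cross-reference; the 41 for CVE-2018-4878 is the
# figure the article gives, and the CVE-0000-* ids are placeholders.
KEV_CATALOG = [
    {"cveID": "CVE-2018-4878", "vendorProject": "Adobe", "product": "Flash Player",
     "dueDate": "2022-05-03", "ransomware_families": 41},
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleCo", "product": "Appliance",
     "dueDate": "2021-11-17", "ransomware_families": 0},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleCo", "product": "Mail Server",
     "dueDate": "2022-05-03", "ransomware_families": 3},
]

# Constructed scanner output: CVE id -> number of hosts where it was found.
FINDINGS = {"CVE-0000-0003": 500, "CVE-2018-4878": 12,
            "CVE-0000-0001": 3, "CVE-0000-0002": 40}


def prioritize(findings, catalog, as_of):
    """Rank findings for patching. Tier 0: in the catalog and tied to ransomware;
    tier 1: in the catalog, no ransomware link; tier 2: not in the catalog.
    Inside a tier the nearest (or most overdue) due date wins, then host count."""
    today = date.fromisoformat(as_of)
    by_id = {entry["cveID"]: entry for entry in catalog}
    rows = []
    for cve, hosts in findings.items():
        entry = by_id.get(cve)
        if entry is None:
            # No evidence of active exploitation in the catalog: keep it, but last.
            rows.append({"cve": cve, "hosts": hosts, "tier": 2,
                         "days_left": None, "overdue": False})
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        rows.append({"cve": cve, "hosts": hosts,
                     "tier": 0 if entry["ransomware_families"] > 0 else 1,
                     "days_left": days_left, "overdue": days_left < 0})
    rows.sort(key=lambda r: (r["tier"],
                             r["days_left"] if r["days_left"] is not None else float("inf"),
                             -r["hosts"]))
    return rows


if __name__ == "__main__":
    for row in prioritize(FINDINGS, KEV_CATALOG, "2021-11-20"):
        print(row)
```

Run as of 2021-11-20, the placeholder appliance flaw shows as three days overdue yet still ranks below the two ransomware-linked entries, which is the trade-off the first tip argues for.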