Unpatched Vulnerabilities are the Most Common Attack Vector Exploited by Ransomware Actors

Share this article on:

Ransomware gangs are increasingly targeting unpatched vulnerabilities in software and operating systems to gain access to business networks, and they are weaponizing zero-day vulnerabilities at record speed. Unpatched vulnerabilities are now the primary attack vector in ransomware attacks, according to Ivanti’s Ransomware End of Year Spotlight report.

Ivanti partnered with Certifying Numbering Authority (CNA) Cyber Security Works and the next-gen SOAR and threat intelligence solution provider Cyware for its report, which identified 32 new ransomware variants in 2021 – An increase of 26% from the previous year. There are know 157 known ransomware families that are being used in cyberattacks on businesses.

Ivanti says 65 new vulnerabilities were identified in 2021 that are known to have been exploited by ransomware gangs – an increase of 29% year-over-year – bringing the total number of vulnerabilities tied to ransomware attacks to 288. 37% of the new vulnerabilities were trending on the dark web and have been exploited in multiple attacks, and 56% of the 223 older vulnerabilities continue to be routinely exploited by ransomware gangs.

Ransomware gangs and the initial access brokers they often use are searching for and leveraging zero-day vulnerabilities, oftentimes exploiting them in their attacks before the vulnerabilities have been issued CVE codes and have been added to the National Vulnerability Database (NVD). This was the case with the QNAP (CVE-2021-28799), Sonic Wall (CVE-2021-20016), Kaseya (CVE-2021-30116), and Apache Log4j (CVE-2021-44228) vulnerabilities.

The report highlights the importance of applying patches promptly but also emphasizes the need to prioritize patching to ensure vulnerabilities that have been weaponized are patched first. While it is important to keep track of vulnerabilities as they are added to the NVD, security teams should also sign up to receive threat intelligence feeds and security advisories from security agencies and should be on the lookout for exploitation instances and vulnerability trends.

While ransomware attacks on individual businesses are common, ransomware gangs are looking for major paydays and are increasingly targeting managed service providers and supply chain networks to inflict damage on as many businesses as possible. A supply chain attack or an attack on a managed service provider allows a ransomware gang to conduct ransomware attacks on dozens or even hundreds of victim networks, as was the case with REvil’s ransomware attack on the Kaseya VSA remote management service.

Ransomware gangs are also increasingly collaborating with others, either through ransomware-as-a-service (RaaS), where affiliates are used to conduct large numbers of attacks for a cut of the ransom payments, exploit-as-a-service, where exploits for known vulnerabilities are rented from developers, and dropper-as-a-service operations, where ransomware gangs pay malware operators to drop malicious payloads on infected devices.

“Ransomware groups are becoming more sophisticated, and their attacks more impactful. These threat actors are increasingly leveraging automated tool kits to exploit vulnerabilities and penetrate deeper into compromised networks,” said Srinivas Mukkamala, Senior Vice President of Security Products at Ivanti. “Organizations need to be extra vigilant and patch weaponized vulnerabilities without delays. This requires leveraging a combination of risk-based vulnerability prioritization and automated patch intelligence to identify and prioritize vulnerability weaknesses and then accelerate remediation.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.

Share This Post On