Ransomware attackers are finding new ways to exploit organizations’ security weaknesses by weaponizing old vulnerabilities.

Combining long-standing ransomware attack tools with the latest AI and machine learning technologies, organized crime syndicates and advanced persistent threat (APT) groups continue to out-innovate enterprises.

A new report from Cyber Security Works (CSW), Ivanti, Cyware and Securin reveals ransomware’s devastating toll on organizations globally in 2022. And 76% of the vulnerabilities currently being exploited by ransomware groups were first discovered between 2010 and 2019.

Ransomware topping agenda for CISOs, world leaders alike

The 2023 Spotlight Report titled “Ransomware Through the Lens of Threat and Vulnerability Management” identified 56 new vulnerabilities associated with ransomware threats in 2022, reaching a total of 344 — a 19% increase over the 288 that had been discovered as of 2021. It also found that out of 264 old vulnerabilities, 208 have exploits that are publicly available. 

There are 160,344 vulnerabilities listed in the National Vulnerability Database (NVD), of which 3.3% (5,330) belong to the most dangerous exploit types — remote code execution (RCE) and privilege escalation (PE). Of the 5,330 weaponized vulnerabilities, 344 are associated with 217 ransomware families and 50 advanced persistent threat (APT) groups, making them extremely dangerous.

Ransomware attackers actively search the dark web for 180 vulnerabilities associated with ransomware. In the last quarter of 2022, these groups used ransomware to exploit 21 vulnerabilities. Source: 2023 Spotlight Report: Ransomware Through the Lens of Threat and Vulnerability Management

“Ransomware is top of mind for every organization, whether in the private or public sector,” said Srinivas Mukkamala, chief product officer at Ivanti. “Combating ransomware has been placed at the top of the agenda for world leaders because of the rising toll being placed on organizations, communities and individuals. It is imperative that all organizations truly understand their attack surface and provide layered security to their organization so they can be resilient in the face of increasing attacks.”

What ransomware attackers know 

Well-funded organized-crime and APT groups dedicate members of their teams to studying attack patterns and old vulnerabilities they can target undetected. The 2023 Spotlight Report finds that ransomware attackers routinely fly under popular vulnerability scanners’ radar, including those of Nessus, Nexpose and Qualys. Attackers choose which older vulnerabilities to attack based on how well they can avoid detection. 

The study identified 20 vulnerabilities associated with ransomware for which plugins and detection signatures aren’t yet available. The study’s authors point out that those include all vulnerabilities associated with ransomware that they identified in their analysis during the past quarter, with two new additions — CVE-2021-33558 (Boa) and CVE-2022-36537 (Zkoss).

VentureBeat has learned that ransomware attackers also prioritize finding companies’ cyber-insurance policies and their coverage limits. They demand ransom in the amount of the company’s maximum coverage. This finding jibes with a recently recorded video interview from Paul Furtado, VP analyst, Gartner. Ransomware Attacks: What IT Leaders Need to Know to Fight shows how pervasive this practice is and why weaponizing old vulnerabilities is so popular today.

Furtado said that “bad actors were asking for a $2 million ransomware payment. [The victim] told the bad actors they didn’t have the $2 million. In turn, the bad actors then sent them a copy of their insurance policy that showed they had coverage.

“One thing you’ve got to understand with ransomware, unlike any other sort of security incident that occurs, it puts your business on a countdown timer.”

Weaponized vulnerabilities spreading fast

Mid-sized organizations tend to get hit the hardest by ransomware attacks because with small cybersecurity budgets they can’t afford to add staff just for security.

Sophos‘ latest study found that companies in the manufacturing sector pay the highest ransoms, reaching $2,036,189, significantly above the cross-industry average of $812,000. Through interviews with mid-tier manufacturers’ CEOs and COOs, VentureBeat has learned that ransomware attacks reached digital pandemic levels across North America last year and continue growing.

Ransomware attackers choose soft targets and launch attacks when it’s most difficult for the IT staff of a mid-tier or small business to react. “Seventy-six percent of all ransomware attacks will happen after business hours. Most organizations that get hit are targeted subsequent times; there’s an 80% chance that you will be targeted again within 90 days. Ninety percent of all ransomware attacks are hitting companies with less than a billion dollars in revenue,” Furtado advised in the video interview.

Cyberattackers know what to look for

Identifying older vulnerabilities is the first step in weaponizing them. The study’s most noteworthy findings illustrate how sophisticated organized crime and APT groups are becoming at finding the weakest vulnerabilities to exploit. Here are a few of the many examples from the report:  

Kill chains impacting widely adopted IT products

Mapping all 344 vulnerabilities associated with ransomware, the research team identified the 57 most dangerous vulnerabilities that could be exploited, from initial access to exfiltration. A complete MITRE ATT&CK now exists for those 57 vulnerabilities.

Ransomware groups can use kill chains to exploit vulnerabilities that span 81 products from vendors such as Microsoft, Oracle, F5, VMWare, Atlassian, Apache and SonicWall.

A MITRE ATT&CK kill chain is a model where each stage of a cyberattack can be defined, described and tracked, visualizing each move made by the attacker. Each tactic described within the kill chain has multiple techniques to help an attacker accomplish a specific goal. This framework also has detailed procedures for each technique, and catalogs the tools, protocols and malware strains used in real-world attacks.

Security researchers use these frameworks to understand attack patterns, detect exposures, evaluate current defenses and track attacker groups.

APT groups launching ransomware attacks more aggressively

CSW observed more than 50 APT groups launching ransomware attacks, a 51% increase from 33 in 2020. Four APT groups — DEV-023, DEV-0504, DEV-0832 and DEV-0950 — were newly associated with ransomware in Q4 2022 and mounted crippling attacks.

The report finds that one of the most dangerous trends is the deployment of malware and ransomware as a precursor to an actual physical war. Early in 2022, the research team saw escalation of the war between Russia and Ukraine with the latter being attacked by APT groups including Gamaredon (Primitive Bear), Nobelium (APT29), Wizard Spider (Grim Spider) and Ghostwriter (UNC1151) targeting Ukraine’s critical infrastructure. 

The research team also saw Conti ransomware operators openly declaring their allegiance to Russia and attacking the US and other countries that have supported Ukraine. We believe this trend will continue to grow. As of December 2022, 50 APT groups are using ransomware as a weapon of choice. Among them, Russia still leads the pack with 11 confirmed threat groups that claim origin in and affiliations with the country. Among the most notorious from this region are APT28/APT29.

Ten new APT Groups started operating last year, each concentrating on a specific strain of ransomware they’re using to weaponize long-standing vulnerabilities worldwide. Source: 2023 Spotlight Report: Ransomware Through the Lens of Threat and Vulnerability Management

Many enterprise software products affected by open-source issues

Reusing open-source code in software products replicates vulnerabilities, such as the one found in Apache Log4j. For example, CVE-2021-45046, an Apache Log4j vulnerability, is present in 93 products from 16 vendors. AvosLocker ransomware exploits it. Another Apache Log4j vulnerability, CVE-2021-45105, is present in 128 products from 11 vendors and is also exploited by AvosLocker ransomware.  

Additional analysis of CVEs by the research team highlights why ransomware attackers succeed in weaponizing ransomware at scale. Some CVEs cover many of the leading enterprise software platforms and applications.

One is CVE-2018-363, a vulnerability in 26 vendors and 345 products. Notable among those vendors are Red Hat, Oracle, Amazon, Microsoft, Apple and VMWare.

This vulnerability exists in many products, including Windows Server and Enterprise Linux Server, and is associated with the Stop ransomware. The research team found this vulnerability trending on the internet late last year. 

CVE-2021-44228 is another Apache Log4j vulnerability. It’s present in 176 products from 21 vendors, notably Oracle, Red Hat, Apache, Novell, Amazon, Cisco and SonicWall. This RCE vulnerability is exploited by six ransomware gangs: AvosLocker, Conti, Khonsari, Night Sky, Cheerscrypt and TellYouThePass.

This vulnerability, too, is a point of interest for hackers, and was found trending as of December 10, 2022, which is why CISA has included it as part of the CISA KEV catalog.

Ransomware a magnet for experienced attackers

Cyberattacks using ransomware are becoming more lethal and more lucrative, attracting the most sophisticated and well-funded organized crime and APT groups globally. “Threat actors are increasingly targeting flaws in cyber-hygiene, including legacy vulnerability management processes,” Ivanti’s Mukkamala told VentureBeat. “Today, many security and IT teams struggle to identify the real-world risks that vulnerabilities pose and, therefore, improperly prioritize vulnerabilities for remediation.

“For example,” he continued, “many only patch new vulnerabilities or those disclosed in the NVD. Others only use the Common Vulnerability Scoring System (CVSS) to score and prioritize vulnerabilities.”

Ransomware attackers continue to look for new ways to weaponize old vulnerabilities. The many insights shared in the 2023 Spotlight Report will help CISOs and their security teams prepare as attackers seek to deliver more lethal ransomware payloads that evade detection — and demand larger ransomware payments.