The state of ransomware in Q1 2023.
May 19, 2023

Researchers at Securin, Ivanti, and Cyware released a report on the state of ransomware in Q1 2023.

Researchers at Securin, Ivanti and Cyware have released their Ransomware Index Q1 2023 report, and the findings show a frightening increase in ransomware attacks and attendant data breaches.

More breaches in a month than in three previous years.

While instances of ransomware and extortion have been increasing over the years, March of 2023 saw more data breaches than the last three years combined. “Attackers continually evolve their techniques to mount sophisticated attacks on enterprises to extort ransom, disrupt operations, and sabotage critical infrastructure,” the researchers write. They also explain that the number of vulnerabilities these ransomware groups can exploit is on the rise as well. “Each quarter, the number of vulnerabilities exploited by ransomware is steadily increasing… With this addition, 7,444 products and 121 vendors are now vulnerable to ransomware attacks; overall, ransomware gangs are exploiting 356 vulnerabilities.” The average cost of a ransomware attack is also trending upward: “the average cost of an attack rose to $4.54 million in 2022.”

Many vulnerabilities are not being tracked. 

The report found that scanning solutions offered by some major vendors were not able to detect “18 high risk vulnerabilities exploited by 62 ransomware gangs, including notorious groups like Hive, GandCrab, Locky, Qlocker, and Ryuk.” The researchers provided an “early warning” for three vulnerabilities that organizations should look out for: 

  • CVE-2022-22279 - This was used by LockBit to bypass multi-factor authentication and has a CVSS rating of 5. It is not in CISA’s Known Exploited Vulnerabilities catalog yet.
  • CVE-2023-0669 - Fortra GoAnywhere MFT. This has been in the news, and hackers were able to compromise 130 companies in 10 days using this exploit.
  • CVE-2022-27510 - “The vulnerability exploitation allows a complete takeover of the system. Royal ransomware started exploiting the vulnerability even before there was a public exploit and is not a part of CISA KEVs.”

Generative AI-based ransomware is coming soon. 

Srinivas Mukkamala, Chief Product Officer at Ivanti, said, “We are only now starting to see the beginning of threat actors using AI to mount their attacks. With polymorphic malware attacks and copilots for offensive computing becoming a reality, the situation will only become more complex. While not seen in the wild yet, it is only a matter of time before ransomware authors use AI to expand the list of vulnerabilities and exploits being used. This global challenge needs a global response to truly combat threat actors and keep them at bay.”

Recommendations to keep an organization's data safe. 

Researchers recommend that organizations regularly and securely back up their data. This enables a ransomware victim to continue operating while they remediate the effects of an attack, which reduces financial strain and the pressure to give in and pay the ransom. It’s also critically important to keep software and systems up to date with the latest security patches. While zero-days are still effective ways to gain entry, companies can usually produce a rapid fix for the exploit and push it to customers very quickly. The researchers also emphasize the human dimensions of security, educating employees to withstand phishing attacks. “Educate employees,” the researchers write. “We cannot stress this enough. Ransomware often enters an organization through phishing emails and other social engineering tactics. Educating employees on how to recognize and avoid these types of attacks can help prevent ransomware from infiltrating the network.”