John Getson

one more small voice

Remediation has been the watchword of the hour… for far too long!

During the first half of 2021, many of us concerned with cyber-security, privacy and other data-based issues have witnessed dangerously disruptive ransomware attacks, and have paid close attention to the ongoing research that clearly identifies numerous new and emerging ransomware markers.

The trends, as we all know, show that ransomware only ever expands. All of which confirms that organizations worldwide need to begin defending themselves proactively against such attacks by taking specific, intentional and immediate measures to address well over 250 known vulnerabilities if they hope to stay a step ahead of attackers going into 2022.

While there has indeed been only a slight increase (since the beginning of 2021) in the number of “old” vulnerabilities that have become associated with ransomware… more recent indications show a greater than 15% increase in the number of actively exploited zero-day vulnerabilities. Any of these could block ALL access to an organization’s data, if not its entire operation, for days or even weeks BEFORE vendors get around to even acknowledging the discovery… let alone release patches to actually mitigate them.

Additionally, there has been a 27% increase in the number of groups adopting ransomware, at least in part, into their arsenal for mounting attacks on targets, as well as a 4.2% increase in the “families” of ransomware… with six new formal, self-identified organizations joining the fray.

This clearly suggests to me, at least, that there is also a much stronger possibility of loose cohorts of attackers using chained attacks to infiltrate a single victim’s network. The most recent instances, almost half of which focused on Remote Code Execution and Privilege Escalation (the absolutely most dangerous of the low-scoring vulnerabilities, which attackers can weaponize and exploit), highlight the following:

Companies, government and NGO agencies that depend only on updates released by the National Vulnerability Database (NVD) to plan their remediation and patch management efforts need to seriously rethink their current strategy and migrate to a fully proactive risk-based approach to mitigate threats BEFORE they become known trends.

Vendors must proactively establish much better client-centric methods to announce and update zero-day vulnerability status to their client partners. This should occur well before any release of patches, and most importantly without the delay of waiting until they appear in NVD alerts.

Many internal security teams, while completely well intentioned, tend to prioritize vulnerabilities based almost exclusively on their CVSS scoring… Due to increased workloads, the response has naturally been to sideline low-scoring vulnerabilities “till later” — unfortunately that is usually much later… and oftentimes simply “too late”.

This is becoming even more of a problem because 59% of the vulnerabilities recently (Q2 2019 through Q2 2021) associated specifically with ransomware are in fact well down the scoring system (fully 60% appearing in the bottom third).
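To make the point concrete, here is an added example (not code from the original post) of what a risk-based ranking looks like next to a CVSS-only one. The vulnerability records are constructed sample data with hypothetical identifiers (VULN-1 and so on, not real CVEs), and the multipliers for ransomware association, active exploitation, RCE/privilege-escalation impact and asset exposure are assumptions chosen for illustration, not a published scoring standard. The low-CVSS entries that a score-only policy would defer are exactly the ones that climb to the top once threat context is considered.

```python
"""Risk-based vulnerability ranking: CVSS alone vs. CVSS plus threat context.

Added example, not code from the original post. The records below are
constructed sample data (hypothetical IDs, not real CVEs), and the
weights are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str                 # constructed identifier, not a real CVE
    cvss: float              # CVSS base score, 0.0 - 10.0
    ransomware_linked: bool  # associated with a known ransomware family
    exploited_in_wild: bool  # actively exploited (e.g. a zero-day)
    impact: str              # "rce", "privesc" or "other"
    asset_exposed: bool      # reachable from the internet / VPN edge


# Assumed weights: CVSS is the starting point, threat context multiplies it.
IMPACT_MULTIPLIER = {"rce": 1.5, "privesc": 1.4, "other": 1.0}
RANSOMWARE_MULTIPLIER = 2.0
EXPLOITED_MULTIPLIER = 1.8
EXPOSED_MULTIPLIER = 1.3


def risk_score(v: Vuln) -> float:
    """Combine the CVSS base score with threat-context multipliers."""
    score = v.cvss * IMPACT_MULTIPLIER[v.impact]
    if v.ransomware_linked:
        score *= RANSOMWARE_MULTIPLIER
    if v.exploited_in_wild:
        score *= EXPLOITED_MULTIPLIER
    if v.asset_exposed:
        score *= EXPOSED_MULTIPLIER
    return round(score, 2)


def rank_by_cvss(vulns):
    """The CVSS-only ordering most overloaded teams default to."""
    return [v.vid for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def rank_by_risk(vulns):
    """Ordering once ransomware association and exploitation are weighed in."""
    return [v.vid for v in sorted(vulns, key=risk_score, reverse=True)]


def sidelined_by_cvss_only(vulns, cvss_threshold=7.0):
    """Ransomware-linked vulns a CVSS-only policy would push 'till later'."""
    return [v.vid for v in vulns
            if v.cvss < cvss_threshold and v.ransomware_linked]


# Constructed sample inventory (hypothetical IDs, not real CVEs).
SAMPLE = [
    Vuln("VULN-1", 9.8, False, False, "other", False),  # high CVSS, no threat context
    Vuln("VULN-2", 5.4, True, True, "privesc", True),   # low CVSS, ransomware-linked, exploited
    Vuln("VULN-3", 7.5, False, False, "rce", False),
    Vuln("VULN-4", 4.3, True, False, "rce", True),      # low CVSS, ransomware-linked
    Vuln("VULN-5", 6.1, False, True, "other", False),
]

if __name__ == "__main__":
    print("CVSS-only order :", rank_by_cvss(SAMPLE))
    print("Risk-based order:", rank_by_risk(SAMPLE))
    print("Sidelined       :", sidelined_by_cvss_only(SAMPLE))
```

With this sample, the CVSS-only order starts with VULN-1 and ends with VULN-2 and VULN-4, while the risk-based order puts VULN-2 and VULN-4 first; those two are precisely the ones a 7.0 threshold would defer. The multipliers are deliberately simple; the design choice that matters is that ransomware association and active exploitation are inputs to priority at all, rather than something looked up after the CVSS cut-off has already been applied.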

Software developers, both those under contract but particularly internal employees and departments, need to be much more mindful about potential coding errors and misconfigurations, ensuring they themselves do not introduce weaknesses that attackers could compromise to launch crippling attacks. Their employers, in turn, have to allow for not just the possibility but the probability of these issues occurring, not only with more robust “quality recovery” and patches after the fact… but by encouraging, or at least allowing, development teams ample time and resources for much more intensive pre-release testing. Potentially this even means intentionally wargaming their system processes prior to any commercial release.

At the end of the day, the reality is… vulnerabilities have been steadily increasing each quarter for the last several years AND more and more attackers are finding innovative ways to compromise and exploit broad-based weaknesses in software products and devices.

We, as a community, MUST adopt continuous, risk-based vulnerability management to not just detect and then mitigate, but proactively seek out, prioritize, and remediate ransomware threats, if there is to be any hope of keeping these attackers at bay.
