Ransomware Vulnerabilities Spike by 7.6% in Q1 2022

Posted on May 18, 2022 | By Sumeetha Manikandan

Of the 22 new vulnerabilities, 21 were classified as critical or high severity; CSW research also revealed a 7.5% increase in APT groups associated with ransomware.

ALBUQUERQUE, NM - May 18, 2022 New threat research from Cyber Security Works (CSW) has revealed a 7.6% increase in ransomware vulnerabilities since the publication of the Ransomware Spotlight Report in January 2022

In the last quarter, ransomware attacks have made mainstream headlines on a near-daily basis, with groups like Lapsus$ and Conti’s names splashed across the page. Major organizations like Okta, Globant, and Kitchenware maker Meyer Corporation have all fallen victim, and they are very much not alone. The data indicate that increasing vulnerabilities, new advanced persistent threat (APT) groups, and new ransomware families are contributing to ransomware’s continued prevalence and profitability. 

The Top Stats

Published in collaboration with Securin, an attack surface management leader, Ivanti, the creator of the Ivanti Neurons hyper-automation platform, and Cyware, a leading provider of the technology platform to build Cyber Fusion Centers, the Ransomware 2022 Q1 Index Report’s top findings include:

  • 22 new vulnerabilities and nine new weaknesses have been associated with ransomware since January 2022; of the 22, a whopping 21 are considered of critical or high-risk severity

  • 19 (out of 22) of the newly-added vulnerabilities are associated with the Conti ransomware gang

  • Three new APT groups (Exotic Lily, APT 35, DEV-0401) and four new ransomware families (AvosLocker, Karma, BlackCat, Night Sky) are deploying ransomware to attack their targets

  • 141 of CISA’s Known Exploited Vulnerabilities (KEVs) are being used by ransomware operators – including 18 newly identified this quarter

  • 11 vulnerabilities tied to ransomware remain undetected by popular scanners

  • 624 unique vulnerabilities were found within the 846 healthcare products analyzed

The Details

Increase in Ransomware Vulnerabilities

The 7.6% increase in vulnerabilities brings the total number to 310, highlighting the fact that ransomware operators are relentlessly going after weaknesses that could be quickly weaponized. CSW researchers also noticed a 6.8% increase in vulnerabilities trending in the deep and dark web and hacker channels, proving the significance of these vulnerabilities in future ransomware attacks. Our threat intelligence research also predicts a high possibility of exploitation for 19 vulnerabilities, of which 14 were warned as having high threat chatter more than 10 months prior to the time of publishing this report.

Increase in APT Groups Using Ransomware 

 The Q1 research uncovered that three new APT Groups, Exotic Lily, APT 35 and DEV-0401, have started using ransomware to mount attacks on their targets, increasing the overall number of global APT groups from 40 to 43. These groups have long been known to use espionage and are major players in the Russia-Ukraine cyberwar and conflict. With Conti ransomware operators openly pledging their support to the Russian government, it was not surprising that Conti added 27 new vulnerabilities to its arsenal in Q1 2022.

“Today, on average, vulnerabilities are being weaponized within eight days of being published by the vendor. Latencies are dangerous windows of opportunities that are afforded to the attackers, and they spare no time in exploiting them,” said Aaron Sandeen, CEO and co-founder, CSW.  “We also noticed that attackers are going after specific types of weaknesses (CWEs) associated with key products. Organizations will need to utilize attack surface management and perform additional application scanning to understand and prioritize vulnerabilities associated with ransomware.” 

Scanners Still Aren’t Detecting 3.5% of All Vulnerabilities

The report reveals that from the previous quarter, there has been a decrease in the number of undetected vulnerabilities – from 22 to 11. These 11 vulnerabilities are associated with ransomware groups such as Ryuk, Petya, and Locky. 

Healthcare Must be on High Alert

Additionally, CSW researchers analyzed 846 products used in the healthcare sector and investigated 624 unique vulnerabilities that exist in them. Forty of them have public exploits available, while two vulnerabilities, CVE-2020-0601 and CVE-2021-34527, in Biomerieux Operating System and Stryker’s ADAPT, NAV3i, NAV3 surgical navigation platforms, Scopis ENUs, respectively, are being exploited by four ransomware operators - BigBossHorse, Cerber, Conti, and Vice Society. 

Anuj Goel, co-founder, and CEO of Cyware, concluded, “One of the major concerns that has surfaced from this research is the lack of complete threat visibility for security teams due to cluttered threat intelligence available across sources. If security teams have to mitigate ransomware attacks proactively, they must tie their patch and vulnerability response to a centralized threat intelligence management workflow that drives complete visibility into the shape-shifting ransomware attack vectors through multi-source intelligence ingestion, correlation and security actioning.”

To download the full report, visit https://cybersecurityworks.com/ransomware/


About Cyber Security Works 

Cyber Security Works (CSW) is a cybersecurity services company focused on attack surface management and penetration testing as a service. Our innovation in vulnerability and exploit research led us to discover 54+ zero days in popular products, such as Oracle, D-Link, WSO2, Thembay, and Zoho. CSW became a CVE Numbering Authority to enable thousands of bug bounty hunters and play a critical role in the global effort of vulnerability management. As an acknowledged leader in vulnerability research and analysis, CSW is ahead of the game in helping organizations worldwide to secure their business from ever-evolving threats. 

For more information, visit www.cybersecurityworks.com or follow us on LinkedIn and Twitter


About Securin

Founded by security experts, Securin’s Attack Surface Management Platform empowers organizations to discover their assets and prioritize exposures and misconfigurations that could lead to a breach. For more information, visit securin.io.


About Ivanti 

Ivanti makes the concept of the ‘Everywhere Workplace’ possible. In the Everywhere Workplace, employees use myriad devices to access IT applications and data over various networks to stay productive as they work from anywhere. The Ivanti Neurons automation platform connects the company’s industry-leading unified endpoint management, zero-trust security, and enterprise service management solutions, providing a unified IT platform that enables devices to self-heal and self-secure, and empowers users to self-service. Over 40,000 customers, including 96 of the Fortune 100, have chosen Ivanti to discover, manage, secure, and service their IT assets from cloud to edge, and deliver excellent end-user experiences for employees, wherever and however they work. For more information, visit www.ivanti.com and follow @GoIvanti


About Cyware 

Cyware helps enterprise cybersecurity teams build platform-agnostic cyber fusion centers. Cyware is transforming security operations by delivering the Cyber Fusion Center Platform, the next-generation SOC (NG-SOC), for its customers orchestrating the entire post-detection SecOps with automated SOC (ASOC) capabilities. As a result, organizations can increase speed and accuracy while reducing costs and analyst burnout. Cyware's Cyber Fusion solutions make secure collaboration, information sharing, and enhanced threat visibility a reality for enterprises, sharing communities (ISAC/ISAO), MSSPs, and government agencies of all sizes and needs. Visit cyware.com for more information or follow us on LinkedIn and Twitter


Secure your environment from cyber-attacks!

Know How