Ransomware threats grow as new vulnerabilities and threat actors are identified

Researchers at Cyber Security Works, Ivanti, and Cyware identify new vulnerabilities, blindspots in popular network scanners, and emerging Advanced Persistent Threat (APT) groups in a .

By Aaron Sandeen, CEO and co-founder of

Since our earlier this year, both the severity and complexity of attacker tactics continue to grow as we head into the final quarter of 2022. The total number of ransomware vulnerabilities out there has climbed to 323, roughly a 450% increase since ransomware became a prevalent threat in 2019. That is a lot to be on the lookout for! However, not all ransomware vulnerabilities are the same. Our team has compiled to help you navigate all the ransomware information out there.

Researchers across Cyber Security Works, Ivanti, and Cyware have compiled key figures on the latest data compiled during the second and third quarters of this year. In addition to new vulnerabilities, researchers found that popular network scanners routinely fail to identify known vulnerabilities, three new Advanced Persistent Threat (APT) groups have emerged, and the CISA Known Exploited Vulnerabilities (KEV) catalog does not list about half of the known vulnerabilities associated with ransomware.

While the findings may appear to be signs of a worsening cybersecurity landscape, it is not all doom and gloom. Of the 323 total ransomware vulnerabilities found in the wild, a MITRE ATT&CK kill chain exists for 57 of them. Documentation continues to grow as the industry comes together to collectively address the threat of ransomware. With the release of our report, we hope to share this knowledge to fight the ransomware menace.

New vulnerabilities, new threat actors

Our team of researchers found 13 new vulnerabilities associated with ransomware in Q2 and Q3, 10 of which possess a Common Vulnerability Scoring System (CVSS) v3.0 “critical” severity score. Although four of these vulnerabilities were only just identified, they have existed in the wild for a little over a year, which highlights the importance of continuous network monitoring.

Vulnerabilities CVE-2022-26352 (Zoho), CVE-2021-40539 (SonicWall), and CVE-2021-20023 (DotCMS) allow adversaries to infiltrate web applications and remotely execute malicious code. CVE-2022-26352 (Zoho) also serves a double purpose as an easy entry point for attackers and allows them to gain elevated privileges.

In addition to finding the latest vulnerabilities, we document the movements of APT groups each quarter to keep watch as they continually add ransomware capabilities to their arsenal. Over the past two quarters, we identified Andariel, Tropical Scorpius, and DEV-0530 utilizing ransomware against their victims.

  • Andariel – Also known as the Lazarus group, Andariel is suspected to have originated from North Korea, and its number of attacks has grown considerably. Deploying the Maui ransomware, Andariel has targeted crypto platforms and both private and public companies across North America, Europe, and Asia.

  • Tropical Scorpius – With unknown origins, Tropical Scorpius has been documented to specifically target American organizations in government, manufacturing, healthcare, finance, and high tech. This group is known to favor the Cuba ransomware payload.

  • DEV-0530 – This group also has ties to North Korea and is suspected to collaborate with the Andariel group in coordinating attacks.

Blindspots in popular scanners

Network scanners are a relatively cheap and easy solution to monitor your organization’s assets with little active management. However, after testing scanners offered by Nessus, Nexpose, and Qualys, we found they can miss up to 18 ransomware vulnerabilities. To categorize the severity of each vulnerability, we used the CVSS V3 rating system. However, this poses a problem as it only applies to vulnerabilities discovered after 2015. Using proprietary Machine Learning frameworks, CSW was able to derive a severity score equivalent to CVSS V3 (or V2 where V3 was unavailable).

Of the 18 vulnerabilities, here is what we found:

  • Once severity ratings were derived, 11 of the 18 vulnerabilities ranked Critical or High, yet no scanner plugins are available to detect them in Nessus, Nexpose, or Qualys.

  • Interestingly, two vulnerabilities (CVE-2019-9081 and CVE-2015-2551) are still missing severity ratings as the National Vulnerability Database rejected them. CVE-2019-9081 is actively exploited by Satan and Mailto ransomware groups, and CVE-2015-2551 by multiple groups.

Ransomware vulnerabilities missing from CISA KEV catalog

CISA’s KEV catalog is the federal government’s continuous list of vulnerabilities that hackers are known to exploit. The list was created on November 03, 2021, and only started with 287 vulnerabilities. Today its collection has soared to 800+ and is only growing larger as it is updated monthly.

All public companies, government bodies, and federal agencies are mandated to prioritize and patch all vulnerabilities found in the KEV catalog. It is also a great introduction to vulnerability management strategies for private organizations. Although CISA has documented 199 vulnerabilities associated with ransomware, the catalog is currently missing 124 of them.

Earlier this October, CISA released a advising all government agencies to improve asset visibility and vulnerability detection — highlighting the necessity of vulnerability enumeration beyond the scope of the catalog. This requires routine scanning of an organization’s network perimeter to stay ahead of the latest threats.
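The check a security team would want to run on its own findings, given the KEV gap described above and the v3-or-v2 severity fallback mentioned in the scanner section: cross-reference a list of ransomware-associated CVEs against the KEV feed and rank what is left. This is an added example, not code from CSW or CISA; the KEV feed snippet and the scanner findings below are constructed samples in the shape of CISA's published JSON (only the fields used here), and the scores and dates are made up.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (subset of fields; dates are made up).
KEV_FEED_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2021-40539", "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
  {"cveID": "CVE-2021-20023", "dateAdded": "2022-10-20", "dueDate": "2022-11-10"},
  {"cveID": "CVE-2022-26352", "dateAdded": "2022-08-25", "dueDate": "2022-09-15"}
]}"""

# Constructed inventory: ransomware-associated CVEs a scanner reported on our assets, with
# whatever CVSS score NVD provides (v3 since 2015, v2 only for older entries, none if rejected).
RANSOMWARE_FINDINGS = [
    {"cve": "CVE-2021-40539", "cvss_v3": 9.8, "cvss_v2": None},
    {"cve": "CVE-2021-20023", "cvss_v3": 6.5, "cvss_v2": None},
    {"cve": "CVE-2015-2551", "cvss_v3": None, "cvss_v2": 7.2},
    {"cve": "CVE-2019-9081", "cvss_v3": None, "cvss_v2": None},
]

def load_kev(feed_json):
    """Index KEV entries by CVE id."""
    return {e["cveID"]: e for e in json.loads(feed_json)["vulnerabilities"]}

def severity(finding):
    """CVSS v3 score if present, else v2 (the fallback the report describes), else unrated."""
    score = finding["cvss_v3"] if finding["cvss_v3"] is not None else finding["cvss_v2"]
    if score is None:
        return None, "unrated"
    label = "Critical" if score >= 9.0 else "High" if score >= 7.0 else "Medium" if score >= 4.0 else "Low"
    return score, label

def triage(findings, kev, today_iso):
    """Split findings into KEV-overdue, KEV-listed and not-in-KEV, highest severity first.
    Unrated CVEs sort to the top of their bucket: a missing score is a reason to look, not to skip."""
    today = date.fromisoformat(today_iso)
    buckets = {"kev_overdue": [], "kev_listed": [], "not_in_kev": []}
    for f in findings:
        score, label = severity(f)
        row = {"cve": f["cve"], "score": score, "label": label}
        entry = kev.get(f["cve"])
        if entry is None:
            buckets["not_in_kev"].append(row)
        elif date.fromisoformat(entry["dueDate"]) < today:
            buckets["kev_overdue"].append(row)
        else:
            buckets["kev_listed"].append(row)
    for rows in buckets.values():
        rows.sort(key=lambda r: (r["score"] is not None, -(r["score"] or 0)))
    return buckets

if __name__ == "__main__":
    for bucket, rows in triage(RANSOMWARE_FINDINGS, load_kev(KEV_FEED_JSON), "2022-10-31").items():
        print(bucket, [f'{r["cve"]} ({r["label"]})' for r in rows])
```

Against the live feed, replace KEV_FEED_JSON with the downloaded known_exploited_vulnerabilities.json and the findings with your scanner export; the "not_in_kev" bucket is the part of your ransomware exposure that a KEV-only patching mandate would never surface.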

Asset visibility and vulnerability detection are easier said than done. We recommend learning exactly how ransomware groups deploy and execute their attacks, so you know where to look and how to think like the adversary. To make this easier for network security teams, CSW’s research team employed the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) kill chain to map exactly how threat groups exploit vulnerabilities. We did each step of the way for 57 vulnerabilities. Via these vulnerabilities, threat groups can completely take control of a system from end to end, deploy any code, escalate privileges within the network, and steal data. To learn more about our process, read more about it or out to us directly.

I hope you find this information as enlightening as it has been for me and the CSW team. Although a pervasive menace, ransomware can be fought and defeated by utilizing data, intelligence, expertise and a collaborative security community.

Clouded Perceptions: Debunking private cloud security myths

By Jon Lucas, Director,

According to research from Cision, the cloud computing market a further £344 billion by the final quarter of 2025, taking the market past the £600 million mark. To put that into perspective, it represents a compound annual growth rate (CAGR) of around 17.5%, and it’s the sharpest incline we’ve seen when it comes to the adoption of cloud services. Naturally, some of that incline will be due to the fallout from the pandemic, with businesses embracing cloud solutions in order to facilitate a new era of hybrid, flexible working. But it’s not just desk-based industries adapting to remote productivity that are leaning heavily into the cloud – it’s happening across the board. At the end of 2021, s of all enterprise infrastructure was cloud-based, with 81% of business leaders saying they had a multi-cloud strategy in place or in the works.

The takeaway? Cloud computing isn’t just a one-off fix to cope with the “new normal”, it’s the central pillar on which companies are building their entire futures, regardless of industry. From office blocks to haulage companies, universities to restaurants, our processes are gradually moving online. With all businesses across a variety of industries now eyeing up the cloud as part of their future, what better time to debunk some of the myths around the technology? Here are just some of the fictions that persist around cloud technology and why you shouldn’t buy into them.

My data isn’t secure on the cloud

This is one of the biggest turn-offs for business owners, particularly those that aren’t necessarily digitally savvy. The thinking behind the myth is sound – more exposure means more risk, right? But keeping your data locked away in your office is akin to stuffing money under your mattress instead of using a bank. It may feel safer because it’s closer, but it’s actually at its most vulnerable. It’s also very expensive to maintain even a moderate level of security. Companies that keep their data on-site have to employ staff to constantly monitor their data, ensuring that their servers are patched and up-to-date at all times. Using a private cloud provider means that all security updates and patches are handled externally, leaving your business with little more than a manageable monthly cost.

Yes, but private cloud security isn’t as flexible as on-site security

While on-premise security might feel like it affords more freedom, that freedom comes at such high costs that it virtually limits your ability to innovate. If a business with an on-premise cloud solution wanted to upgrade its servers or build in new features, for instance, it would have to foot the bill on its own, including the need for any additional hardware, software and other resources. That makes staying ahead of the curve financially prohibitive. A private cloud solution, on the other hand, will provide access to the very latest security patches and features via a subscription-based model, and they can easily be configured to your company’s specific needs.

Private cloud security is prone to more breaches than on-premise

This is a myth because your business is vulnerable to cyberattacks and breaches regardless of its setup. Just by virtue of being in the cloud, you get exposed to potential breaches. The important factor is how you’re able to detect and respond to those breaches. A full-fledged private cloud solution will allow your remote workers, for instance, to use technology such as virtual machines to ensure that, no matter where they log on from, they fall under the company’s protection. On the other hand, with an on-premise solution, your business is less agile and makes itself vulnerable whenever your workers decide to log on from home or another remote location.

Private cloud security is too much of a headache to manage

Another falsehood. With an on-premise solution, you and your team are responsible for your own security and compliance. It’s costly, requires in-house expertise that’s increasingly thin on the ground, and will throw up plenty of challenges throughout the implementation period. Most private cloud providers, however, will have dedicated security teams that will talk your staff through each and every step of the setup, ensuring that your business can stay productive while the migration takes place. No downtime, no headaches and no fuss.

When all is said and done, private cloud security is a far more cost-effective and easy-to-manage solution than trying to do all of the heavy lifting yourself. What’s more, moving to a private cloud solution isn’t the great leap that many businesses think it is. With the right partner in place, the migration from on-premise to a private cloud solution will be painless and barely noticeable to employees working ‘on the ground.’ Furthermore, once completed, you will enjoy enhanced security, increased control, greater efficiency and none of the mess usually associated with keeping on-premise solutions up-to-date and cyber-fit.

How to Get Out of a Scam

Even if you’ve never been scammed before, you may know somebody who has. Technology has made us more productive and connected, but it also puts us at risk of exploitation.

2020 was a high-water mark for online scams and fraud. The Federal Trade Commission (FTC) received . Consumers lost $3.3 billion throughout the year, or $1.8 billion more than in 2019. Some 34% of those who filed a report lost money, another figure up significantly since 2019.

Not every scam is strictly about money. Some people have been unlucky enough to lose their material property, too. Here are five things to remember if you’ve been scammed.

1. If You Have Provided Access to Your PC

Personal computers are our planners and oracles. They contain a wealth of information like credit card numbers, online passwords, photos, intellectual property, work documents and more.

Giving someone temporary access to your PC may mean they can control it remotely later, in addition to profiting off your information. Here’s what you should do immediately:

  • Reset your most sensitive passwords for local and online accounts.
  • Run a complete antivirus/anti-malware scan and update software.
  • Contact an IT professional or other trusted party to check your machine for signs of tampering.

It’s also important to update your machine’s operating system to ensure any known security exploits are patched.

2. If You’ve Transferred Money to Someone

Fraud attempts like “vishing” and “smishing” involve the perpetrator making contact over voicemail or SMS and impersonating someone else, like a bank manager or law enforcement. If somebody like this starts demanding payments, it can be difficult to keep your cool.

If you believe a scammer has convinced you to part with your credit card number or send them money, so they can reverse the charges and investigate. If the transfer happened within a mobile app, report the fraudulent activity to the developers and bank associated with your linked credit card.

3. If You Handed Over Personal Information

Protected personal information (PPI) like Social Security numbers, credit card numbers, home and email addresses, and medical records can prove incredibly lucrative for cybercriminals. They can use it to achieve widespread access to your personal life and finances.

Most fraud attempts begin with cybercriminals phishing for your personal information. If this happens, go to and take proactive steps to secure your identity. If the data you handed over was an account credential, change the password immediately.

4. If Your Credit Card Has Been Skimmed

Card skimming declined during the long months of the pandemic – likely due to less in-person shopping. Still, get their credit cards skimmed at gas pumps and other point-of-sale locations each year.

If you use a credit card to pay for things, this could happen to you. Here’s what to remember about this type of fraud and what you should do about it:

  • It’s often possible to spot a credit card skimmer or detect signs of tampering at gas stations and self-serve locations.
  • Use contactless payment options when you can, as these don’t use technology that’s susceptible to skimming.
  • If you believe somebody has skimmed your card and begun using it, flag the suspicious charges right away and call your bank.

Banks have zero-liability, zero-tolerance policies to protect their customers. This means you’re not liable for fraudulent charges, and you can get your money back if you sound the alarm right away.

5. If You Sign on the Dotted Line

Sometimes, we manage to reason our way into being scammed. These can be some of the most difficult scams to get out from under, taking many forms.

In some cases, a that owning a fraction of a vacation property is a wise long-term investment. If you want to get out, you might have to contact a third party for legal assistance.

You may buy into a recurring subscription or donation with no obvious way to cancel or get out of it. Thankfully, tools allow people to use a credit card with a “burner” number. If the cardholder needs to cut off the flow of funds and interrupt a fraud attempt, they can do so while leaving their real credit card information untouched.

6. If You’ve Lost Control of One of Your Accounts

We use online accounts to communicate with others and carry out personal, financial and professional activities. Any tampering requires a quick resolution.

Here are some steps to take if you’ve been hacked:

  1. Update all of your device firmware and software.
  2. Contact the account provider through their Support page and tell them what’s happened. There may already be an FAQ page concerning hacked or compromised accounts.
  3. Change the password if you still have access to the account.
  4. so nobody else can access your account without a secondary point of contact, like a smartphone.

If the account in question is your email, pay extra-close attention to the settings panel after you regain control. The cybercriminal may have changed the settings to automatically forward your mail someplace else.

Know How to Recover After a Scam

Getting scammed can be a scary experience. Luckily, there are tools and support systems in place to help individuals out of a jam.