In its recently released Ransomware Incident Risk Insights Study, partially funded by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Cyentia Institute examined over 14,000 recent security incidents to better understand trends in ransomware attacks.
Over the past four years, ransomware has become one of the largest problems in the security industry. As Cyentia states in its report, “few cyber threats have inspired more fear, uncertainty, and doubt than ransomware in recent years.” As ransomware groups have become more organized and sophisticated, widespread attacks targeting healthcare, manufacturing, and education have dominated headlines. Ransomware campaigns like TellYouthePass, MOVEit, Deadbolt, and ESXiArgs are among the many recent attacks that have gripped news cycles.
Ransomware has also drawn attention from governments, who observe nation-state-affiliated actors turning to ransomware to carry out state-sponsored objectives. For example, in its Joint Cybersecurity Advisory on North Korea, the FBI recently confirmed that state-sponsored North Korean threat actors are using ransomware campaigns targeted at U.S. healthcare organizations to fund their cyber espionage activities.
Source: Cyentia Institute Ransomware Incident Risk Insights Study
Cyentia’s new report quantifies what headlines have indicated: ransomware attacks are increasing, both in volume and as a percentage of all security incidents. From 2019-2023, ransomware was the second most frequently deployed cyber attack globally, accounting for 30% of all publicly-reported incidents. Consider that in 2015, only 1% of publicly reported incidents were attributed to ransomware.
In terms of financial impact, Cyentia also finds that no other security incident type rivals the magnitude of losses tied to ransomware. Within the last five years, financial losses from ransomware attacks amounted to more than $270 billion.
Organizations and governments have real reason to be concerned about the rising risk and impact of ransomware. However, Cyentia’s analysis on how ransomware groups are gaining initial access to networks sheds light on what organizations can do to take proactive action against these attacks.
Exposed Public-Facing Assets Are Top Points of Entry
Cyentia finds that exploited, public-facing assets are the number one initial access vector for ransomware, carrying substantially higher losses than any other initial access vector ($35.3M typical loss from exploitation of a public-facing application vs. $24.7M typical loss from phishing).
Source: Cyentia Institute Ransomware Incident Risk Insights Study
It’s clear that ransomware groups see vulnerable Internet-facing assets as low-hanging fruit and are increasingly targeting these assets to gain access to enterprise networks. Vulnerable and mismanaged Internet assets are attractive to bad actors because they can be easily found online and directly attacked. In addition, many of these assets exist outside the purview of security teams — Censys estimates that up to 80% of organizations’ external attack surfaces are unknown to IT and security teams.
Prioritization: A Critical Challenge for Security Teams
As shifts in digital infrastructure have expanded and diversified attack surfaces in recent years, many organizations face a large number of assets that need to be prioritized and patched.
Security teams, in turn, are challenged to swiftly address these exposures before attackers take action. After a vulnerability is announced, teams typically only have a small window of time to patch affected assets before being hit by an attack. And without complete, accurate visibility into the attack surface, teams also run the risk of missing exposed assets altogether or failing to prioritize the most critical vulnerabilities.
These inadequate prioritization efforts leave organizations exposed, which is why an effective ransomware defense strategy must focus on taking immediate action to address the vulnerabilities that ransomware groups will exploit.
Defending Against Ransomware with Censys Attack Surface Management
Censys Attack Surface Management helps organizations take immediate action by providing the most comprehensive, accurate, and up-to-date visibility into their attack surfaces. This means security teams can quickly identify the assets on their attack surface that are affected by vulnerabilities attackers will target.
Unlike other ASM solutions, Censys is powered by proprietary internet intelligence that is unrivaled in depth, breadth, and accuracy. No other ASM solution offers the same view of global internet infrastructure. This view is what allows Censys to discover 65% more of organizations’ attack surfaces than competitors.
Censys ASM specifically helps security teams defend against ransomware by providing:
Continuous Asset Discovery
Defending against ransomware starts with continuous asset discovery. Censys ASM begins with seeds that serve as inputs to automatically discover and attribute public-facing assets on an organization’s attack surface, including hosts, services, websites, certificates, and domains. Unlike any other ASM solution on the market, Censys ASM finds new nodes on the Internet in less than one hour, providing users with the freshest attack surface discovery available.
Censys also integrates with cloud service providers and ingests new assets up to 6x per day to improve cloud asset visibility. Censys’ continuous seed discovery solution searches for new seeds daily and notifies security teams when a new subsidiary is acquired, often before they are informed by the business. Additionally, Censys indexes over 11B X.509 certificates for comprehensive pivoting to and through certificates, so that users can discover names and IP addresses listed in associated DNS A records.
Comprehensive Asset Inventory
Censys builds a comprehensive inventory of all of an organization’s public-facing assets, helping security teams discover unmanaged assets often introduced through cloud deployments and Shadow IT. Censys users are in control of their inventory and are empowered to search within the inventory across 2000+ fields, including 65K ports and 5.1Bn services. Censys also detects services on non-standard ports using automatic protocol detection, helping teams find services that may be intentionally hidden from standard-port scans. Teams can also proactively manage their attack surface by leveraging inventory search queries and alerting to uncover unmanaged assets before ransomware groups do.
Risk Prioritization
Censys ASM uses rich inventory and scan data to fingerprint over 500 different risk types, from database exposures to software vulnerabilities to TLS/SSL certificate misconfigurations and web application headers. Censys also helps identify over 11,000 unique products across 1,000 vendors on an organization’s attack surface to discover unmanaged web applications and software before attackers do. The Censys Research Team continuously adds to that fingerprint list and actively follows emerging threats to help security teams shorten the time it takes to discover and remediate assets affected by zero-days and known exploited vulnerabilities. Censys risks can further be used to map ransomware group TTPs to specific weaknesses, so that security teams can remediate exposed assets before ransomware groups attack them.
Rapid Response
The Censys Rapid Response program enables Censys ASM users to take immediate action in response to new vulnerabilities. Within approximately 24-72 hours of the release of a zero-day vulnerability that has a CVSS score of 9 or 10 and is an RCE or privilege escalation (the vulnerability classes typically leveraged for ransomware), Censys fingerprints the specific affected software versions for a timely grasp of the vulnerability’s scope. Ransomware Rapid Response efforts prioritize analysis of vulnerabilities in edge devices and software that are known targets of ransomware. Following Censys’ analysis, Censys ASM users are notified directly within their ASM workspaces or by email as to whether any assets on their attack surface are impacted by the zero-day vulnerability, so that they can begin swift remediation. The Censys Research Team also publishes in-depth Rapid Response articles that further describe the nature of the zero-day vulnerability, its significance to organizations, and the impact observed. Examples of the team’s Rapid Response reporting on vulnerabilities that ransomware groups have exploited include TellYouthePass, MOVEit, Deadbolt, and ESXiArgs.
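The prioritization logic described under Risk Prioritization and Rapid Response, written out as a small triage routine: it applies the stated bar (CVSS 9 or 10, RCE or privilege escalation), matches assets against the first fixed version, and orders findings with public-facing assets first. This is an added example, not Censys code or its data model; the asset and vulnerability records, the dotted-numeric version comparison and the placeholder vulnerability ids are all assumptions.

```python
from dataclasses import dataclass
@dataclass
class Asset:
    host: str
    product: str
    version: str
    public_facing: bool   # seen on the external attack surface

@dataclass
class Vuln:
    vuln_id: str          # placeholder id; real CVE ids come from the advisory
    product: str
    fixed_in: str         # first non-vulnerable version (assumed dotted numeric)
    cvss: float
    kind: str             # "rce", "privesc", or anything else

def parse_version(v):
    # Assumption: simple dotted numeric versions such as "4.2.1"
    return tuple(int(p) for p in v.split("."))
def is_rapid_response_candidate(v):
    # Criteria named in the text: CVSS 9 or 10 and RCE or privilege escalation
    return v.cvss >= 9.0 and v.kind in ("rce", "privesc")
def is_affected(asset, v):
    return (asset.product == v.product
            and parse_version(asset.version) < parse_version(v.fixed_in))

def triage(assets, vulns):
    # Findings ordered public-facing first, then by CVSS descending
    findings = []
    for v in vulns:
        if not is_rapid_response_candidate(v):
            continue
        for a in assets:
            if is_affected(a, v):
                findings.append({"host": a.host, "vuln": v.vuln_id,
                                 "public": a.public_facing, "cvss": v.cvss})
    findings.sort(key=lambda f: (not f["public"], -f["cvss"]))
    return findings

# Constructed sample inventory and advisory feed (not real data)
SAMPLE_ASSETS = [
    Asset("vpn-gw.example.com", "acme-vpn", "4.2.1", True),
    Asset("build.internal.example.com", "acme-vpn", "4.2.0", False),
    Asset("vpn-gw2.example.com", "acme-vpn", "4.2.3", True),   # already patched
    Asset("web01.example.com", "acme-webapp", "2.0.0", True),
]
SAMPLE_VULNS = [
    Vuln("VULN-PLACEHOLDER-1", "acme-vpn", "4.2.3", 9.8, "rce"),
    Vuln("VULN-PLACEHOLDER-2", "acme-webapp", "2.1.0", 7.5, "xss"),  # below bar
]
```

Running `triage(SAMPLE_ASSETS, SAMPLE_VULNS)` returns only the two unpatched VPN gateways, the Internet-facing one first; the patched gateway and the lower-severity web finding fall out of the queue.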
Censys Attack Surface Management enables organizations to shift left, providing the visibility needed to take immediate action and identify, prioritize, and patch the vulnerabilities that ransomware groups will exploit. Censys ASM replaces antiquated, point-in-time asset inventories with continuous discovery, along with a comprehensive asset inventory that security teams can control. With Censys ASM, security teams benefit from attack surfaces that are updated daily, as well as the ability to leverage rescans to objectively validate remediation on-demand. The leading internet intelligence that powers Censys ASM further gives security teams assurance that they have the most accurate, up-to-date view of everything they own.
Proactive Defense Starts with Censys ASM
The Cyentia Institute’s reporting on ransomware tactics illuminates a critical opportunity organizations of all sizes and industries have to reduce their ransomware risk. By effectively prioritizing and patching vulnerabilities with Censys ASM, security teams can take meaningful, measurable action to manage their exposed, public-facing assets. In turn, they can limit the likelihood of a successful ransomware attack, and help their organizations stay out of the headlines.
Interested in learning more about how Censys’ unmatched view of global internet infrastructure has been used to defend against ransomware? The same internet intelligence that helps Censys ASM customers identify exposures on their attack surface also allows the Censys Research Team to observe and investigate ransomware campaigns as they unfold around the world. Our team’s extensive reporting on the ESXiArgs and Deadbolt ransomware campaigns is just one of the many research efforts that illustrate the power of Censys internet intelligence.