Ransomware is known to leverage various known vulnerabilities to gain access to systems. Some vulnerabilities appear more often than others in ransomware attacks, so security researchers at RiskSense analyzed the most common ones, which are used across multiple families to target enterprise and government organizations.
The researchers discovered that nearly 65% of these vulnerabilities targeted high-value assets such as servers. 35% of the vulnerabilities were old, from 2015 or earlier, and the WannaCry flaws are still in use today.
According to the findings, “ransomware cost businesses more than $8 billion in 2018. As a benchmark, the City of Atlanta which was hit by SamSam last year, incurred costs estimated to be in the range of $17 million.”
It is interesting to note that there is a difference in the type of vulnerabilities used by consumer ransomware and enterprise attacks. In the first case, individual users are compromised with the help of Windows and Adobe flaws, while enterprise targets are hit at the server end. In enterprise attacks, application infrastructure and collaboration tools are also leveraged, as they contain critical data.
“While not totally unexpected, the fact that older vulnerabilities and those with lower severity scores are being exploited by ransomware illustrates how easy it is for organizations to miss important vulnerabilities if they lack real-world threat context,” noted Srinivas Mukkamala, CEO of RiskSense.
How was the data gathered?
The data came from various sources, including RiskSense proprietary data, publicly available threat databases, and findings from RiskSense threat researchers and penetration testers. The analysis focuses on the top ransomware families targeting enterprises and government organizations. The researchers identified 57 vulnerabilities that are most common in ransomware attacks against enterprises, as well as some “trending” vulnerabilities in 2018 and 2019.
Here are some interesting findings from the report:
Enterprise Ransomware Hunts High-Value Assets
63% (36 out of 57) of the CVEs analyzed were tied to high-value enterprise assets such as servers, application servers, and collaboration tools. 31 of these CVEs were trending in the wild in 2018 or 2019. Targeting these and other critical assets allows attackers to maximize business disruption and demand higher ransom payments.
Low CVSS Scores Can Carry High Risk
52.6% (30 out of 57) of the ransomware vulnerabilities had a CVSS v2 score lower than 8. Of those, 24 were trending in the wild. Surprisingly, some trending ransomware vulnerabilities scored as low as 2.6. As a result, organizations that use CVSS scores as their exclusive means of prioritizing vulnerabilities for patching will very likely miss important vulnerabilities that are used by ransomware.
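The gap between a score cutoff and threat context can be shown in a short triage script. This is an added illustration, not code or data from the RiskSense report: the findings, the placeholder CVE identifiers, the field names and the ordering rule are all constructed assumptions; only the cutoff of 8 and the attributes (trending, used by ransomware families, high-value asset) come from the text above.

```python
from dataclasses import dataclass

CVSS_CUTOFF = 8.0  # the dividing line used in the finding above (CVSS v2)

@dataclass(frozen=True)
class Finding:
    cve: str                # placeholder identifier, constructed
    cvss_v2: float
    trending: bool          # seen exploited in the wild in 2018 or 2019
    families: int           # ransomware families known to use it
    high_value_asset: bool  # server, application server, collaboration tool

# Constructed scan results; no value here is taken from the report.
FINDINGS = [
    Finding("CVE-PLACEHOLDER-A", 9.3, False, 0, False),
    Finding("CVE-PLACEHOLDER-B", 2.6, True, 1, True),
    Finding("CVE-PLACEHOLDER-C", 6.8, True, 3, True),
    Finding("CVE-PLACEHOLDER-D", 10.0, True, 2, True),
    Finding("CVE-PLACEHOLDER-E", 7.5, False, 0, False),
    Finding("CVE-PLACEHOLDER-F", 4.3, False, 1, False),
]

def cvss_only(findings, cutoff=CVSS_CUTOFF):
    """Patch queue of an organization that looks at the score alone."""
    return [f for f in findings if f.cvss_v2 >= cutoff]

def missed_by_cvss_only(findings, cutoff=CVSS_CUTOFF):
    """Ransomware-linked findings that the score cutoff never queues."""
    return [f for f in findings if f.cvss_v2 < cutoff and f.families > 0]

def threat_rank(f):
    # Assumed ordering: ransomware use first, then in-the-wild activity,
    # reuse across families, asset value, and CVSS only as a tie-breaker.
    return (f.families > 0, f.trending, f.families > 1,
            f.high_value_asset, f.cvss_v2)

def prioritized(findings):
    """Patch queue ordered by threat context instead of score alone."""
    return sorted(findings, key=threat_rank, reverse=True)

if __name__ == "__main__":
    print("CVSS-only queue:", [f.cve for f in cvss_only(FINDINGS)])
    print("Missed:         ", [f.cve for f in missed_by_cvss_only(FINDINGS)])
    print("Threat-ranked:  ", [f.cve for f in prioritized(FINDINGS)])
```

On this sample the score-only queue contains two findings and leaves out three that ransomware uses, including the one scored 2.6 on a high-value asset.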
Many Vulnerabilities Are Repeat Offenders
15 vulnerabilities were used by multiple families of enterprise ransomware. Since the same code is often reused in multiple products, 17 trending vulnerabilities with active exploits in the wild affected more than one technology vendor.
More information is available in the official report.