RiskSense Spotlight Report Exposes Top Vulnerabilities used in Enterprise Ransomware Attacks

Nearly 65% Targeted Servers, More than Half Exploited Vulnerabilities with Less than Critical Scores and Many Ransomware Families Use Same Flaws

SUNNYVALE, Calif.--(BUSINESS WIRE)--RiskSense®, Inc., pioneering risk-based vulnerability management and prioritization, today announced the results of the RiskSense Spotlight Report for Enterprise Ransomware, which analyzes the most common vulnerabilities used across multiple families of ransomware that target enterprises and government organizations. Among the key findings, almost 65% targeted high-value assets like servers, close to 55% had CVSS v2 scores lower than 8, nearly 35% were old (from 2015 or earlier), and the WannaCry vulnerabilities are still being used today.

Ransomware cost businesses more than $8 billion in 2018. As a benchmark, the City of Atlanta, which was hit by SamSam last year, incurred costs estimated to be in the range of $17 million.

“While consumer ransomware targets Windows and Adobe vulnerabilities, enterprise ransomware targets high-value assets like servers, application infrastructure, and collaboration tools, since they contain an organization’s critical business data,” said Srinivas Mukkamala, CEO of RiskSense. “While not totally unexpected, the fact that older vulnerabilities and those with lower severity scores are being exploited by ransomware illustrates how easy it is for organizations to miss important vulnerabilities if they lack real-world threat context.”

The RiskSense report is the first of its kind to analyze vulnerabilities used by multiple families of enterprise ransomware. The data was gathered from a variety of sources, including RiskSense proprietary data, publicly available threat databases, and findings from RiskSense threat researchers and penetration testers. The study focuses on the top ransomware families targeting enterprises and government organizations. RiskSense researchers identified the 57 vulnerabilities most commonly used by ransomware as well as vulnerabilities that were “trending” in either 2018 or 2019. RiskSense defines trending vulnerabilities as those that are being actively abused by attackers in the wild, based on activity in hacker forums and Twitter feeds as well as analysis of third-party threat intelligence sources.

Report Highlights
Following are some of the key insights from the RiskSense Spotlight Report for Enterprise Ransomware:

Enterprise Ransomware Hunts High-Value Assets
63% (36 out of 57) of the CVEs analyzed were tied to high-value enterprise assets such as servers, application servers, and collaboration tools. 31 of these CVEs were trending in the wild in 2018 or 2019. Targeting these and other critical assets allows attackers to maximize business disruption and demand higher ransom payments.

Low CVSS Scores Can Carry High Risk
52.6% (30 out of 57) of the ransomware vulnerabilities had a CVSS v2 score lower than 8. Of those, 24 were trending in the wild. Surprisingly, some trending ransomware vulnerabilities had scores as low as 2.6. As a result, organizations that use CVSS scores as their exclusive means to prioritize vulnerabilities for patching will very likely miss important vulnerabilities that are used by ransomware.

Many Vulnerabilities Are Repeat Offenders
15 vulnerabilities were used by multiple families of enterprise ransomware. Since the same code is often reused in multiple products, 17 trending vulnerabilities with active exploits in the wild affected more than one technology vendor.

Older Vulnerabilities Still a Problem
While many organizations focus on new vulnerabilities, the research found that vulnerabilities from as far back as 2010 continue to be trending with ransomware in the wild. In total, 31.5% of the analyzed vulnerabilities were from 2015 or earlier (18 out of 57), and 16 of those vulnerabilities continue to be trending in 2018 or 2019.

Universal Remote Code Execution or Privilege Escalation
All of the vulnerabilities analyzed in the dataset either enabled remote code execution (RCE) or privilege escalation (PE). These traits continue to be highly strategic for attackers and should be considered important attributes for prioritizing patching efforts.

‘Eternal’ Exploits Remain Eternal
The MS17-010 vulnerabilities, first popularized by the EternalBlue exploit and the WannaCry ransomware, continue to be used in multiple families of ransomware today, including Ryuk, SamSam, and Satan. These wormable vulnerabilities allow attackers to quickly spread from host to host throughout the network. The fact that they continue to trend in the wild and are being used by the most recent and damaging families of ransomware is a clear sign that many organizations still have not patched them.

Providing Actionable Intelligence
The overarching goal of the RiskSense Spotlight Report for Enterprise Ransomware is to provide a manageable list of CVEs and best practices to help organizations protect themselves against the top families of enterprise ransomware. The findings were designed to serve as a starting point for businesses that want to implement a ransomware-based approach to patching within their vulnerability management program to reduce their attack surface.

A full copy of the report is available here.

About RiskSense
RiskSense®, Inc. provides vulnerability management and prioritization to measure and control cybersecurity risk. The cloud-based RiskSense platform uses a foundation of risk-based scoring, analytics, and technology-accelerated pen testing to identify critical security weaknesses with corresponding remediation action plans, dramatically improving security and IT team efficiency and effectiveness. For more information, visit www.risksense.com or follow us on Twitter at @RiskSense.

