Almost 65% of top vulnerabilities used in enterprise ransomware attacks targeted high-value assets like servers, close to 55% had CVSS v2 scores lower than 8, nearly 35% were old (from 2015 or earlier), and the vulnerabilities used in WannaCry are still being used today, according to RiskSense.
The data was gathered from a variety of sources including RiskSense proprietary data, publicly available threat databases, as well as findings from RiskSense threat researchers and penetration testers.
“While consumer ransomware targets Windows and Adobe vulnerabilities, enterprise ransomware targets high-value assets like servers, application infrastructure, and collaboration tools, since they contain an organization’s critical business data,” said Srinivas Mukkamala, CEO of RiskSense.
“While not totally unexpected, the fact that older vulnerabilities and those with lower severity scores are being exploited by ransomware illustrates how easy it is for organizations to miss important vulnerabilities if they lack real-world threat context.”
Enterprise ransomware hunts high-value assets: 63% (36 out of 57) of the CVEs analyzed were tied to high-value enterprise assets such as servers, application servers, and collaboration tools. 31 of these CVEs were trending in the wild in 2018 or 2019. Targeting these and other critical assets allows attackers to maximize business disruption and demand higher ransom payments.
Low CVSS scores can carry high risk: 52.6% (30 out of 57) of the ransomware vulnerabilities had a CVSS v2 score lower than 8. Of those, 24 of the vulnerabilities were trending in the wild. Surprisingly, some trending ransomware vulnerabilities had scored as low as 2.6.
As a result, organizations that use CVSS scores as their exclusive means to prioritize vulnerabilities for patching will very likely miss important vulnerabilities that are used by ransomware.
Many vulnerabilities are repeat offenders: 15 vulnerabilities were used by multiple families of enterprise ransomware. Since the same code is often reused in multiple products, 17 trending vulnerabilities with active exploits in the wild affected more than one technology vendor.
Older vulnerabilities still a problem: While many organizations focus on new vulnerabilities, the research found that vulnerabilities from as far back as 2010 continue to be trending with ransomware in the wild. In total, 31.5% of the analyzed vulnerabilities were from 2015 or earlier (18 out of 57), and 16 of those vulnerabilities continue to be trending in 2018 or 2019.
Universal remote code execution or privilege escalation: All of the vulnerabilities analyzed in the dataset either enabled remote code execution (RCE) or privilege escalation (PE). These traits continue to be highly strategic for attackers and should be considered important attributes for prioritizing patching efforts.
“Eternal” exploits remain eternal: The MS17-010 vulnerabilities, first popularized by the EternalBlue exploit and the WannaCry ransomware, continue to be used in multiple families of ransomware today including Ryuk, SamSam, and Satan. These wormable vulnerabilities allow attackers to quickly spread from host to host throughout the network.
The fact that they continue to trend in the wild and are being used by the most recent and damaging families of ransomware are clear signs that many organizations still have not patched them.