
Which Vendors Have the Biggest Impact on Ransomware Risk?

Nov 6, 2019


We recently published our latest Spotlight Report, which takes a long look into the vulnerabilities used by ransomware in real-world attacks against enterprises and state and local governments. This was a particularly interesting report to be a part of because it gave some valuable insights into how ransomware causes damage to an organization.

While many ransomware attacks can begin via phishing or by taking advantage of open RDP ports, much of the real damage occurs when attackers spread from that initial infected host to compromise key assets like servers and application infrastructure. Vulnerabilities play a key role in all phases of a ransomware attack, from the initial infection, to lateral movement, to ultimately compromising these high-value assets. As a result, making smart patching decisions is one of the most proactive things an organization can do to reduce its risk from ransomware.

With that in mind, we wanted to highlight some of the key vendors covered in the report and some of the takeaways that IT and security teams can use to prioritize their patching efforts.

Seeing a Different Side of Microsoft Vulnerabilities

Microsoft had the most total vulnerabilities of any vendor in the report with 27, as well as the most vulnerabilities that were trending in the wild with 24. “Trending” is a RiskSense designation assigned to vulnerabilities that are being used in active campaigns in the wild, based on intelligence from RiskSense researchers and third-party sources.

And while it is probably not surprising to see that Microsoft led the pack, the types of vulnerabilities are probably not what most would expect to see. Instead of the regular raft of browser or Microsoft Office vulnerabilities, half of the Microsoft vulnerabilities had the potential to impact high value assets. In particular, 6 vulnerabilities directly impacted Windows Server.

Additionally, 6 CVEs were related to Microsoft SMB. These vulnerabilities are particularly notable as they are related to MS17-010, the wormable vulnerabilities originally made famous by the EternalBlue exploit and WannaCry. These vulnerabilities are still being used extensively by ransomware to spread through an organization and do the most damage possible, and they serve as a reminder that organizations need to be patching their internal assets in addition to externally facing assets. Ryuk, SamSam, Sodinokibi, and GandCrab were some of the more notable ransomware families that targeted Microsoft products in particular.

Web and Application Servers Under Attack

As our analysis showed, enterprise-focused ransomware tends to hunt for high-value assets, and web servers and application servers were some of the top targets. These assets are particularly notable because, in addition to being highly valuable in their own right, they also provide attackers with an externally facing target, making them ideal for initial infection.

Red Hat’s JBoss application servers led the way with 8 vulnerabilities. Of note, JBoss vulnerabilities as old as 2010 (CVE-2010-0738, CVE-2010-1428) continue to be trending in the wild and are used by multiple families of ransomware, including SamSam and Satan. Similarly, Apache Struts and Tomcat were also popular targets with 4 CVEs, while 3 CVEs were tied to Oracle WebLogic Server. All of these vulnerabilities were trending in the wild and were notably used by SamSam, GandCrab, and Sodinokibi.

Oracle Vulnerabilities Have Massive Reach

Oracle only had 5 vulnerabilities overall, but 2 of those vulnerabilities, related to Oracle JRE, had an incredible downstream impact. Ultimately 15 different vendors were affected by these Java vulnerabilities, including VMware, Amazon, and Apple, as well as various operating systems including CentOS and Debian. These vulnerabilities were widely used in the wild by a variety of ransomware families, including GandCrab, Sodinokibi, Princess Locker, and Cerber.

And once again, these Java vulnerabilities were relatively old (CVE-2012-0507, CVE-2012-1723) yet remain very much in play in modern attacks. As with the JBoss vulnerabilities mentioned earlier, this is a reminder that while many organizations rush to patch the latest vulnerabilities, sometimes the old ones can come back to bite you.
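To make the prioritization argument concrete, here is a small ranking routine (an added example, not code from the report or from RiskSense) that scores findings by the factors discussed above: whether the CVE is trending in the wild, whether the asset is high-value server or application infrastructure, and whether it is externally facing. The trending set uses CVEs named on this page; the asset inventory, the CVSS values and the placeholder CVE-0000-0000 are constructed for illustration.

```python
"""Rank vulnerability findings for patching by context, not CVSS alone.

Constructed example: the TRENDING set lists CVEs this post names as trending;
the inventory, CVSS values and CVE-0000-0000 are made up for illustration.
"""
from dataclasses import dataclass

# CVEs the report flags as trending (used by ransomware in active campaigns).
TRENDING = {"CVE-2010-0738", "CVE-2010-1428", "CVE-2012-0507", "CVE-2012-1723"}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str
    cvss: float        # scanner base score (illustrative values below)
    high_value: bool   # server / application infrastructure
    external: bool     # reachable from the internet


# Constructed inventory. CVE-0000-0000 is a placeholder for a recent,
# high-CVSS issue that is not trending in the wild.
FINDINGS = [
    Finding("jboss-app-01", "CVE-2010-0738", 5.0, high_value=True, external=True),
    Finding("build-jre-07", "CVE-2012-0507", 9.3, high_value=False, external=False),
    Finding("laptop-042", "CVE-0000-0000", 9.8, high_value=False, external=False),
    Finding("file-srv-03", "CVE-0000-0000", 9.8, high_value=True, external=False),
]


def priority(f: Finding, trending: set) -> float:
    """Weight context on top of CVSS: trending outweighs raw severity, a
    high-value asset outweighs exposure, and internal assets still score,
    because lateral movement is where ransomware does most of its damage."""
    score = f.cvss
    if f.cve in trending:
        score += 10.0
    if f.high_value:
        score += 5.0
    if f.external:
        score += 2.0
    return score


def ranked(findings, trending=TRENDING):
    """Return findings sorted from most to least urgent to patch."""
    return sorted(findings, key=lambda f: priority(f, trending), reverse=True)


if __name__ == "__main__":
    for f in ranked(FINDINGS):
        print(f"{priority(f, TRENDING):5.1f}  {f.asset:14} {f.cve}")
```

Run on this inventory, the 2010 JBoss CVE on the external application server and the 2012 JRE CVE on an internal build host both outrank the newer 9.8 placeholder, which is the point of the report: old, trending vulnerabilities on the assets ransomware hunts for come first.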

These are just a few of the insights you can find in the full report, along with detailed lists of relevant CVEs and recommendations to help defend your organization from ransomware. Read it here.
