Enterprise Ransomware In The Spotlight

by Sep 24, 2019

Ransomware is in the midst of a massive resurgence, and in most cases, enterprises are the prime target of attack. Unlike the more opportunistic and consumer-focused ransomware of the past, these newer campaigns have become more targeted and patient, and have zeroed in on high-value enterprise assets in order to cripple the operation and drive higher-value ransom demands. Unfortunately for enterprises, the ransom itself is often a drop in the bucket compared to lost productivity and the costs of cleanup and recovery.

As a result, preventing ransomware is one of the most critical tasks for IT and security teams today. And like all threats, vulnerabilities play a critical role in ransomware. Ransomware uses vulnerabilities across the lifecycle of an attack: to gain initial access to a network, to spread internally, and to immobilize key assets and data. This makes ransomware-focused patching one of the most important and proactive steps an organization can take to reduce its risk and potential damage from these critical threats.

To this end, our most recent RiskSense Spotlight Report, “Enterprise Ransomware – Through the Lens of Threat and Vulnerability Management,” puts some of the most prolific enterprise-focused ransomware families under the microscope to understand the vulnerabilities they use most in the wild. This analysis is one of the first of its kind and brings new insight into enterprise ransomware including:

  • Cross-family analysis of multiple types of ransomware including Ryuk, SamSam, Sodinokibi, and more to understand the common vulnerabilities they use and also how they are unique.
  • Real-world focus to highlight the ransomware vulnerabilities that have been trending in the wild as part of active malware campaigns.
  • Prescriptive and actionable insights that show IT and security teams the specific vulnerabilities that are the most important or that can be easy to miss.

Key Findings You Can Put to Use

With our tight focus on enterprise ransomware, we were able to identify a variety of insights that can be useful to most any organization’s patching efforts. The points below provide just some of the highlights that can be found in the full report:

  • Enterprise Ransomware Means Enterprise Targets: 63% of the trending ransomware vulnerabilities targeted key enterprise infrastructure such as servers, application infrastructure, or collaboration tools. This means organizations need to think beyond the traditional Microsoft and Adobe vulnerabilities, and also focus on these high-value assets.
  • Many Vulnerabilities Can Fly Under the Radar: Organizations often focus on patching the most recent CVEs with the highest CVSS scores. However, our data shows how this can be overly simplistic and lead to problems. Over half of the trending vulnerabilities used by ransomware had CVSS v2 scores lower than 8. Likewise, older vulnerabilities are still being used today, with almost a third of vulnerabilities being from 2015 or earlier, and vulnerabilities as old as 2010 continuing to be used in the wild.
  • Beware the Ransomware Repeat Offenders: By analyzing across multiple ransomware families, we identified 15 trending vulnerabilities that are targeted by more than one family of ransomware. These vulnerabilities effectively make up a list of ransomware’s greatest hits and should be a priority for patching.
  • Lessons From WannaCry Haven’t Been Learned: Two years after the WannaCry outbreak, the MS17-010 vulnerabilities continue to be trending with multiple families of enterprise ransomware. These wormable vulnerabilities let attackers spread through the environment, and should be a reminder that patching of internal vulnerabilities needs to be a priority as well.
  • Organizations Need Better RDP and SMB Hygiene: Organizations continue to provide inviting targets for ransomware by exposing RDP and SMB to the internet. In general, these services shouldn’t be publicly exposed and in the rare cases that they are, they should be heavily secured.

Focused Risk-Based Vulnerability Management to Ransomware

For most organizations, there are simply more vulnerabilities than they have the time and resources to patch. This makes it important for organizations to cut through the clutter and pinpoint the vulnerabilities that carry the greatest risk to the enterprise. In this report, we turned the traditional approach on its head and instead focused on the vulnerabilities that have been linked to the top enterprise ransomware families. This produced a highly focused and manageable list of CVEs that are directly tied to ransomware risk.

It also provided a great example of how risk-based vulnerability management, or RBVM, needs to continue to evolve. To put this into perspective, there were 80,642 vulnerabilities published to the National Vulnerability Database (NVD) between 2010 and 2019 (2010 was chosen as a start date because the oldest CVE we observed being used in the wild by ransomware was from 2010).

Ransomware Risk-Based Funnel

As part of our research and platform capabilities, we progressively focus on the vulnerabilities that have been weaponized, then those vulnerabilities that enable remote code execution (RCE) or privilege escalation (PE), and lastly the trending vulnerabilities that have active exploits in the wild. For the 2010 to 2019 time range, 9,092 vulnerabilities were weaponized, 2,175 enabled RCE or PE, and 372 were trending.

Of note, 100% of the vulnerabilities that we identified being used by enterprise ransomware enabled either RCE or PE. The fact that all the ransomware vulnerabilities fell into this category is a great reminder of why it is important to focus on these particular vulnerability traits. Then for the 372 trending vulnerabilities, we further focused on the 49 CVEs that were tied to ransomware in our dataset. This provides a far more manageable set of CVEs that organizations can use to prioritize their patching efforts.
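
The funnel described above, applied to a small constructed inventory and compared with a CVSS-only cutoff. This is an added example, not RiskSense code or report data; the CVE identifiers are placeholders and the field names and the stage predicates are assumptions chosen to mirror the stages named in the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str          # placeholder ID, constructed for this example
    cvss_v2: float
    weaponized: bool  # exploit code is known to exist
    impact: str       # "RCE", "PE", or "other"
    trending: bool    # actively exploited in the wild
    families: int     # ransomware families tied to this CVE

# Constructed sample inventory (not taken from the report).
INVENTORY = [
    Vuln("CVE-EXAMPLE-0001", 6.8, True, "RCE", True, 2),
    Vuln("CVE-EXAMPLE-0002", 9.3, True, "RCE", True, 3),
    Vuln("CVE-EXAMPLE-0003", 10.0, False, "RCE", False, 0),
    Vuln("CVE-EXAMPLE-0004", 7.2, True, "PE", True, 1),
    Vuln("CVE-EXAMPLE-0005", 9.0, True, "PE", False, 0),
    Vuln("CVE-EXAMPLE-0006", 7.5, True, "RCE", True, 0),
    Vuln("CVE-EXAMPLE-0007", 5.0, True, "other", True, 0),
]

# Funnel stages in the order the text gives them.
STAGES = [
    ("weaponized", lambda v: v.weaponized),
    ("rce_or_pe", lambda v: v.impact in ("RCE", "PE")),
    ("trending", lambda v: v.trending),
    ("ransomware", lambda v: v.families > 0),
]

def funnel(vulns):
    """Apply each stage in turn; return per-stage counts and the final list."""
    counts = {"published": len(vulns)}
    current = list(vulns)
    for name, keep in STAGES:
        current = [v for v in current if keep(v)]
        counts[name] = len(current)
    # CVEs used by more than one family come first, then higher CVSS.
    current.sort(key=lambda v: (-v.families, -v.cvss_v2))
    return counts, current

def missed_by_cvss_cutoff(vulns, cutoff=8.0):
    """Ransomware-tied CVEs that a 'patch CVSS >= cutoff' policy would skip."""
    _, final = funnel(vulns)
    return [v.cve for v in final if v.cvss_v2 < cutoff]

if __name__ == "__main__":
    counts, final = funnel(INVENTORY)
    print(counts)
    print("patch first:", [v.cve for v in final])
    print("missed by CVSS >= 8 policy:", missed_by_cvss_cutoff(INVENTORY))
```

In the sample, two of the three ransomware-tied entries score below 8 and would be deferred by a score-only policy, while the highest-scoring entry in the inventory never passes the first stage.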

This is just an overview of the information that you will find in the full Spotlight Report along with detailed lists of CVEs that apply to each finding. We encourage you to review the full report, and look forward to answering any questions about the report or ransomware-based vulnerability management in general.