Enterprise Ransomware Spotlight
Through the Lens of Threat and Vulnerability Management

Executive Summary

Ransomware remains one of the most damaging cyber threats facing organizations today. Unlike other threats, ransomware’s main goal is to maximize the business and operational pain to the victim enterprise, namely by freezing its data and its ability to function. This makes any organization or industry a potential target: attackers don’t need data to be valuable for resale on the black market, it only needs to be valuable to the victim. And whether due to lost data or the costs of downtime and cleanup, the actual damage and loss from a ransomware attack are almost always much higher than the cost of the ransom itself. The stakes for enterprises have been raised even further as insurance claims related to ransomware attacks have recently been denied based on the attribution of an attack.

Defending against such attacks is a top priority for enterprise security teams. This typically includes addressing weaknesses and vulnerabilities that ransomware attacks use, adding detection and response tools, and establishing data backup and recovery plans. However, the only way to truly prevent ransomware damage is to stop the attack before assets are affected and damage is done. Vulnerability management plays a critical role in this area.

Unfortunately, vulnerability management has become one of the most challenging tasks for security and IT teams, who typically have far more vulnerabilities than they could ever hope to patch. To keep pace, teams need to prioritize vulnerabilities based on real-world context such as whether vulnerabilities have been weaponized, their impact to the enterprise, and whether they have active exploits trending in the wild.

This report applies this approach specifically to the problem of ransomware by analyzing the top enterprise ransomware families and the specific vulnerabilities that they target. The goal is to provide actionable insight, trends, and analysis into some of the vulnerabilities and weaknesses most heavily used by ransomware. At a high level, this analysis includes:

• Key traits of vulnerabilities (CVEs) used by enterprise ransomware, highlighting those that could easily be overlooked.

• How vulnerabilities map to specific ransomware families, highlighting those used by multiple families.

• Which vendors and assets are most targeted by enterprise ransomware for their impact.

• Additionally, we highlight the vulnerabilities that are being used in active ransomware campaigns or “trending” in the wild based on RiskSense research. This focus on trending vulnerabilities allows organizations to focus on the CVEs with the greatest real-world impact.

For each key finding in the report, we have included a list of relevant vulnerabilities (CVEs) that security and IT teams can leverage in their patch management practice to proactively minimize exposure. Likewise, we provide best practices and guidance that can help to identify and prioritize vulnerabilities with similar traits as new ransomware emerges. While this report focuses heavily on specific CVEs, it is important to note that ransomware often targets weaknesses such as improperly secured or exposed services, notably SMB and RDP. In addition to analyzing the CVEs tied to these protocols, we have included best practices for reducing their exposure to attack.


RiskSense Spotlight Report • August 2019


Key Findings


Enterprise Ransomware Hunts High-Value Assets

63% (36 out of 57) of the CVEs analyzed were tied to high-value enterprise assets such as servers, application servers, and collaboration tools. 31 of these CVEs were trending in the wild in 2018 or 2019. This notably included versions of Windows Server (5), Oracle JRE and WebLogic Server (5), RedHat’s JBOSS application servers (4), Apache Struts and Tomcat (3), Spring Data (1), Atlassian’s Confluence (1), and Elasticsearch (1). Targeting these and other critical assets allows attackers to maximize business disruption to the victim’s operations and thereby demand higher ransoms. Enterprise ransomware is targeted and focused; it is not as random or opportunistic as small-business or consumer-focused ransomware.

The ‘Eternal’ Exploits Remain Eternal

The MS17-010 vulnerabilities, first popularized by the EternalBlue exploit and the WannaCry ransomware, continue to be popular with multiple families of ransomware today, including Ryuk, SamSam, and Satan. These wormable vulnerabilities allow attackers to spread quickly from host to host throughout the network. The fact that they continue to trend in the wild and are used by even the most recent and costliest families of ransomware is a clear sign that many organizations still have not patched them.

Older Vulnerabilities Causing Big Problems in the Wild

While many organizations focus on new vulnerabilities, our analysis shows that vulnerabilities from as far back as 2010 continue to trend with ransomware in the wild. In total, 31.5% of the analyzed vulnerabilities were from 2015 or earlier (18 out of 57), and 16 of those continue to trend in 2018 or 2019. Ransomware targeting these vulnerabilities included the GandCrab, SamSam, and the recent Sodinokibi families.

100% of the Vulnerabilities Analyzed Enable Remote Code Execution or Privilege Escalation

All of the vulnerabilities in the dataset either enable remote code execution (RCE) or privilege escalation (PE). These traits continue to be highly strategic for attackers and likewise serve as important attributes for security teams when prioritizing their patching efforts. The very strong correlation with ransomware further underlines the importance of tracking these traits as part of a risk-based vulnerability management program.

Low CVSS Scores Can Carry High Risk

52.6% (30 out of 57) of the ransomware vulnerabilities had a CVSS v2 score lower than 8. Of those, 24 were trending in the wild, and they included vendors such as RedHat, Microsoft, Apache, and Oracle. Surprisingly, trending ransomware vulnerabilities scored as low as 2.6. As a result, organizations that use CVSS scores as their exclusive means of prioritizing vulnerabilities for patching will very likely miss important vulnerabilities that are used by ransomware.

Some Vulnerabilities Are Repeat Offenders

Our analysis showed that some vulnerabilities had a broader reach than others. 15 vulnerabilities were targeted by multiple families of enterprise ransomware. Additionally, since technology is often reused in multiple products, vulnerabilities often impact more than one vendor. We identified 17 trending vulnerabilities with active exploits in the wild that affected more than one technology vendor.

The Ransomware Top 10

Bringing together the various perspectives in the report, we identified a list of 10 vulnerabilities that organizations can use as a starting point for their ransomware-focused patching efforts. This list includes:

• 4 vulnerabilities that are both targeted by multiple families of ransomware and also impact multiple vendors.

• 9 vulnerabilities that affect servers.

• 4 that are from 2015 or earlier and 2 that have a CVSS score of 5 or less, which could lead to them being overlooked.


Report Methodology

The information in this report is based on data gathered from a variety of sources, including RiskSense proprietary data, publicly available threat databases, and RiskSense threat researchers and penetration testers. The overarching goal of this report is to provide a manageable list of CVEs and best practices that address the top families of enterprise ransomware. We hope this can serve as a starting point for organizations that want to take a ransomware-based approach to patching within their vulnerability management program to secure their enterprise and reduce their attack surface. Put simply, most organizations are inundated with more vulnerabilities than they can patch, so we wanted to provide a shortlist of vulnerabilities that focuses on the most damaging ransomware threats.

We focused on the top ransomware families that are known to target enterprises and government organizations, as opposed to individuals, and identified a set of 57 vulnerabilities that are heavily tied to ransomware threats in these organizations. Next, we identified the most common vectors and vulnerabilities related to ransomware in order to find trends and insights that can help organizations better protect their networks and assets. We also analyzed the dataset to identify vulnerabilities that were “trending” in either 2018 or 2019. Trending is defined by RiskSense as vulnerabilities that are being actively abused by attackers in the wild. These connections are established by internal RiskSense research, monitoring of hacker forums and Twitter feeds, and analysis of third-party threat intelligence sources.

Additionally, ransomware can often be a secondary payload following a successful exploit and initial malware infection. For example, the RIG exploit kit has been used to deliver a variety of ransomware families. For our analysis, we included relevant vulnerabilities for cases where there is a documented link between a particular exploit kit and a ransomware campaign.

However, we intentionally focused on the top enterprise ransomware families and do not claim that this is an exhaustive list of all vulnerabilities related to ransomware. Furthermore, malware campaigns can evolve and adopt different exploits or exploit kits over time. As a result, organizations are encouraged to treat this report as a point-in-time analysis and then apply an ongoing risk-based approach to ransomware that prioritizes vulnerabilities that have been weaponized and are trending in the wild in malware and exploit kits.



Table of Contents

Executive Summary
Key Findings
Report Methodology
The Enterprise Era of Ransomware
Key Vulnerability Metrics and Risk Factors
  A Risk-Based View of Ransomware Vulnerabilities
  Analysis of CVSS Scores and Severities
  Older Vulnerabilities Are Still Trending
Vulnerabilities by Ransomware Family
  Malware Families with the Most Vulnerabilities
  Vulnerabilities Shared Across Malware Families
Vulnerabilities by Vendor and Product
  Vulnerabilities by Vendor and Product
  Vulnerabilities Affecting Servers and Applications
  Vulnerabilities Impacting Additional Products
Wormable Vulnerabilities in SMB and RDP
  SMB and the ‘Eternal’ Exploits (MS17-010)
  RDP and BlueKeep (CVE-2019-0708)
  Reducing the SMB and RDP Attack Surface
The Ransomware Top 10
Summary

The Enterprise Era of Ransomware

This section briefly covers the recent evolution of ransomware, and specifically how it has evolved to target enterprises and the impact of those attacks.

While ransomware has been around for several years, it shot to the forefront of security concerns in 2017 with the release of WannaCry, which quickly affected more than 200,000 victims. WannaCry made use of the EternalBlue exploit related to MS17-010 (CVE-2017-0144). As we will see later in the report, this and the related MS17-010 vulnerabilities continue to play a major role in ransomware attacks today. While WannaCry only netted around $100,000 for the attackers, it was estimated to cause $1 Billion in damages.

While the overall volume of attacks began to drop in 2018, the impact on enterprises has continued to rise. Unlike the opportunistic approach of consumer ransomware, enterprise ransomware has shifted to far more targeted, higher impact malicious attacks that drive higher ransom demands. While ransomware costs in 2017 were estimated at $5 Billion total, the estimates have risen to $11.5 Billion in 2019 even as the overall volume of ransomware attacks has declined. In fact, virtually all of the metrics related to ransomware impact appear to be on the rise according to recent 2019 data from Coveware. The average ransom demands nearly doubled with the rise of more targeted ransomware such as Ryuk, SamSam, and Sodinokibi.

Likewise, between Q4 2018 and Q1 2019, the average downtime from a ransomware attack increased from 6.2 to 7.5 days as ransomware evolved to target backups and encrypt application configuration files.

The ability to drive higher ransoms while also causing greater disruption is a direct indicator of the pain these attacks can cause organizations through downtime, lost employee productivity, lost sales, and incident response and recovery costs. As an example, the City of Atlanta was hit by SamSam in 2018, and the final costs are estimated to be in the range of $17 million. Likewise, in May 2019 the City of Baltimore suffered a RobbinHood ransomware attack, which is estimated to cost $13 million. Worse still, in some cases insurance companies are refusing to pay claims related to ransomware attacks based on attack attribution.

These factors pose a staggering amount of financial and operational risk for any organization. While individual attacks vary and malware will continue to evolve, ransomware attacks are predicated on causing significant organizational damage and disruption. Enterprise-focused ransomware continues to evolve, and this alone ensures that ransomware will remain a top concern for the foreseeable future.

[Figure: Global Ransomware Damage Costs, $5 Billion in 2017 to $11.5 Billion in 2019, a 130% increase]


Key Vulnerability Metrics and Risk Factors


In this section, we analyze 57 vulnerabilities across a variety of risk metrics in order to highlight areas where important ransomware vulnerabilities could easily fly under the radar, while also providing a model for prioritizing vulnerabilities going forward.

A Risk-Based View of Ransomware Vulnerabilities

In order to intelligently prioritize vulnerabilities, we need real-world, threat-based information as well as data about the vulnerability itself. For example, the vast majority of vulnerabilities are never weaponized, meaning that no exploit exists to take advantage of them. Many of those that are weaponized are never used in actual attacks or malware campaigns. In practice, three high-level metrics are very powerful for homing in on the most important vulnerabilities. These are:

• Weaponized Vulnerabilities – Vulnerabilities which have associated exploit code capable of taking advantage of the vulnerability.

• Strategic Vulnerabilities – Vulnerabilities that allow remote code execution (RCE) or privilege escalation (PE) are highly valuable to attackers and significantly increase the risk of damage to a victim organization.

• Trending Vulnerabilities – Vulnerabilities that are actively being used in the wild in attacks and malware, based on RiskSense research and correlation with third-party sources. In this report, we further refined the list by homing in on the trending vulnerabilities that are used by enterprise ransomware.

The vulnerabilities analyzed in this report range from 2010 to 2019. If we look at all the CVEs released in this time range, we can demonstrate how using the above metrics provides a straightforward, yet powerful model to prioritize vulnerabilities.

These metrics prove to be particularly valuable when prioritizing vulnerabilities to minimize ransomware. Of course, by definition all vulnerabilities used by ransomware have been weaponized. However, it is worth noting that all vulnerabilities in the data set either enabled remote code execution or privilege escalation, and 49 of the 57 were trending in the wild in 2018 or 2019. This underscores the importance of tracking RCE/PE-capable vulnerabilities. Additionally, we will highlight trending CVEs throughout the report to focus on the vulnerabilities that pose the most immediate, real-world danger.

[Figure: CVEs from 2010 to 2019, narrowed by the three metrics. Total CVE count: 80,642. Weaponized: 9,092. RCE/PE: 2,175. Trending (the “CVEs that matter”): 372. Trending and used by enterprise ransomware (the report’s “start here” set): 49.]

[Figure: Key Metrics for Ransomware Vulnerabilities. Weaponized: 57/57. RCE/PE: 57/57. Trending: 49/57, with 8 non-trending.]


[Figure: CVE count per CVSS score range (0-1 through 9-10), trending vs. non-trending, shown separately for CVSS v2 and CVSS v3]

Analysis of CVSS Scores and Severities

Our analysis shows that while CVSS scores can provide a good start, organizations can easily miss ransomware-related CVEs by relying solely on these scores. We analyzed the dataset both by CVSS v2 and CVSS v3 scores. Since CVSS v3 wasn’t introduced until late 2015, only 40 of the 57 vulnerabilities have CVSS v3 scores.

First, analyzing by CVSS severity, we see that not all trending vulnerabilities are in the “High” or “Critical” categories. For CVSS v2, 8 trending vulnerabilities had a severity rating lower than High, while for CVSS v3, 22 trending vulnerabilities were rated lower than Critical.

[Figure: CVSS v2 severity categories (Low, Medium, High) and CVSS v3 severity categories (Low, Medium, High, Critical), trending vs. non-trending. Of the 49 trending CVEs, 41 are rated High under CVSS v2; of the 34 trending CVEs that have a v3 score, 12 are rated Critical.]

This same issue persists if we break out the dataset by specific CVSS scores. The important point is that patching only vulnerabilities above a particular CVSS score can leave an organization needlessly exposed to ransomware.

For CVSS v2, 52.6% (30/57) of the vulnerabilities had a score below 8. This held true for trending vulnerabilities as well, with 49.0% (24/49) of the trending CVEs scoring below 8. These included CVEs used by a variety of ransomware families, including SamSam, GandCrab, and Ryuk.

Vulnerabilities with a CVSS v3 score fared somewhat better but remained far from ideal. 37.5% (15/40) of the vulnerabilities scored 8 or below, while 38.2% (13/34) of the trending vulnerabilities scored below 8.

This analysis underscores that organizations should supplement CVSS scores with additional threat-focused metrics such as RCE/PE capability and trending status. We have included the table below to highlight trending CVEs with CVSS v2 or v3 scores below 8, as they could easily be overlooked on score alone. We have chosen a score of 8 as an arbitrary cutoff for this list, but organizations are encouraged to always analyze vulnerabilities in a full threat-based context.

[Figure: share of CVEs scoring below 8. CVSS v2: 52.6% of all 57 CVEs and 49% of trending CVEs. CVSS v3: 37.5% of the 40 scored CVEs and 38.2% of trending CVEs.]
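As an added illustration (example code written for this edit, not part of the RiskSense report), the following Python script applies the three metrics of the risk-based model above (weaponized, RCE/PE, trending), plus the multi-family weighting introduced in the Key Findings, to a small inventory and compares the result with a pure CVSS cutoff of 8. The records are constructed from rows in the report’s tables; the weaponized/trending flags on CVE-2019-0708 and the EXAMPLE-UNWEAPONIZED placeholder record are assumptions made for illustration, and the risk_tier ordering is this example’s own, not RiskSense’s scoring. It also handles the caveat the text raises: 17 of the 57 CVEs have no CVSS v3 score at all, so a v3-only policy cannot evaluate them.

```python
"""Risk-based prioritisation of ransomware CVEs versus a CVSS-only cutoff.
Added example, not code from the RiskSense report. Records are constructed from
rows in the report's tables; fields marked 'assumed' are not stated there."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Vuln:
    cve: str
    cvss_v2: float
    cvss_v3: Optional[float]  # None: no v3 score (CVSS v3 only exists from late 2015)
    weaponized: bool          # exploit code exists
    rce_pe: bool              # enables remote code execution or privilege escalation
    trending: bool            # actively abused in the wild (RiskSense's definition)
    families: int             # ransomware families known to use it (0 if none)


INVENTORY: List[Vuln] = [
    # MS17-010 (SMB): multi-family and trending; CVE-2017-0147 scores low on CVSS
    Vuln("CVE-2017-0143", 9.3, 8.1, True, True, True, 4),
    Vuln("CVE-2017-0144", 9.3, 8.1, True, True, True, 2),
    Vuln("CVE-2017-0147", 4.3, 5.9, True, True, True, 4),
    # Trending CVEs from the low-score table (families = 1 where the CVE is not
    # in the report's multi-family table)
    Vuln("CVE-2016-3298", 2.6, 5.3, True, True, True, 1),
    Vuln("CVE-2010-0738", 5.0, None, True, True, True, 2),   # JBOSS, no v3 score
    Vuln("CVE-2017-10271", 5.0, 7.5, True, True, True, 2),   # WebLogic
    Vuln("CVE-2018-8453", 7.2, 7.8, True, True, True, 1),    # Windows PE
    Vuln("CVE-2019-2725", 7.5, 9.8, True, True, True, 2),    # WebLogic
    Vuln("CVE-2019-3396", 10.0, 9.8, True, True, True, 3),   # Confluence
    # BlueKeep: top CVSS score, but not trending with ransomware in the report's
    # window (weaponized/trending flags assumed for illustration)
    Vuln("CVE-2019-0708", 10.0, 9.8, True, True, False, 0),
    # Placeholder record, not a real CVE: high score, no exploit, never seen in the wild
    Vuln("EXAMPLE-UNWEAPONIZED", 9.0, 9.0, False, True, False, 0),
]


def risk_tier(v: Vuln) -> int:
    """Collapse the report's metrics into an urgency tier (0 = patch first):
    0 trending + RCE/PE + used by several families; 1 trending + RCE/PE;
    2 weaponized + RCE/PE but not seen in the wild; 3 weaponized, no RCE/PE;
    4 no exploit code exists."""
    weaponized = v.weaponized or v.trending  # in-the-wild use proves an exploit exists
    if not weaponized:
        return 4
    if not v.rce_pe:
        return 3
    if not v.trending:
        return 2
    return 0 if v.families > 1 else 1


def prioritize(inv: List[Vuln]) -> List[Vuln]:
    """Order by tier, then breadth across families; CVSS v2 is only a tie-break."""
    return sorted(inv, key=lambda v: (risk_tier(v), -v.families, -v.cvss_v2))


def score(v: Vuln, version: str, fallback_to_v2: bool) -> Optional[float]:
    """Score under the chosen CVSS version; None if the record cannot be scored."""
    if version == "v2":
        return v.cvss_v2
    if version != "v3":
        raise ValueError(f"unknown CVSS version {version!r}")
    if v.cvss_v3 is None and fallback_to_v2:
        return v.cvss_v2
    return v.cvss_v3


def cvss_only(inv: List[Vuln], cutoff: float = 8.0, version: str = "v2",
              fallback_to_v2: bool = True) -> List[str]:
    """CVEs a 'patch everything scoring >= cutoff' policy selects."""
    scored = ((v.cve, score(v, version, fallback_to_v2)) for v in inv)
    return [cve for cve, s in scored if s is not None and s >= cutoff]


def unscored(inv: List[Vuln], version: str = "v3") -> List[str]:
    """CVEs a policy built on this CVSS version cannot evaluate at all."""
    return [v.cve for v in inv if score(v, version, fallback_to_v2=False) is None]


def missed_by_cvss(inv: List[Vuln], cutoff: float = 8.0, version: str = "v2",
                   fallback_to_v2: bool = True) -> List[str]:
    """Trending RCE/PE CVEs (tier 0 or 1) the cutoff leaves unpatched, most urgent first."""
    selected = set(cvss_only(inv, cutoff, version, fallback_to_v2))
    return [v.cve for v in prioritize(inv) if risk_tier(v) <= 1 and v.cve not in selected]


def selected_without_exploit(inv: List[Vuln], cutoff: float = 8.0) -> List[str]:
    """The opposite error: CVEs the cutoff queues for patching although no exploit exists."""
    selected = set(cvss_only(inv, cutoff))
    return [v.cve for v in inv if v.cve in selected and risk_tier(v) == 4]


if __name__ == "__main__":
    for v in prioritize(INVENTORY):
        print(f"tier {risk_tier(v)}  {v.cve:<22} v2={v.cvss_v2:<4} families={v.families}")
    print("missed by CVSS v2 >= 8:", missed_by_cvss(INVENTORY))
    print("missed by CVSS v3 >= 8:", missed_by_cvss(INVENTORY, version="v3"))
    print("no CVSS v3 score:", unscored(INVENTORY))
    print("selected without exploit:", selected_without_exploit(INVENTORY))
```

Run as a script, the CVSS v2 cutoff of 8 drops six of the nine trending records, with the four-family CVE-2017-0147 (v2 4.3) at the top of the missed list, while queuing the unexploited placeholder record for patching; the v3 cutoff drops five, and CVE-2010-0738 is only evaluated at all because of the fallback to its v2 score.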


Trending CVEs with Low Scores

CVE              CVSS v2   CVSS v3   Product
CVE-2010-0738    5.0       n/a       JBOSS Application Server
CVE-2010-1428    5.0       n/a       JBOSS Enterprise Application Platform
CVE-2012-0874    6.8       n/a       JBOSS Enterprise Web Platform
CVE-2015-1427    7.5       n/a       Elasticsearch
CVE-2015-1701    7.2       n/a       Microsoft Windows
CVE-2016-0189    7.6       7.5       Microsoft Jscript
CVE-2016-3088    7.5       9.8       Apache ActiveMQ
CVE-2016-3298    2.6       5.3       Microsoft Windows
CVE-2016-7200    7.6       7.5       Microsoft Edge
CVE-2016-7201    7.6       7.5       Microsoft Edge
CVE-2017-0147    4.3       5.9       Microsoft SMB
CVE-2017-10271   5.0       7.5       Oracle WebLogic Server
CVE-2017-12149   7.5       9.8       JBOSS Application Server
CVE-2017-12615   6.8       8.1       Apache Tomcat
CVE-2017-8046    7.5       9.8       Spring Data REST
CVE-2018-1273    7.5       9.8       Spring Data Commons
CVE-2018-20250   6.8       7.8       Rarlab WinRAR
CVE-2018-2894    7.5       9.8       Oracle WebLogic Server
CVE-2018-4878    7.5       9.8       RedHat Enterprise Linux (Adobe Flash Player)
CVE-2018-8120    7.2       7.0       Microsoft Windows
CVE-2018-8174    7.6       7.5       Microsoft Windows
CVE-2018-8440    7.2       7.8       Microsoft Windows
CVE-2018-8453    7.2       7.8       Microsoft Windows
CVE-2019-2725    7.5       9.8       Oracle WebLogic Server

(n/a: no CVSS v3 score has been assigned to these older CVEs.)

Older Vulnerabilities Are Still Trending

Our analysis shows that older vulnerabilities from as far back as 2010 continue to be actively used in ransomware campaigns today. Overall, 18 of the 57 vulnerabilities analyzed were from 2015 or earlier. Of those 18 vulnerabilities, 16 were still trending in 2018 or 2019. While organizations are often in a rush to patch the latest vulnerabilities, this should serve as a reminder that older weaponized and trending vulnerabilities can actually pose the greatest risk.


Ransomware Vulnerabilities by Year

Year    Trending   Non-Trending
2007    0          1
2008    0          0
2009    0          0
2010    2          0
2011    0          0
2012    3          1
2013    3          0
2014    1          0
2015    7          0
2016    8          2
2017    13         3
2018    10         0
2019    2          1
Total   49         8

We have included the following list of CVEs to help prioritize older CVEs trending in the wild during 2018 or 2019.

CVE              Vendor      Product
CVE-2010-1428    Red Hat     JBOSS Enterprise Application Platform
CVE-2012-0507    Oracle      Oracle JRE
CVE-2012-0874    Red Hat     JBOSS Enterprise Web Platform
CVE-2012-1723    Oracle      Oracle JRE
CVE-2013-0074    Microsoft   Microsoft Silverlight
CVE-2013-2551    Microsoft   Microsoft IE
CVE-2013-4810    HP          HP Procurve Manager
CVE-2014-6332    Microsoft   Microsoft Windows
CVE-2015-1427    Elastic     Elasticsearch
CVE-2015-1641    Microsoft   Microsoft Office
CVE-2015-1701    Microsoft   Microsoft Windows
CVE-2015-2419    Microsoft   Microsoft IE
CVE-2015-5122    Adobe       Adobe Flash Player
CVE-2015-7645    Adobe       Adobe Flash Player
CVE-2015-8651    Adobe       Adobe Flash Player

Summary and Recommendations

Relevant CVEs:

• List of older vulnerabilities trending in the wild

• List of vulnerabilities with lower CVSS scores trending in the wild

Recommendation: apply a risk-based approach to prioritizing vulnerabilities that includes weaponization, RCE/PE capability, and trending intelligence.


Vulnerabilities by Ransomware Family

Next, we analyzed the dataset based on the families of ransomware that target each vulnerability. This gives additional insight into how the respective malware families use vulnerabilities throughout the course of a ransomware attack. For example, even if an attack begins via a phishing email, the attacker may use vulnerabilities to spread laterally within a victim organization or to target high-value servers. From this view we were also able to identify priority vulnerabilities that are used by multiple families of ransomware.

Malware Families with the Most Vulnerabilities

Some of the most popular and well-established malware families also leverage the largest overall number of vulnerabilities. Cerber was found to be the most flexible, using a total of 17 vulnerabilities, 16 of which are trending. GandCrab was next with 11 vulnerabilities, 9 trending. SamSam and Satan tied with 9 vulnerabilities each, all of which were trending. Princess Locker, which runs as a Ransomware-as-a-Service campaign and is tightly associated with the RIG exploit kit, had 7 vulnerabilities.

Close behind were two of the newer and more dangerous entrants to the ransomware field, Ryuk and Sodinokibi. These two families have been growing in popularity in 2019 and are notable for targeting enterprises and demanding unusually high ransoms (Coveware).

[Figure: Vulnerabilities by Malware Family, trending vs. non-trending counts for BadRabbit, Cerber, GandCrab, Gimemo, JNEC, Katyusha, Lockergoga, Locky, Megacortex, Petya, Princess Locker, Ryuk, SamSam, Satan, Sodinokibi, Troldesh, and Xbash. Cerber 17 (16 trending), GandCrab 11 (9 trending), SamSam 9, Satan 9, Princess Locker 7, BadRabbit 4.]


Vulnerabilities Shared Across Ransomware Families

Next, we looked to see which vulnerabilities were used by multiple families. Knowing that a particular vulnerability is not only trending in the wild but is also a common target across multiple ransomware families can further help organizations prioritize their patching efforts. The table below shows the vulnerabilities associated with multiple families along with the vulnerable component and CVSS v2 score.

This confluence of ransomware families also highlights a series of SMB vulnerabilities ranging from CVE-2017-0143 to CVE-2017-0147. These are the MS17-010 vulnerabilities that were originally made infamous by the WannaCry ransomware. They continue to be very popular today and are heavily used by multiple families, including the recent Ryuk malware, to move laterally and infect additional hosts in the network. Additionally, the list includes examples of older vulnerabilities as well as some with low CVSS scores.

CVE              Families                                        Vulnerable Element          CVSS v2
CVE-2010-0738    SamSam, Satan                                   JBOSS Application Server    5.0
CVE-2012-0507    GandCrab, Sodinokibi, Princess Locker, Cerber   Sun/Oracle JRE              10.0
CVE-2012-1723    Cerber, Locky                                   Sun/Oracle JRE              10.0
CVE-2013-0074    GandCrab, Sodinokibi, Princess Locker, Cerber   Microsoft Silverlight       9.3
CVE-2015-8651    Cerber, Princess Locker                         Adobe Flash Player          9.3
CVE-2016-0189    Cerber, Princess Locker                         Microsoft Jscript           7.6
CVE-2016-1019    Locky, Cerber                                   Adobe Flash Player          10.0
CVE-2017-0143    BadRabbit, Katyusha, Ryuk, SamSam               SMB                         9.3
CVE-2017-0144    Satan, Ryuk                                     SMB                         9.3
CVE-2017-0145    BadRabbit, Katyusha, Ryuk, SamSam               SMB                         9.3
CVE-2017-0146    BadRabbit, Katyusha, Ryuk, SamSam               SMB                         9.3
CVE-2017-0147    BadRabbit, Katyusha, Ryuk, SamSam               SMB                         4.3
CVE-2017-10271   Satan, GandCrab                                 Oracle WebLogic Server      5.0
CVE-2019-2725    Cerber, Sodinokibi                              Oracle Fusion Middleware    7.5
CVE-2019-3396    GandCrab, Lockergoga, Megacortex                Atlassian Confluence        10.0

Summary and Recommendations

Relevant CVEs: the list of trending vulnerabilities used by multiple families of ransomware (table above).

Recommendation: prioritize patching of vulnerabilities that are used by multiple families of ransomware.


Vulnerabilities by Vendor and Product

Next, we take an asset-centric view of ransomware by looking at the systems, applications, and resources that are being targeted. While Microsoft and Adobe vulnerabilities have long been favorite targets for exploits and malware, our data shows a variety of vendors and products being targeted. Many of the trending vulnerabilities targeted components within high-value systems including critical components within servers.

Vulnerabilities by Vendor and ProductThe 57 vulnerabilities in the report are spread across 12 vendors, which likewise were tied to 33 different products. Microsoft had by far the most vulnerabilities with 27, followed by RedHat (6), Adobe (5), Oracle (5), and Apache (4).

It is important to note that ransomware is targeting the application layer in addition to traditional infrastructure. This means that organizations will need to include Application Security and Open Source Security as part of their vulnerability management strategy. We have summarized some of the key findings for top vendors as follows:

Microsoft – At the application level, Microsoft vulnerabilities were spread across Windows, Edge and Explorer, and Microsoft Office. However, the often-overlooked SMB vulnerabilities are also attributed to Microsoft and were targeted by a variety of families. Likewise, Microsoft Silverlight was targeted by several families including GandCrab, Princess Locker, Cerber, and the recently surging Sodinokibi ransomware. Of the 8 Windows vulnerabilities, 6 were relevant to versions of Windows Server.

RedHat – The RedHat vulnerabilities were primarily tied to the JBOSS application server and its components. Particularly targeted by SamSam and Satan ransomware, these vulnerabilities are important for multiple reasons –

the systems are high-value targets that can warrant steep ransoms, and they are externally facing and exploitable, making them ideal initial infection vectors that can be used to spread ransomware more broadly.

Adobe – The Adobe vulnerabilities were all tied to the Adobe Flash Player. These vulnerabilities were strongly tied to Cerber except for the most recent vulnerability (CVE-2018-15982), which was used by Gandcrab.

Oracle – Oracle had 5 vulnerabilities but all were significant. Two were tied to the Oracle JRE, which can affect a wide variety of other products. These were targeted by a variety of ransomware including GandCrab, Sodinokibi, Princess Locker, Cerber, and Locky. Oracle WebLogic Server was another major target with multiple vulnerabilities targeted by Satan, Gandcrab, Cerber, and Sodinokibi.

Apache – Apache vulnerabilities were tied to Apache Struts, Tomcat, and Apache Active MQ. Much like the JBOSS vulnerabilities, the Apache vulnerabilities provide ideal initial infection vectors and also naturally provide attackers with access to extremely high value servers. These assets were targeted by Gandcrab, Cerber, Satan, and Xbash ransomware.

Pivotal – Pivotal Software’s three vulnerabilities were all tied to the Spring Data Framework. These vulnerabilities were primarily targeted by Satan ransomware. Like many of the examples above, these vulnerabilities allow an attacker to focus on high-value applications and servers within an organization.

Atlassian – While Atlassian only had one trending vulnerability against Confluence, it was targeted by several families including Gandcrab, Lockergoga, and Megacortex. Also, Confluence deployments typically represent a highly valuable enterprise data store which would be particularly painful to an organization if it became unavailable.

Vulnerabilities by vendor (57 vulnerabilities in total)

Vendor             Vulns
Adobe              5
Apache             4
Atlassian          2
ConnectWise        1
Elastic            1
HP                 2
Microsoft          27
Oracle             5
Pivotal Software   2
Rarlab             1
RedHat             6
Samba              1
Total              57

RiskSense Spotlight Report • August 2019


Vulnerabilities by Vendor and Product (Continued)


Vulnerabilities by vendor and product (57 vulnerabilities in total; a CVE that affects several products of one vendor is counted once per product, so the product rows sum to more than 57)

Vendor (vulns)        Product                                Vulns
Adobe (6)             Adobe Flash_Player                     6
Apache (4)            Apache ActiveMQ                        1
                      Apache Struts                          2
                      Apache Tomcat                          1
Atlassian (2)         Atlassian Confluence                   2
ConnectWise (1)       Connectwise ManagedITSync              1
Elastic (1)           Elasticsearch                          1
HP (4)                HP Application_Lifecycle_Management    1
                      HP Identity_Driven_Manager             1
                      HP integrated_lights-out_firmware      1
                      HP Procurve_Manager                    1
Microsoft (27)        Microsoft Edge                         3
                      Microsoft Explorer                     3
                      Microsoft Jscript                      1
                      Microsoft Office                       3
                      Microsoft Office                       1
                      Microsoft Silverlight                  2
                      Microsoft Windows                      8
                      SMB                                    6
Oracle (5)            Oracle Fusion_Middleware               1
                      Oracle WebLogic_Server                 2
                      Sun/Oracle JRE                         2
Pivotal Software (3)  Spring_Boot                            1
                      Spring_Data_Commons                    1
                      Spring_Data_REST                       1
Rarlab (1)            Rarlab WinRAR                          1
RedHat (9)            JBOSS_Application_Server               3
                      JBOSS_brms_platform                    1
                      JBOSS_Enterprise_Application_Platform  2
                      JBOSS_Enterprise_Web_Platform          1
                      JBOSS_SOA_Platform                     1
                      RedHat Enterprise_Linux                1
Samba (1)             Samba                                  1

Vulnerabilities by Vendor and Product (Continued)

Vulnerabilities Affecting Servers and Applications

In total, 36 of the 57 vulnerabilities (63%) used by ransomware directly target servers or other critical enterprise assets. 31 of these vulnerabilities were trending in 2018 or 2019. This focus on high-value assets makes sense: attackers who intend to charge high ransoms will want to target high-value assets.

However, this should serve as a particularly stark reminder for security teams and patch management. These high-value assets can be among the most challenging to patch because of the need to manage change windows, and they are often not supported by automatic updates. Yet these are the same assets that, if compromised, cause the most disruption to the enterprise, and as a result they are being actively targeted by ransomware. The table below consolidates the list of vulnerabilities that would most commonly affect servers and applications.

Note that we only included vulnerabilities that were directly tied to servers and applications, and where the attacking behavior applied to typical server use cases. For example, we did not include Flash vulnerabilities or other vulnerabilities that require the victim to visit or interact with a malicious page through a browser. While a server could contain this vulnerability, it does not apply to a common server use case.

Vulnerability ID   Source Product
CVE-2010-0738      JBOSS_Application_Server
CVE-2010-1428      JBOSS_Enterprise_Application_Platform
CVE-2012-0507      Sun/Oracle JRE
CVE-2012-0874      JBOSS_Enterprise_Web_Platform
CVE-2012-0874      JBOSS_Enterprise_Application_Platform
CVE-2012-0874      JBOSS_brms_platform
CVE-2012-0874      JBOSS_SOA_Platform
CVE-2012-1723      Sun/Oracle JRE
CVE-2013-4810      HP Procurve_Manager
CVE-2013-4810      HP Identity_Driven_Manager
CVE-2013-4810      HP Application_Lifecycle_Management
CVE-2014-6332      Windows Server
CVE-2015-1427      Elasticsearch
CVE-2015-1701      Windows Server
CVE-2016-0189      Microsoft Jscript
CVE-2016-3088      Apache ActiveMQ
CVE-2017-0143      Microsoft SMB
CVE-2017-0144      Microsoft SMB
CVE-2017-0145      Microsoft SMB
CVE-2017-0146      Microsoft SMB
CVE-2017-0147      Microsoft SMB
CVE-2017-0148      Microsoft SMB
CVE-2017-10271     Oracle WebLogic_Server
CVE-2017-12149     JBOSS_Application_Server
CVE-2017-12615     Apache Tomcat
CVE-2017-5638      Apache Struts
CVE-2017-8046      Spring_Data_REST
CVE-2017-8046      Spring_Boot
CVE-2018-11776     Apache Struts
CVE-2018-1273      Spring_Data_Commons
CVE-2018-2894      Oracle Weblogic_Server
CVE-2018-4878      RedHat Enterprise_Linux
CVE-2018-8120      Windows Server
CVE-2018-8440      Windows Server
CVE-2018-8453      Windows Server
CVE-2019-2725      Oracle Fusion_Middleware
CVE-2019-3396      Atlassian Confluence

Vulnerabilities by Vendor and Product (Continued)

Vulnerabilities Impacting Additional Products

Our analysis found 19 CVEs overall and 17 trending CVEs that had a downstream impact on other technology vendors. It is important to remember that vulnerabilities can impact other vendors and products that reuse or include the vulnerable component. For example, the Oracle JRE is used in a variety of other products, which would likewise need to be patched. This can give certain vulnerabilities an unexpected breadth within an organization that can be easy to miss.

To get a better view of this issue, we further analyzed Common Platform Enumeration (CPE) data to identify vulnerabilities that affect additional vendors. A vulnerability in Samba affected the most vendors; however, that particular CVE is not currently trending in the wild. The Oracle JRE vulnerabilities, by contrast, impacted 12 additional vendors and a wide variety of individual products. Likewise, Apache Tomcat and the various RedHat vulnerabilities had a notably large reach. The remote exploitability of these vulnerabilities and their ability to directly target servers and applications should make them priorities for patching. The table below summarizes the CVEs that had a downstream impact on other vendors.
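As an added illustration of the CPE-based analysis described above (this is not RiskSense's tooling or data), the script below parses CPE 2.3 names from a constructed catalog and ranks each CVE by the products and additional vendors it reaches beyond its source vendor; the CVE ids, CPE entries and vendor names are placeholders.

```python
"""Rank CVEs by the vendors and products their CPE applicability data reaches.
Added illustration, not RiskSense's tooling; CVE ids and CPE entries below are
constructed placeholders in CPE 2.3 formatted-string syntax."""


def split_cpe23(cpe: str) -> list:
    """Split on unescaped colons: CPE 2.3 values may contain an escaped '\\:',
    which a plain str.split(':') would break into two components."""
    parts, current, i = [], [], 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):   # keep the escape pair intact
            current.append(cpe[i:i + 2])
            i += 2
            continue
        if cpe[i] == ":":
            parts.append("".join(current))
            current = []
        else:
            current.append(cpe[i])
        i += 1
    parts.append("".join(current))
    return parts


def parse_cpe23(cpe: str) -> dict:
    """Return the part, vendor, product and version of a CPE 2.3 name."""
    comps = split_cpe23(cpe)
    if len(comps) != 13 or comps[0] != "cpe" or comps[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    return {"part": comps[2], "vendor": comps[3],
            "product": comps[4], "version": comps[5]}


def downstream_reach(cpes, source_vendor: str) -> dict:
    """Distinct vendors and (vendor, product) pairs named by a CVE's CPE list;
    'additional_vendors' drops the owner of the flawed component, which is the
    downstream impact the report counts."""
    vendors, products = set(), set()
    for cpe in cpes:
        c = parse_cpe23(cpe)
        vendors.add(c["vendor"])
        products.add((c["vendor"], c["product"]))
    return {"vendors": sorted(vendors),
            "additional_vendors": sorted(vendors - {source_vendor.lower()}),
            "products": sorted(products)}


def rank_downstream(catalog: dict) -> list:
    """One row per CVE, ordered like the report's table: most products first."""
    rows = []
    for cve, rec in catalog.items():
        reach = downstream_reach(rec["cpes"], rec["source_vendor"])
        rows.append({"cve": cve, "source_vendor": rec["source_vendor"],
                     "trending": rec["trending"],
                     "products": len(reach["products"]),
                     "additional_vendors": reach["additional_vendors"]})
    rows.sort(key=lambda r: (-r["products"], r["cve"]))
    return rows


# Constructed sample catalog: placeholder CVE ids, hypothetical CPE entries.
SAMPLE_CATALOG = {
    "CVE-0000-0001": {    # a JRE-style flaw that OS vendors re-ship
        "source_vendor": "oracle", "trending": True, "cpes": [
            "cpe:2.3:a:oracle:jre:1.7.0:update2:*:*:*:*:*:*",
            "cpe:2.3:a:oracle:jdk:1.7.0:update2:*:*:*:*:*:*",
            "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*",
            "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:suse:linux_enterprise_server:11:sp2:*:*:*:*:*:*"]},
    "CVE-0000-0002": {    # an app-server flaw bundled by two distributions
        "source_vendor": "apache", "trending": False, "cpes": [
            "cpe:2.3:a:apache:tomcat:7.0.79:*:*:*:*:*:*:*",
            "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
            "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*"]},
    "CVE-0000-0003": {    # a single-vendor flaw with no downstream reach
        "source_vendor": "microsoft", "trending": True, "cpes": [
            "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*",
            "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*"]},
}


if __name__ == "__main__":
    print(f"{'CVE':<14} {'Source':<10} {'Trending':<9} {'Products':>8}  Additional vendors")
    for r in rank_downstream(SAMPLE_CATALOG):
        print(f"{r['cve']:<14} {r['source_vendor']:<10} {str(r['trending']):<9} "
              f"{r['products']:>8}  {', '.join(r['additional_vendors']) or '-'}")
```

Feeding the same functions the CPE lists from a real NVD entry reproduces the report's "products impacted" count for that CVE.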

[Figure: CVEs with a downstream impact on other vendors, grouped by source vendor (Adobe, Apache, Elastic, HP, Oracle, RedHat, Samba); bar length is the number of products impacted, shaded by trending versus non-trending.]

Vendors impacted per CVE, as listed in the figure:

CVE-2016-2118 (Samba), 15 products impacted: Amazon, Canonical, Centos, Debian, F5, Fedoraproject, Fermilab, Freebsd, Gentoo, Huawei, Novell, Oracle, RedHat, Samba, Slackware

CVE-2012-1723 (Sun/Oracle JRE), 13 products impacted: Sun, Amazon, Apple, Canonical, Centos, Debian, Fermilab, Gentoo, Mandriva, Novell, Oracle, RedHat, Vmware

CVE-2012-0507 (Sun/Oracle JRE), 12 products impacted: Sun, Apple, Canonical, Centos, Debian, Gentoo, Novell, Oracle, RedHat, Suse, Ubuntu, Vmware

CVE-2017-12615 (Apache Tomcat), 9 products impacted: Apache, Centos, Fedoraproject, Fermilab, Freebsd, Huawei, Oracle, Redhat, Virtuozzo

CVE-2015-7645, CVE-2015-8651, CVE-2016-1019, CVE-2016-4117 (Adobe Flash_Player), 6 products impacted each: Adobe, Freebsd, Gentoo, Google, Novell, RedHat

CVE-2015-5122 (Adobe Flash_Player), 5 products impacted: Adobe, Gentoo, Google, Novell, RedHat

CVE-2018-4878 (Adobe Flash_Player), 5 products impacted: Adobe, Freebsd, Gentoo, Google, RedHat

CVE-2007-1036 (JBOSS_Application_Server), 5 products impacted: Cisco, Hp, Jboss, Redhat, Symantec

CVE-2012-0874 (JBOSS_Enterprise_Web_Platform), 4 products impacted: Hp, Jboss, Redhat, Symantec

CVE-2013-4810 (HP Procurve_Manager), 4 products impacted: Hp, Jboss, Redhat, Symantec

CVE-2010-0738 (JBOSS_Application_Server), 3 products impacted: HP, Juniper, RedHat

CVE-2018-15982 (Adobe Flash_Player), 3 products impacted: Adobe, Freebsd, RedHat

CVE-2010-1428 (JBOSS_Enterprise_Application_Platform), 2 products impacted: Juniper, RedHat

CVE-2015-1427 (Elasticsearch), 2 products impacted: Elasticsearch, Freebsd

CVE-2018-11776 and CVE-2017-5638 (Apache Struts), 2 products impacted each: Apache, Cisco and Apache, Oracle (the figure does not make clear which pair belongs to which CVE)

RiskSense Spotlight Report • August 2019


Vulnerabilities by Vendor and Product (Continued)

Summary and Recommendations

Relevant CVEs
• List of trending vulnerabilities targeting servers and applications
• Vulnerabilities affecting additional vendors

Recommendations
• Prioritize vulnerabilities that can target servers and applications
• Be aware of vulnerabilities that can impact additional vendors and products

Vulnerability ID   Vendor    Product                                Trending   Grand Total
CVE-2016-2118      Samba     Samba                                  No         15
CVE-2012-1723      Oracle    Sun/Oracle JRE                         Yes        13
CVE-2012-0507      Oracle    Sun/Oracle JRE                         Yes        12
CVE-2017-12615     Apache    Apache Tomcat                          Yes        9
CVE-2015-7645      Adobe     Adobe Flash_Player                     Yes        6
CVE-2015-8651      Adobe     Adobe Flash_Player                     Yes        6
CVE-2016-1019      Adobe     Adobe Flash_Player                     Yes        6
CVE-2016-4117      Adobe     Adobe Flash_Player                     Yes        6
CVE-2007-1036      RedHat    JBOSS_Application_Server               No         5
CVE-2015-5122      Adobe     Adobe Flash_Player                     Yes        5
CVE-2018-4878      RedHat    RedHat Enterprise_Linux                Yes        5
CVE-2012-0874      RedHat    JBOSS_Enterprise_Web_Platform          Yes        4
CVE-2013-4810      HP        HP Procurve_Manager                    Yes        4
CVE-2010-0738      RedHat    JBOSS_Application_Server               Yes        3
CVE-2018-15982     Adobe     Adobe Flash_Player                     Yes        3
CVE-2010-1428      RedHat    JBOSS_Enterprise_Application_Platform  Yes        2
CVE-2015-1427      Elastic   Elasticsearch                          Yes        2
CVE-2017-5638      Apache    Apache Struts                          Yes        2
CVE-2018-11776     Apache    Apache Struts                          Yes        2

Grand Total is the number of vendors marked for each CVE across the table's per-vendor columns: Sun, Adobe, amazon, apache, apple, canonical, centos, cisco, debian, elasticsearch, f5, fedoraproject, fermilab, freebsd, gentoo, google, hp, huawei, jboss, juniper, mandriva, novell, oracle, redhat, Samba, slackware, suse, symantec, ubuntu, virtuozzo, vmware.


Wormable Vulnerabilities in SMB and RDP

In addition to the many vulnerabilities analyzed thus far, Server Message Block (SMB) and Remote Desktop Protocol (RDP) have played an incredibly important role in the evolution of ransomware and remain a focal point for attackers today. In this section, we will look at specific vulnerabilities as well as important security best practices for these protocols to reduce the exposure to ransomware.

SMB and the ‘Eternal’ Exploits (MS17-010)

In April of 2017, the Shadow Brokers released the now infamous exploit known as EternalBlue, which targeted a vulnerability in SMB. The wormable nature of this vulnerability allowed an attacker to easily spread from host to host, infect additional devices, and move laterally within a network. In response, Microsoft issued Security Bulletin MS17-010, which cited several vulnerabilities spanning CVE-2017-0143 through CVE-2017-0148. In May of the same year, the WannaCry ransomware outbreak used the EternalBlue exploit against CVE-2017-0144 to spread from host to host within a network. Hundreds of thousands of devices were impacted globally in the attack. The same vulnerability was once again targeted a month later in the June Petya/NotPetya attacks.

Of note, RiskSense researchers were instrumental in highlighting how additional ‘Eternal’ exploits could be applied to other operating systems and also published the first open source scanner for MS17-010 on May 17th of 2017.

However, in spite of their highly publicized nature and availability of patches, the MS17-010 vulnerabilities persist within enterprise networks and continue to be used by multiple families of ransomware today including Ryuk, SamSam, Satan, BadRabbit, and Katyusha. Ryuk, which is one of the more recent families of ransomware, is notable for demanding very high ransoms of $100,000 or more.

Given the wormable nature of these vulnerabilities and that they remain targets for some of the most recent and damaging malware, organizations should heavily prioritize patching efforts for the following CVEs. Additionally, since these vulnerabilities are used by ransomware to move laterally and spread within a network, it is important that all vulnerable devices are patched, not just those exposed to the internet.

CVE             Relevant Ransomware Families
CVE-2017-0143   BadRabbit, Katyusha, Ryuk, SamSam
CVE-2017-0144   Ryuk, Satan
CVE-2017-0145   BadRabbit, Katyusha, Ryuk, SamSam
CVE-2017-0146   BadRabbit, Katyusha, Ryuk, SamSam
CVE-2017-0147   BadRabbit, Katyusha, Ryuk, SamSam
CVE-2017-0148   Petya

[Timeline figure: MS17-010 CVEs and patch released 3.14.2017; exploit released 4.14.2017 (annotated as 30 days later); RiskSense analysis warns of a massive cyber attack, April 21, 2017; WannaCry massive attack 5.12.2017 (annotated as 27 days after the exploit release); Petya massive attack 6.27.2017 (annotated as 45 days).]

RDP and BlueKeep (CVE-2019-0708)

Much like MS17-010, which affects SMB, the recent BlueKeep vulnerability (CVE-2019-0708) represents a wormable vulnerability for RDP. Proof-of-concept code for the vulnerability has been demonstrated, and it is widely anticipated that exploits will eventually be seen in the wild. On 21 May 2019 RiskSense was the first to release an open source scanner for BlueKeep, which quickly found that approximately 1 million devices were exposed and vulnerable.

Additionally, new wormable RDP vulnerabilities were found affecting the Microsoft Remote Desktop service in August of 2019. These include CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226.

There are two important take-aways from this information. First, organizations should prioritize patching for CVE-2019-0708. Second, organizations should not be exposing RDP and SMB externally in the first place.

Reducing the SMB and RDP Attack Surface

While much of the analysis in this paper is focused on specific CVEs related to ransomware, we would be remiss not to underline general security best practices for SMB and RDP. As a matter of course, neither SMB nor RDP should be exposed to the internet. However, using Shodan we can see that roughly 1.8 million SMB ports are exposed on the internet, and 7.6 million RDP ports are likewise exposed. This basic exposure has been heavily utilized by a variety of ransomware families. The SamSam family of ransomware in particular is well-known for gaining access to networks by simply brute-forcing exposed RDP ports. This means that ransomware will often gain access not by exploiting a CVE, but by finding lapses in basic network security hygiene.

Enterprises should scan their environments and close any exposed SMB or RDP ports. In cases where the organization requires RDP to be exposed, security teams should take strong measures to secure the service, including but not limited to:

• Ensure strong password policies
• Prioritize patching for related vulnerabilities
• Move the service to a non-standard port
• Implement a lockout policy after repeated login failures
• Implement multi-factor authentication
• Implement strict access control rules


Wormable Vulnerabilities in SMB and RDP (Continued)


Summary and Recommendations

Vulnerability Type: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148, CVE-2019-0708

Recommendations
• Scan for and remove internet-facing SMB and RDP wherever possible
• Prioritize patching of the MS17-010 vulnerabilities
• Apply strong security controls to RDP access


The Ransomware Top 10

By bringing together the various perspectives used in this report, we can zero in on a list of 10 very high priority vulnerabilities. This should in no way discount the importance of the many other vulnerabilities analyzed in the report, but rather give organizations a very short and manageable starting point for ransomware-based patching efforts.

Note that the table below is listed chronologically based on the CVE and not by importance or priority. The first 3 vulnerabilities all affect multiple vendors, are targeted by multiple families, all affect servers, and all are older CVEs. CVE-2010-0738 is also a particularly low scoring vulnerability. The final 6 vulnerabilities are the MS17-010 vulnerabilities. The wormable nature of these vulnerabilities means that they can have a particularly devastating impact to an enterprise if left unpatched.

Top 10 CVEs      Source                     Affects Servers   Targeted by Multiple Ransomware Families   Impacts Multiple Vendors   CVSS v2
CVE-2010-0738    JBOSS_Application_Server   Yes               Yes                                        Yes                        5
CVE-2012-1723    Sun/Oracle JRE             Yes               Yes                                        Yes                        10
CVE-2012-0507    Sun/Oracle JRE             Yes               Yes                                        Yes                        10
CVE-2015-8651    Adobe Flash_Player         No                Yes                                        Yes                        9.3
CVE-2017-0143    SMB                        Yes               Yes                                        No                         9.3
CVE-2017-0144    SMB                        Yes               Yes                                        No                         9.3
CVE-2017-0145    SMB                        Yes               Yes                                        No                         9.3
CVE-2017-0146    SMB                        Yes               Yes                                        No                         9.3
CVE-2017-0147    SMB                        Yes               Yes                                        No                         4.3
CVE-2017-0148    SMB                        Yes               Yes                                        No                         9.3
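An added example, not the report's own scoring model: the script below takes the rows of the Top 10 table and ranks them by threat context (server impact, multiple ransomware families, multiple vendors, wormability) next to a CVSS-only ordering, to show how CVE-2010-0738 (CVSS 5) and CVE-2017-0147 (CVSS 4.3) move relative to a 9.3-scored CVE that does not affect servers; the weights are assumptions chosen for the illustration.

```python
"""Rank the report's Top 10 by threat context rather than by CVSS alone.
Added illustration, not RiskSense's scoring model. The rows reproduce the
report's Top 10 table; the weights are assumptions chosen for the example."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnRecord:
    cve: str
    source: str
    cvss_v2: float
    affects_servers: bool
    multiple_families: bool      # targeted by multiple ransomware families
    multiple_vendors: bool       # impacts multiple vendors
    wormable: bool = False       # the report flags the MS17-010 CVEs as wormable


TOP10 = [
    VulnRecord("CVE-2010-0738", "JBOSS_Application_Server", 5.0, True, True, True),
    VulnRecord("CVE-2012-1723", "Sun/Oracle JRE", 10.0, True, True, True),
    VulnRecord("CVE-2012-0507", "Sun/Oracle JRE", 10.0, True, True, True),
    VulnRecord("CVE-2015-8651", "Adobe Flash_Player", 9.3, False, True, True),
    VulnRecord("CVE-2017-0143", "SMB", 9.3, True, True, False, wormable=True),
    VulnRecord("CVE-2017-0144", "SMB", 9.3, True, True, False, wormable=True),
    VulnRecord("CVE-2017-0145", "SMB", 9.3, True, True, False, wormable=True),
    VulnRecord("CVE-2017-0146", "SMB", 9.3, True, True, False, wormable=True),
    VulnRecord("CVE-2017-0147", "SMB", 4.3, True, True, False, wormable=True),
    VulnRecord("CVE-2017-0148", "SMB", 9.3, True, True, False, wormable=True),
]

# Assumed weights: each context attribute is worth as much as a full-scale
# CVSS score, and wormability counts double.
DEFAULT_WEIGHTS = {"cvss": 1.0, "affects_servers": 1.0,
                   "multiple_families": 1.0, "multiple_vendors": 1.0,
                   "wormable": 2.0}


def context_score(v: VulnRecord, weights=DEFAULT_WEIGHTS) -> float:
    """Additive score: normalized CVSS plus a weight per threat-context flag."""
    score = v.cvss_v2 / 10.0 * weights["cvss"]
    for flag in ("affects_servers", "multiple_families",
                 "multiple_vendors", "wormable"):
        if getattr(v, flag):
            score += weights[flag]
    return round(score, 2)


def rank_by_cvss(records):
    """Baseline ordering that a CVSS-only patch policy would produce."""
    return sorted(records, key=lambda v: (-v.cvss_v2, v.cve))


def rank_by_context(records, weights=DEFAULT_WEIGHTS):
    """Ordering once in-the-wild context is added; CVSS only breaks ties."""
    return sorted(records,
                  key=lambda v: (-context_score(v, weights), -v.cvss_v2, v.cve))


def rank_shift(records, weights=DEFAULT_WEIGHTS) -> dict:
    """Positions each CVE moves from the CVSS-only order (positive = promoted)."""
    cvss_pos = {v.cve: i for i, v in enumerate(rank_by_cvss(records))}
    ctx_pos = {v.cve: i for i, v in enumerate(rank_by_context(records, weights))}
    return {cve: cvss_pos[cve] - ctx_pos[cve] for cve in cvss_pos}


if __name__ == "__main__":
    shifts = rank_shift(TOP10)
    print(f"{'CVE':<14} {'CVSS':>5} {'Score':>6} {'Shift':>6}")
    for v in rank_by_context(TOP10):
        print(f"{v.cve:<14} {v.cvss_v2:>5} {context_score(v):>6} {shifts[v.cve]:>+6}")
```

With these weights the Flash CVE drops to the bottom of the list while CVE-2017-0147 climbs above both CVSS 10 JRE entries; changing DEFAULT_WEIGHTS shows how sensitive such a ranking is to the context an organization chooses to value.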


Summary

We hope that this report provides organizations with prescriptive and usable insights that can help to protect their assets from being exposed to ransomware and drive an efficient approach to vulnerability and patch management. While any threat-based analysis will naturally represent a specific point in time, we hope that the lessons and methodologies contained in the report continue to provide guidance even as ransomware and attack campaigns adapt and evolve.

In particular we have seen how some of the vulnerabilities that ransomware uses the most can fly under the radar due to age or low CVSS score. This should serve as a reminder that CVSS scores should be just one of several contexts we consider when evaluating a vulnerability. Ultimately, insights from threats in the wild provide the most reliable context for driving good security decisions. As a result, organizations should always be aware of which vulnerabilities have actually been weaponized and are actively being used by attackers in the wild.

This real-world context also clearly shows how enterprise ransomware targets higher value assets such as server and application infrastructure where attacks are likely to cause the most damage. The need to schedule change windows can make these assets the most challenging and time-consuming to patch for enterprise IT teams. However, it is important to remember that the inconvenience of these patching efforts is nominal compared to the disruption and loss due to a successful ransomware attack.

Lastly, teams should be aware of the vulnerabilities where ransomware congregates the most. Multiple families of ransomware can target the same vulnerabilities for a variety of reasons. The vulnerability may be particularly easy to target and used in readily available exploit kits. The vulnerability may be particularly valuable such as wormable exploits that allow attackers to quickly spread through a victim network. In either case, these confluences of ransomware behavior should serve as a vivid indicator of risk for an enterprise, and should be prioritized accordingly.

By analyzing vulnerability metrics and characteristics, real-world threat context, and an understanding of the impact to the organization, security leaders can make risk-based decisions based on the content of this report that result in smarter patching decisions. Even with limited resources, a more effective approach can be obtained to address the growing enterprise ransomware threat.


© 2019 RiskSense, Inc. All rights reserved. RiskSense and the RiskSense logo are registered trademarks of RiskSense, Inc. Spotlight_Ransomware_20191014

About RiskSense

RiskSense®, Inc. provides vulnerability management and prioritization to measure and control cybersecurity risk. The cloud-based RiskSense platform uses a foundation of risk-based scoring, analytics, and technology-accelerated pen testing to identify critical security weaknesses with corresponding remediation action plans, dramatically improving security and IT team efficiency and effectiveness. For more information, visit www.risksense.com or follow us on Twitter at @RiskSense.

RiskSense – the industry’s most comprehensive risk-based vulnerability management and prioritization platform

Contact us today to learn more about RiskSense: RiskSense, Inc. | +1 844.234.RISK | +1 505.217.9422 | risksense.com