Ransomware is growing again, at least in overall economic impact, according to the Enterprise Ransomware report published on Tuesday by vulnerability management firm RiskSense. The number of attacks has declined, but the amount cybercriminals are able to extract from victims has risen from $5 billion in 2017 to an estimated $11.5 billion in 2019.
Cybercriminals are increasingly targeting local municipalities as a quick cash-grab, with 23 municipal governments in Texas targeted in a coordinated campaign using the Sodinokibi ransomware package in August, while Lake City, Florida paid nearly $500,000 in June following a ransomware attack just a week after Riviera Beach, Florida paid more than $600,000. In some circumstances, insurance companies are fighting claims related to ransomware attacks, based on attack attribution.
While prompt patching of vulnerabilities is naturally the best first step in reducing the risk of falling victim to a ransomware attack, significant benefits can be gained by removing legacy software from an organization. The 57 vulnerabilities investigated in the RiskSense report were associated with 33 different products. Microsoft products represented 27 vulnerabilities, with Red Hat in second place with six vulnerabilities, followed by Adobe and Oracle with five vulnerabilities each.
What vulnerabilities are targeted by ransomware campaigns?
That Microsoft accounts for 27 of the 57 vulnerabilities is not necessarily an indicator of code quality: because Windows remains entrenched in the enterprise, its ubiquity draws greater attention from cybercriminals. Eight of the vulnerabilities are in Windows itself and six are in the SMB protocol. (If SMBv1 is still enabled on your hosts or reachable across your network, drop everything and disable it now.) Microsoft Edge, Internet Explorer, and Microsoft Office each had three vulnerabilities targeted by ransomware.
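The following script is an added example, not code from the RiskSense report or this article, showing what "disable SMBv1 now" looks like on a single Windows host: it reports whether the server still negotiates the SMB1 dialect, lists any clients currently connected over SMB1 (the machines that will break when it is turned off), and, only when run with its own `-Remediate` switch (an assumption of this script, not a Windows setting), disables SMB1 on both the server and client sides. It assumes Windows 8.1 / Server 2012 R2 or later, where the `SmbShare` cmdlets and the `SMB1Protocol` optional feature exist.

```powershell
#Requires -RunAsAdministrator
<#
 Added example, not code from the RiskSense report or the TechRepublic article.
 Audits SMBv1 on the local host and, with -Remediate, turns it off on the
 server side (the EternalBlue attack surface) and the client side.
 Assumes Windows 8.1 / Server 2012 R2 or later. -Remediate is this script's
 own switch. The client-side change takes effect after a reboot.
#>
[CmdletBinding()]
param([switch]$Remediate)

# 1. Server side: will this host still accept an SMB1 negotiation?
$server = Get-SmbServerConfiguration
Write-Host "SMB server accepts SMB1: $($server.EnableSMB1Protocol)"

# 2. Who is actually still talking SMB1 to us? Disabling SMB1 breaks these.
$legacySessions = Get-SmbSession -ErrorAction SilentlyContinue |
    Where-Object { $_.Dialect -like '1.*' }
if ($legacySessions) {
    Write-Warning "Active SMB1 sessions found; fix these clients first:"
    $legacySessions |
        Select-Object ClientComputerName, ClientUserName, Dialect |
        Format-Table -AutoSize
}

# 3. The SMB1 feature package (server, client driver mrxsmb10, browser service).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
    -ErrorAction SilentlyContinue
if ($feature) { Write-Host "SMB1Protocol feature state: $($feature.State)" }

if (-not $Remediate) {
    Write-Host "Audit only. Re-run with -Remediate to disable SMB1."
    return
}

# Stop the server from negotiating SMB1. Effective immediately, no reboot.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# Stop this host from speaking SMB1 as a client: remove the mrxsmb10 driver
# from the LanmanWorkstation dependency list and disable it (needs a reboot).
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null

# Remove the feature package entirely where it is still present.
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart |
        Out-Null
}

Write-Host "SMB1 disabled on server and client; reboot to finish."
```

Run it once without `-Remediate` on a file server and act on the session list before flipping the switch: printers, NAS boxes and old appliances that can only speak SMB1 are the usual reason the setting gets turned back on, and each of them is a reason to replace the device rather than keep the protocol. Turning SMB1 off on every host does not replace blocking TCP 445 at network segment boundaries; do both.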
Substantial benefits can be had simply by removing legacy software from your environment. Six of the vulnerabilities analyzed were associated with Adobe Flash Player, which reaches end of life at the end of 2020. Two were tied to the Microsoft Silverlight plugin, which reaches end of life in October 2021 (though it is already not widely used), and two were tied to the Java Runtime Environment (JRE). The GandCrab, Sodinokibi, Princess Locker, Cerber, and Locky ransomware families are known to exploit vulnerabilities in these plugins.
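You cannot remove what you do not know is installed. As an added example (not code from the report or this article), the script below inventories the three legacy products named above on a Windows host by reading the Add/Remove Programs registry entries that both MSI and EXE installers write, in the 64-bit, 32-bit (WOW6432Node) and per-user hives, and separately checks the system directories where the Flash Player ActiveX control and NPAPI plugin live even when no uninstall entry remains. The `DisplayName` patterns are assumptions about how these installers name themselves, so treat the output as a starting point, not proof of absence.

```powershell
<#
 Added example, not code from the RiskSense report or the TechRepublic article.
 Inventories Adobe Flash Player, Microsoft Silverlight and the Java Runtime
 Environment on the local host. Run it remotely with Invoke-Command for a
 fleet-wide view. The name patterns below are assumptions about installer
 DisplayName strings; the Macromed\Flash paths are where Flash Player installs
 its ActiveX (.ocx) and NPAPI (NPSWF*.dll) components.
#>
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Product tag -> wildcard pattern matched against DisplayName (assumed names).
$legacyProducts = @{
    'Adobe Flash Player'    = 'Adobe Flash Player*'
    'Microsoft Silverlight' = 'Microsoft Silverlight*'
    'Java Runtime (JRE)'    = 'Java*Update*'   # e.g. "Java 8 Update 221 (64-bit)"
}

$found = @(
    foreach ($key in $uninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            ForEach-Object {
                $entry = $_
                foreach ($tag in $legacyProducts.Keys) {
                    if ($entry.DisplayName -like $legacyProducts[$tag]) {
                        [pscustomobject]@{
                            Product      = $tag
                            DisplayName  = $entry.DisplayName
                            Version      = $entry.DisplayVersion
                            Hive         = ($key -split '\\')[0]
                            UninstallCmd = $entry.UninstallString
                        }
                    }
                }
            }
    }
)

# Flash components can survive in the system directories with no uninstall
# entry (e.g. after a partial removal); check the files directly.
$flashDirs = "$env:windir\System32\Macromed\Flash", "$env:windir\SysWOW64\Macromed\Flash"
$flashFiles = Get-ChildItem -Path $flashDirs -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match '^(Flash.*\.ocx|NPSWF.*\.dll)$' }
foreach ($f in $flashFiles) {
    $found += [pscustomobject]@{
        Product      = 'Adobe Flash Player'
        DisplayName  = "File: $($f.Name)"
        Version      = $f.VersionInfo.FileVersion
        Hive         = 'filesystem'
        UninstallCmd = $f.FullName
    }
}

if ($found.Count -eq 0) {
    Write-Host "No Flash Player, Silverlight or JRE installations found on $env:COMPUTERNAME."
} else {
    Write-Host "$($found.Count) legacy component(s) found on $env:COMPUTERNAME:"
    $found | Sort-Object Product, DisplayName | Format-Table -AutoSize
}
```

The `UninstallCmd` column is the string Windows itself runs from Add/Remove Programs, so the same objects feed a removal step once you have confirmed nothing in the business still depends on the plugin; the JRE is the one most likely to have a legitimate line-of-business dependency, and the one worth checking before removing.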
Desktop security is not the only consideration, however. Thirty-six of the 57 analyzed vulnerabilities (63%) used by ransomware target servers or “other critical enterprise assets,” the report notes.
The EternalBlue exploit remains a pain point for the enterprise
Of the 10 most exploited vulnerabilities, six are in SMB, two are in the JRE, and Adobe Flash Player and the JBoss Application Server account for one each. The SMB vulnerabilities are the ones exploited by EternalBlue, which Microsoft had patched in MS17-010 in March 2017, a month before the exploit was published by the group calling itself The Shadow Brokers. EternalBlue was originally developed by the NSA Office of Tailored Access Operations and the CIA Information Operations Center. Weaponizing those flaws, rather than disclosing them responsibly, created the opening for the WannaCry ransomware outbreak.
In the wake of the WannaCry attack, Microsoft president and chief legal officer Brad Smith condemned the “stockpiling of vulnerabilities by governments.”
For more on security, check out “Businesses need to patch for BlueKeep to avoid another WannaCry” and “Russian phishing campaign using AWS to host landing pages designed to avoid detection” on TechRepublic.