Enterprise Ransomware: Through the Lens of Threat and Vulnerability Management

RiskSense Spotlight Report • August 2019

Executive Summary

Ransomware remains one of the most damaging cyber threats facing organizations today. Unlike other threats, ransomware's main goal is to maximize the business and operational pain to the victim enterprise, namely by freezing its data and its ability to function. This makes any organization or industry a potential target of ransomware: attackers do not need the data to be valuable for resale on the black market, it only needs to be valuable to the victim. And whether due to lost data or the costs of downtime and cleanup, the actual damage and loss from a ransomware attack are almost always much higher than the cost of the ransom itself. The stakes for enterprises have been raised even further as insurance claims related to ransomware attacks have recently been denied based on the attribution of an attack.

Defending against such attacks is a top priority for enterprise security teams. This typically includes addressing the weaknesses and vulnerabilities that ransomware attacks use, adding detection and response tools, and establishing data backup and recovery plans. However, the only way to truly prevent ransomware damage is to stop the attack before assets are affected and damage is done. Vulnerability management plays a critical role in this area.

Unfortunately, vulnerability management has become one of the most challenging tasks for security and IT teams, who typically have far more vulnerabilities than they could ever hope to patch. To keep pace, teams need to prioritize vulnerabilities based on real-world context such as whether a vulnerability has been weaponized, its impact to the enterprise, and whether it has active exploits trending in the wild.

This report applies this approach specifically to the problem of ransomware by analyzing the top enterprise ransomware families and the specific vulnerabilities that they target. The goal is to provide actionable insight, trends, and analysis into some of the vulnerabilities and weaknesses most heavily used by ransomware. At a high level, this analysis includes:

• Key traits of vulnerabilities (CVEs) used by enterprise ransomware, highlighting those that could easily be overlooked.
• How vulnerabilities map to specific ransomware families, highlighting those used by multiple families.
• Which vendors and assets are most targeted by enterprise ransomware for their impact.
• Additionally, we highlight the vulnerabilities that are being used in active ransomware campaigns or are "trending" in the wild based on RiskSense research. This focus on trending vulnerabilities allows organizations to concentrate on the CVEs with the greatest real-world impact.

For each key finding in the report, we have included a list of relevant vulnerabilities (CVEs) that security and IT teams can leverage in their patch management practice to proactively minimize exposure. Likewise, we provide best practices and guidance that can help to identify and prioritize vulnerabilities with similar traits as they emerge. While this report focuses heavily on specific CVEs, it is important to note that ransomware often targets weaknesses such as improperly secured or exposed services, in particular SMB and RDP. In addition to analyzing the CVEs tied to these protocols, we have included best practices for reducing their exposure to attack.

Spotlight • Enterprise Ransomware – Through the Lens of Vulnerability and Threat Management Page 1 RiskSense Spotlight Report • August 2019

Key Findings

Enterprise Ransomware Hunts High-Value Assets

63% (36 out of 57) of the CVEs analyzed were tied to high-value enterprise assets such as servers, application servers, and collaboration tools. 31 of these CVEs were trending in the wild in 2018 or 2019. This notably included versions of Windows Server (5), Oracle JRE and WebLogic Server (5), RedHat's JBOSS application servers (4), Apache Struts and Tomcat (3), Spring Data (1), Atlassian's Confluence (1), and Elasticsearch (1). Targeting these and other critical assets allows attackers to maximize business disruption to the victim's operations and thereby demand higher ransoms. Enterprise ransomware is targeted and focused; it is not as random or opportunistic as small business or consumer-focused ransomware.

The 'Eternal' Exploits Remain Eternal

The MS17-010 vulnerabilities, first popularized by the EternalBlue exploit and the WannaCry ransomware, continue to be popular with multiple families of ransomware today, including Ryuk, SamSam, and Satan. These wormable vulnerabilities allow attackers to quickly spread from host to host throughout the network. The fact that these vulnerabilities continue to trend in the wild and are used by even the most recent and costliest families of ransomware is a clear sign that many organizations still have not patched them.

Older Vulnerabilities Causing Big Problems in the Wild

While many organizations focus on new vulnerabilities, our analysis shows that vulnerabilities from as far back as 2010 continue to be trending with ransomware in the wild. In total, 31.5% of the analyzed vulnerabilities were from 2015 or earlier (18 out of 57), and 16 of those continue to be trending in 2018 or 2019. Ransomware targeting these vulnerabilities included Gandcrab, SamSam, and the recent Sodinokibi families.

100% of the Vulnerabilities Analyzed Enable Remote Code Execution or Privilege Escalation

All of the vulnerabilities analyzed in the dataset enabled either remote code execution (RCE) or privilege escalation (PE). These traits continue to be highly strategic for attackers and likewise can serve as important attributes for security teams when prioritizing their patching efforts. The very strong correlation with ransomware should further underline the importance of tracking these traits as part of a risk-based vulnerability management program.

Low CVSS Scores Can Carry High Risk

52.6% (30 out of 57) of the ransomware vulnerabilities had a CVSS v2 score lower than 8. Of those, 24 were trending in the wild, and they included vendors such as RedHat, Apache, and Oracle. Surprisingly, trending ransomware vulnerabilities scored as low as 2.6. As a result, organizations that use CVSS scores as their exclusive means to prioritize vulnerabilities for patching will very likely miss important vulnerabilities that are used by ransomware.

Some Vulnerabilities Are Repeat Offenders

Our analysis showed that some vulnerabilities had a broader reach than others. 15 vulnerabilities were found to be targeted by multiple families of enterprise ransomware. Additionally, since technology is often reused in multiple products, vulnerabilities often impact more than one vendor. We identified 17 trending vulnerabilities with active exploits in the wild which affected more than one technology vendor.

The Ransomware Top 10

Bringing together the various perspectives in the report, we identified a list of 10 vulnerabilities that organizations can leverage as a starting point for their ransomware-focused patching efforts. This list includes:

• 4 vulnerabilities that are both targeted by multiple families of ransomware and also impact multiple vendors.
• 9 vulnerabilities that affect servers.
• 4 that are from 2015 or earlier and 2 with a CVSS score of 5 or less, which could lead to them being overlooked.


Report Methodology

The information in this report is based on data gathered from a variety of sources including RiskSense proprietary data, publicly available threat databases, as well as RiskSense threat researchers and penetration testers. The overarching goal of this report is to provide a manageable list of CVEs and best practices that address the top families of enterprise ransomware. We hope this can serve as a starting point for organizations who want to take a ransomware-based approach to patching within their vulnerability management program to secure their enterprise and reduce their attack surface. Put simply, most organizations are inundated with more vulnerabilities than they can patch, so we wanted to provide a shortlist of vulnerabilities that focuses on the most damaging ransomware threats.

We focused on the top ransomware families that are known to target enterprises and government organizations as opposed to individuals, and identified a set of 57 vulnerabilities that are heavily tied to ransomware threats in these organizations. Next, we identified the most common vectors and vulnerabilities related to ransomware in order to find trends and insights that can help organizations better protect their networks and assets. We also analyzed the dataset to identify vulnerabilities that were "trending" in either 2018 or 2019. Trending is defined by RiskSense as vulnerabilities that are being actively abused by attackers in the wild. These connections are established by internal RiskSense research, monitoring of forums and Twitter feeds, as well as analysis of 3rd party threat intelligence sources.

Additionally, ransomware can often be a secondary payload following a successful exploit and initial infection. For example, the RIG exploit kit has been used to deliver a variety of families of ransomware. For our analysis, we included relevant vulnerabilities for cases where there is a documented link between a particular exploit kit and a ransomware campaign. However, we intentionally focused on the top enterprise ransomware families and do not claim that this is an exhaustive list of all vulnerabilities related to ransomware. Furthermore, malware campaigns can evolve and adopt different exploits or exploit kits over time. As a result, organizations are encouraged to use this report as a point-in-time analysis and then apply an ongoing risk-based approach to ransomware that prioritizes vulnerabilities that have been weaponized and are trending in the wild in malware and exploit kits.

57 vulnerabilities identified that are heavily tied to ransomware threats


Table of Contents

Executive Summary 1
Key Findings 2
Report Methodology 3
The Enterprise Era of Ransomware 5
Key Vulnerability Metrics and Risk Factors 6
    A Risk-Based View of Ransomware Vulnerabilities 6
    Analysis of CVSS Scores and Severities 7
    Older Vulnerabilities Are Still Trending 8
Vulnerabilities by Ransomware Family 10
    Malware Families with the Most Vulnerabilities 10
    Vulnerabilities Shared Across Malware Families 11
Vulnerabilities by Vendor and Product 12
    Vulnerabilities by Vendor and Product 12
    Vulnerabilities Affecting Servers and Applications 14
    Vulnerabilities Impacting Additional Products 15
Wormable Vulnerabilities in SMB and RDP 17
    SMB and the 'Eternal' Exploits (MS17-010) 17
    RDP and BlueKeep (CVE-2019-0708) 18
    Reducing the SMB and RDP Attack Surface 18
The Ransomware Top 10 19
Summary 20


The Enterprise Era of Ransomware

This section briefly covers the recent evolution of ransomware, and specifically how it has evolved to target enterprises and the impact of those attacks.

While ransomware has been around for several years, it shot to the forefront of security concerns in 2017 with the release of WannaCry, which quickly affected more than 200,000 victims. WannaCry made use of the EternalBlue exploit related to MS17-010 (CVE-2017-0144). As we will see later in the report, this and the related MS17-010 vulnerabilities continue to play a major role in ransomware attacks today. While WannaCry only netted around $100,000 for the attackers, it was estimated to cause $1 Billion in damages.

While the overall volume of attacks began to drop in 2018, the impact on enterprises has continued to rise. Unlike the opportunistic approach of consumer ransomware, enterprise ransomware has shifted to far more targeted, higher-impact attacks that drive higher ransom demands. While ransomware costs in 2017 were estimated at $5 Billion total, the estimates have risen to $11.5 Billion in 2019 even as the overall volume of ransomware attacks has declined. In fact, virtually all of the metrics related to ransomware impact appear to be on the rise according to recent 2019 data from Coveware. Average ransom demands nearly doubled with the rise of more targeted ransomware such as Ryuk, SamSam, and Sodinokibi. Likewise, between Q4 2018 and Q1 2019, the average downtime from a ransomware attack increased from 6.2 to 7.5 days as ransomware evolved to target backups and encrypt application configuration files.

The ability to drive higher ransoms while also causing greater disruption is a direct indicator of the pain these attacks can cause organizations through downtime, lost employee productivity, lost sales, and incident response and recovery costs. As an example, the City of Atlanta was hit by SamSam in 2018, and the final costs are estimated to be in the range of $17 million. Likewise, in May 2019 the City of Baltimore suffered a RobbinHood ransomware attack, which is estimated to cost $13 million. Worse still, in some cases insurance companies are refusing to pay claims related to ransomware attacks based on attack attribution.

These factors pose a staggering amount of financial and operational risk for any organization. While individual attacks vary and malware will continue to evolve, ransomware attacks are predicated on causing significant organizational damage and disruption. Enterprise-focused ransomware continues to evolve, and this alone ensures that ransomware will remain a top concern for the foreseeable future.

[Figure: Global Ransomware Damage Costs. 2017: $5 Billion; 2019: $11.5 Billion (a 130% increase).]


Key Vulnerability Metrics and Risk Factors

In this section, we analyze the 57 vulnerabilities across a variety of risk metrics in order to highlight areas where important ransomware vulnerabilities could easily fly under the radar, while also providing a model for prioritizing vulnerabilities going forward.

A Risk-Based View of Ransomware Vulnerabilities

In order to intelligently prioritize vulnerabilities, we need to know real-world, threat-based information as well as data about the vulnerability itself. For example, the vast majority of vulnerabilities are never weaponized, meaning that there are no exploits to take advantage of the vulnerability. Many of those that are weaponized are not used in actual attacks or malware campaigns. In practice, three high-level metrics are often very powerful for honing in on the most important vulnerabilities. These are:

• Weaponized Vulnerabilities: vulnerabilities which have associated exploit code capable of taking advantage of the vulnerability.
• Strategic Vulnerabilities: vulnerabilities that allow remote code execution (RCE) or privilege escalation (PE). These are highly valuable to attackers and significantly increase the risk of damage to a victim organization.
• Trending Vulnerabilities: vulnerabilities that are actively being used in the wild in attacks and malware, based on RiskSense research and correlation with 3rd party sources. In this report, we then further refined the list by honing in on the trending vulnerabilities that are used by enterprise ransomware.

The vulnerabilities analyzed in this report range from 2010 to 2019. If we look at all the CVEs released in this time range, we can demonstrate how using the above metrics provides a straightforward, yet powerful model to prioritize vulnerabilities.

[Figure: CVEs From 2010 to 2019, from "Start Here" to "CVEs That Matter". Total CVE count: 80,642; Weaponized: 9,092; RCE/PE: 2,175; Trending: 372; Trending Enterprise Ransomware: 49.]

These metrics prove to be particularly valuable when prioritizing vulnerabilities to minimize ransomware. Of course, by definition all vulnerabilities used by ransomware have been weaponized. However, it is worth noting that all vulnerabilities in the data set enabled either remote code execution or privilege escalation, and 49 of the 57 were trending in the wild in 2018 or 2019. This underscores the importance of tracking RCE/PE-capable vulnerabilities. Additionally, we will highlight trending CVEs throughout the report to focus on the vulnerabilities that pose the most immediate, real-world danger.

Key Metrics for Ransomware Vulnerabilities: 57/57 Weaponized; 57/57 RCE/PE; 49/57 Trending (8 non-trending).



Analysis of CVSS Scores and Severities

Our analysis shows that while CVSS scores can provide a good start, organizations can easily miss ransomware-related CVEs by relying solely on these scores. We analyzed the dataset both by CVSS v2 and CVSS v3 scores. Since CVSS v3 was not implemented until late 2015, only 40 of the 57 vulnerabilities have CVSS v3 scores.

First, analyzing by CVSS Severity, we see that not all trending vulnerabilities are in the "High" or "Critical" categories. For CVSS v2, there were 8 trending vulnerabilities that had a severity rating lower than High, while for CVSS v3, there were 22 trending vulnerabilities that were lower than Critical.

[Chart: CVSS v2 Categories, CVE count (trending / non-trending) as read from the chart: High 41 / 6, Medium 7 / 2, Low 1 / 0.]
[Chart: CVSS v3 Categories, CVE count (trending / non-trending) as read from the chart: Critical 12 / 3, High 20 / 2, Medium 2 / 1.]
[Charts: CVSS v2 Scores and CVSS v3 Scores, CVE count per one-point score range (0-1 through 9-10 and 10), split trending vs non-trending; per-range counts are not recoverable from the extracted page.]

This same issue persists if we break out the data set by specific CVSS scores. The important point is that patching only vulnerabilities above a particular CVSS score can leave an organization needlessly exposed to ransomware.

For CVSS v2, 52.6% (30/57) of the vulnerabilities had a score less than 8. This held true for trending vulnerabilities as well, with 49.0% (24/49) of the trending CVEs scoring below 8. This included CVEs used by a variety of ransomware families including SamSam, Gandcrab, and Ryuk. Vulnerabilities with a CVSS v3 score fared somewhat better but remained far from ideal: 37.5% (15/40) of vulnerabilities were 8 or below, while 38.2% (13/34) of trending vulnerabilities scored below 8.

[Chart: share of CVEs scoring below 8 vs 8 and above. CVSS v2: 52.6% of all vulnerabilities and 49% of trending vulnerabilities below 8. CVSS v3: 37.5% of all vulnerabilities with a v3 score and 38.2% of trending vulnerabilities with a v3 score below 8.]

This analysis underscores that organizations should supplement CVSS scores with additional threat-focused metrics such as RCE/PE capability and trending status. We have included the table below to highlight trending CVEs with CVSS v2 and v3 scores that are below 8, as they could easily be overlooked based on their score. Again, we have chosen a score of 8 as an arbitrary cutoff for this list, but organizations are encouraged to always analyze vulnerabilities in a full threat-based context.



Trending CVEs with Low Scores

CVE              Name                                    CVSS v2   CVSS v3
CVE-2010-0738    JBOSS_Application_Server                5         n/a
CVE-2010-1428    JBOSS_Enterprise_Application_Platform   5         n/a
CVE-2012-0874    JBOSS_Enterprise_Web_Platform           6.8       n/a
CVE-2015-1427    Elasticsearch                           7.5       n/a
CVE-2015-1701    Microsoft Windows                       7.2       n/a
CVE-2016-0189    Microsoft Jscript                       7.6       7.5
CVE-2016-3088    Apache ActiveMQ                         7.5       9.8
CVE-2016-3298    Microsoft IE                            2.6       5.3
CVE-2016-7200    Microsoft Edge                          7.6       7.5
CVE-2016-7201    Microsoft Edge                          7.6       7.5
CVE-2017-0147    Microsoft SMB                           4.3       5.9
CVE-2017-10271   Oracle WebLogic_Server                  5         7.5
CVE-2017-12149   RedHat JBOSS_Application_Server         7.5       9.8
CVE-2017-12615   Apache Tomcat                           6.8       8.1
CVE-2017-8046    Spring_Data_REST                        7.5       9.8
CVE-2018-1273    Spring_Data_Commons                     7.5       9.8
CVE-2018-20250   Rarlab WinRAR                           6.8       7.8
CVE-2018-2894    Oracle WebLogic_Server                  7.5       9.8
CVE-2018-4878    Adobe Flash_Player                      7.5       9.8
CVE-2018-8120    Microsoft Windows                       7.2       7
CVE-2018-8174    Microsoft Windows                       7.6       7.5
CVE-2018-8440    Microsoft Windows                       7.2      7.8
CVE-2018-8453    Microsoft Windows                       7.2       7.8
CVE-2019-2725    Oracle WebLogic_Server                  7.5       9.8

(CVSS v3 is listed as n/a for CVEs that predate CVSS v3 scoring. Two entries in the extracted table were mislabelled and are corrected above: CVE-2017-12149 is a JBoss Application Server deserialization flaw, not an SMB flaw, and CVE-2018-4878 is an Adobe Flash Player flaw, which NVD also lists against Red Hat Enterprise Linux because Flash shipped for that platform.)

Older Vulnerabilities Are Still Trending Our analysis shows that older vulnerabilities from as far back as 2010 continue to be actively used in ransomware campaigns today. Overall, 18 of the 57 vulnerabilities analyzed were from 2015 or earlier. Of those 18 vulnerabilities, 16 were still trending in 2018 or 2019. While organizations are often in a rush to patch the latest vulnerabilities, this should serve as a reminder that older weaponized and trending vulnerabilities can actually pose the greatest risk.



Ransomware Vulnerabilities by Year (CVE count)

Year    Trending   Non-Trending   Total
2007    0          1              1
2008    0          0              0
2009    0          0              0
2010    2          0              2
2011    0          0              0
2012    3          1              4
2013    3          0              3
2014    1          0              1
2015    7          0              7
2016    8          2              10
2017    13         3              16
2018    10         0              10
2019    2          1              3
Total   49         8              57

We have included the following list of CVEs to help prioritize older CVEs trending in the wild during 2018 or 2019.

CVE              Vendor      Product
CVE-2010-1428    Red Hat     JBOSS_Enterprise_Application_Platform
CVE-2012-0507    Oracle      Oracle JRE
CVE-2012-0874    Red Hat     JBOSS_Enterprise_Web_Platform
CVE-2012-1723    Oracle      Oracle JRE
CVE-2013-0074    Microsoft   Microsoft Silverlight
CVE-2013-2551    Microsoft   Microsoft IE
CVE-2013-4810    HP          HP Procurve_Manager
CVE-2014-6332    Microsoft   Microsoft Windows
CVE-2015-1427    Elastic     Elasticsearch
CVE-2015-1641    Microsoft   Microsoft Office
CVE-2015-1701    Microsoft   Microsoft Windows
CVE-2015-2419    Microsoft   Microsoft IE
CVE-2015-5122    Adobe       Adobe Flash_Player
CVE-2015-7645    Adobe       Adobe Flash_Player
CVE-2015-8651    Adobe       Adobe Flash_Player

Summary and Recommendations

Relevant CVEs:
• List of older vulnerabilities trending in the wild
• List of vulnerabilities with lower CVSS scores trending in the wild

Recommendations:
Apply a risk-based approach to prioritizing vulnerabilities that includes weaponization, RCE/PE capability, and trending intelligence.


Vulnerabilities by Ransomware Family

Next, we analyzed the dataset based on the families of ransomware that target each vulnerability. This gives additional insight into how the respective malware families use vulnerabilities throughout the course of a ransomware attack. For example, even if an attack begins via a phishing email, the attacker may use vulnerabilities to spread laterally within a victim organization or to target high-value servers. We were also able to identify priority vulnerabilities that were used by multiple families of ransomware.

Malware Families with the Most Vulnerabilities

Some of the most popular and well-established malware families also happened to leverage the largest overall number of vulnerabilities. Cerber was found to be the most flexible, using a total of 17 vulnerabilities, 16 of which are trending. Gandcrab was next with 11 vulnerabilities, 9 trending. Both the SamSam and Satan malware tied with 9 vulnerabilities, all of which were trending. PrincessLocker, which runs as a Ransomware-as-a-Service campaign and is tightly associated with the RIG exploit kit, had 7 vulnerabilities.

Close behind were two of the newer and more dangerous entrants to the ransomware field, Ryuk and Sodinokibi. These two families have been growing in popularity in 2019 and are notable for targeting enterprises and demanding unusually high ransoms (Coveware).

Vulnerabilities by Malware Family (CVE count; where the chart splits a family's bar, trending and non-trending counts are given)

Family            Vulnerabilities
BadRabbit         4
Cerber            17 (16 trending, 1 non-trending)
GandCrab          11 (9 trending, 2 non-trending)
Gimemo            1
JNEC              1
Katyusha          4
Lockergoga        1
Locky             7 (5 trending, 2 non-trending)
Megacortex        1
Petya             1
Princess Locker   7
Ryuk              5
SamSam            9
Satan             9
Sodinokibi        4
Troldesh          1
Xbash             1



Vulnerabilities Shared Across Ransomware Families Next, we looked to see which vulnerabilities were used by multiple families. Knowing that a particular vulnerability is not only trending in the wild but is also a common target across multiple ransomware families can further help organizations prioritize their patching efforts. The table below shows the vulnerabilities associated with multiple families along with the vulnerable component and risk score.

Relevant CVEs Families Vulnerable Element CVSS v2

CVE-2010-0738    SamSam, Satan                                   JBOSS_Application_Server    5
CVE-2012-0507    GandCrab, Sodinokibi, Princess Locker, Cerber   Sun/Oracle JRE              10
CVE-2012-1723    Cerber, Locky                                   Sun/Oracle JRE              10
CVE-2013-0074    GandCrab, Sodinokibi, Princess Locker, Cerber   Microsoft Silverlight       9.3
CVE-2015-8651    Cerber, Princess Locker                         Adobe Flash_Player          9.3
CVE-2016-0189    Cerber, Princess Locker                         Microsoft Jscript           7.6
CVE-2016-1019    Locky, Cerber                                   Adobe Flash_Player          10
CVE-2017-0143    BadRabbit, Katyusha, Ryuk, SamSam               SMB                         9.3
CVE-2017-0144    Satan, Ryuk                                     SMB                         9.3
CVE-2017-0145    BadRabbit, Katyusha, Ryuk, SamSam               SMB                         9.3
CVE-2017-0146    BadRabbit, Katyusha, Ryuk, SamSam               SMB                         9.3
CVE-2017-0147    BadRabbit, Katyusha, Ryuk, SamSam               SMB                         4.3
CVE-2017-10271   Satan, Gandcrab                                 Oracle WebLogic_Server      5
CVE-2019-2725    Cerber, Sodinokibi                              Oracle Fusion_Middleware    7.5
CVE-2019-3396    Gandcrab, Lockergoga, Megacortex                Atlassian Confluence        10

This overlap between ransomware families also highlights a series of SMB vulnerabilities ranging from CVE-2017-0143 to CVE-2017-0147. These are the MS17-010 vulnerabilities that were originally made infamous by the WannaCry ransomware. They continue to be very popular today and are heavily used by multiple families, including the recent Ryuk malware, to move laterally and infect additional hosts in the network. Additionally, the list includes examples of older vulnerabilities as well as some with low CVSS scores.
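The prioritization funnel from "A Risk-Based View of Ransomware Vulnerabilities", the CVSS-cutoff problem from "Analysis of CVSS Scores and Severities", and the multi-family check in this section are straightforward to turn into code. What follows is an added example, not RiskSense's code or tooling: it loads a hand-built subset of the CVEs printed in this report's tables, applies the three metrics as successive filters, ranks by threat context with CVSS only as a tie-breaker, and lists the trending RCE/PE CVEs that a "patch only CVSS v2 >= 8" policy would skip. The vendor tuples, the two SAMPLE-* control rows, and the per-CVE weaponized/RCE-PE flags are assumptions made for illustration; the IDs, products, scores and family lists are as printed in the tables above.

```python
"""Risk-based prioritisation of ransomware-linked CVEs.

Added example, not RiskSense's code. It implements the report's funnel
(weaponized -> RCE/PE -> trending), the multi-family / multi-vendor signal,
and shows what a plain "patch only CVSS >= 8" policy would miss.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cve:
    cve_id: str
    product: str
    cvss_v2: float
    weaponized: bool        # public exploit code exists for the flaw
    rce_or_pe: bool         # enables remote code execution or privilege escalation
    trending: bool          # observed in active attacks (2018/2019 in the report)
    families: tuple = ()    # ransomware families seen using it
    vendors: tuple = ()     # vendors whose products carry it (assumed values)


# Hand-built subset of the report's tables: IDs, products, CVSS v2 scores and
# family lists are as printed there.  The vendor tuples and the two SAMPLE-*
# rows (high score, but not weaponized / not trending) are constructed.
REPORT_SUBSET = [
    Cve("CVE-2016-3298", "Microsoft IE", 2.6, True, True, True, (), ("Microsoft",)),
    Cve("CVE-2017-0147", "Microsoft SMB", 4.3, True, True, True,
        ("BadRabbit", "Katyusha", "Ryuk", "SamSam"), ("Microsoft",)),
    Cve("CVE-2010-0738", "JBOSS_Application_Server", 5.0, True, True, True,
        ("SamSam", "Satan"), ("RedHat",)),
    Cve("CVE-2017-10271", "Oracle WebLogic_Server", 5.0, True, True, True,
        ("Satan", "Gandcrab"), ("Oracle",)),
    Cve("CVE-2019-2725", "Oracle WebLogic_Server", 7.5, True, True, True,
        ("Cerber", "Sodinokibi"), ("Oracle",)),
    Cve("CVE-2017-0144", "Microsoft SMB", 9.3, True, True, True,
        ("Satan", "Ryuk"), ("Microsoft",)),
    Cve("CVE-2012-0507", "Sun/Oracle JRE", 10.0, True, True, True,
        ("GandCrab", "Sodinokibi", "Princess Locker", "Cerber"), ("Sun", "Oracle")),
    Cve("CVE-2019-3396", "Atlassian Confluence", 10.0, True, True, True,
        ("Gandcrab", "Lockergoga", "Megacortex"), ("Atlassian",)),
    Cve("SAMPLE-NOT-WEAPONIZED", "constructed control", 9.8, False, True, False),
    Cve("SAMPLE-NOT-TRENDING", "constructed control", 8.5, True, True, False),
]


def funnel(cves):
    """Stage counts of the report's figure: total -> weaponized -> RCE/PE -> trending."""
    weaponized = [c for c in cves if c.weaponized]
    strategic = [c for c in weaponized if c.rce_or_pe]
    trending = [c for c in strategic if c.trending]
    return {"total": len(cves), "weaponized": len(weaponized),
            "rce_pe": len(strategic), "trending": len(trending)}


def cvss_cutoff_policy(cves, cutoff=8.0):
    """IDs that a 'patch only CVSS v2 >= cutoff' policy would schedule."""
    return {c.cve_id for c in cves if c.cvss_v2 >= cutoff}


def missed_by_cvss_policy(cves, cutoff=8.0):
    """Trending RCE/PE CVEs the cutoff policy leaves unpatched, sorted by ID."""
    return sorted(c.cve_id for c in cves
                  if c.trending and c.rce_or_pe and c.cvss_v2 < cutoff)


def shared_across_families(cves, min_families=2):
    """CVE ID -> families, for CVEs used by at least min_families families."""
    return {c.cve_id: c.families for c in cves if len(c.families) >= min_families}


def priority_key(c):
    """Threat context first; CVSS only breaks ties among otherwise equal CVEs."""
    return (c.trending, c.weaponized, c.rce_or_pe,
            len(c.families) >= 2, len(c.vendors) >= 2, c.cvss_v2)


def risk_based_order(cves):
    """Patch order under the report's model (most urgent first)."""
    return [c.cve_id for c in sorted(cves, key=priority_key, reverse=True)]


if __name__ == "__main__":
    print("funnel:", funnel(REPORT_SUBSET))
    print("CVSS>=8 policy would patch:", sorted(cvss_cutoff_policy(REPORT_SUBSET)))
    print("...and miss these trending RCE/PE CVEs:", missed_by_cvss_policy(REPORT_SUBSET))
    print("used by 2+ families:", sorted(shared_across_families(REPORT_SUBSET)))
    print("risk-based order:", risk_based_order(REPORT_SUBSET))
```

Run stand-alone, the script shows the two failure modes the report describes side by side: the score-only policy schedules both constructed controls (high score, but no exploit or no activity) while skipping CVE-2017-0147 (4.3) and CVE-2016-3298 (2.6), whereas the risk-based ordering puts every trending, weaponized RCE/PE CVE ahead of them regardless of score. In practice the boolean flags would be fed from a threat-intelligence source rather than hard-coded.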

Summary and Recommendations

Relevant CVEs:
• List of trending vulnerabilities used by multiple families of ransomware

Recommendations:
Prioritize patching of vulnerabilities that are used by multiple families of ransomware.


Vulnerabilities by Vendor and Product

Next, we take an asset-centric view of ransomware by looking at the systems, applications, and resources that are being targeted. While Microsoft and Adobe vulnerabilities have long been favorite targets for exploits and malware, our data shows a variety of vendors and products being targeted. Many of the trending vulnerabilities targeted components within high-value systems including critical components within servers.

Vulnerabilities by Vendor and Product The 57 vulnerabilities in the report are spread across 12 vendors, which likewise were tied to 33 different products. Microsoft had by far the most vulnerabilities with 27, followed by RedHat (6), Adobe (5), Oracle (5), and Apache (4).

Vulnerabilities by Vendor (57 total)

Vendor             CVEs
Microsoft          27
RedHat             6
Adobe              5
Oracle             5
Apache             4
Atlassian          2
HP                 2
Pivotal Software   2
ConnectWise        1
Elastic            1
Rarlab             1
Samba              1

It is important to note that ransomware is targeting the application layer in addition to traditional infrastructure. This means that organizations will need to include Application Security and Open Source Security as part of their vulnerability management strategy. We have summarized some of the key findings for top vendors as follows:

Microsoft: At the application level, Microsoft vulnerabilities were spread across Windows, Edge and Internet Explorer, and Microsoft Office. However, the often-overlooked SMB vulnerabilities are also attributed to Microsoft and were targeted by a variety of families. Likewise, Microsoft Silverlight was targeted by several families including GandCrab, Princess Locker, Cerber, and the recently surging Sodinokibi ransomware. Of the 8 Windows vulnerabilities, 6 were relevant to versions of Windows Server.

RedHat: The RedHat vulnerabilities were primarily tied to the JBOSS application server and its components. Particularly targeted by SamSam and Satan ransomware, these vulnerabilities are important for multiple reasons: the systems are high-value targets that can warrant steep ransoms, and they are externally facing and exploitable, making them ideal initial infection vectors that can be used to spread ransomware more broadly.

Adobe: The Adobe vulnerabilities were all tied to Adobe Flash Player. These vulnerabilities were strongly tied to Cerber, except for the most recent vulnerability (CVE-2018-15982), which was used by Gandcrab.

Oracle: Oracle had 5 vulnerabilities, but all were significant. Two were tied to the Oracle JRE, which can affect a wide variety of other products. These were targeted by a variety of ransomware including GandCrab, Sodinokibi, Princess Locker, Cerber, and Locky. Oracle WebLogic Server was another major target, with multiple vulnerabilities targeted by Satan, Gandcrab, Cerber, and Sodinokibi.




Vulnerabilities by Vendor and Product (Continued)


Vulnerabilities by vendor (57 Total Vulns):

Microsoft 27 | RedHat 9 | Adobe 6 | Oracle 5 | Apache 4 | HP 4 | Pivotal Software 3 | Atlassian 2 | ConnectWise 1 | Elastic 1 | Rarlab 1 | Samba 1

Vulnerabilities by product:

8  Microsoft Windows
6  Adobe Flash_Player
6  SMB
3  JBOSS_Application_Server
3  Microsoft Edge
3  Microsoft Explorer
3  Microsoft Office
2  Apache Struts
2  Atlassian Confluence
2  JBOSS_Enterprise_Application_Platform
2  Microsoft Silverlight
2  Oracle WebLogic_Server
2  Sun/Oracle JRE
1  Apache ActiveMQ
1  Apache Tomcat
1  Connectwise ManagedITSync
1  Elasticsearch
1  HP Application_Lifecycle_Management
1  HP Identity_Driven_Manager
1  HP integrated_lights-out_firmware
1  HP Procurve_Manager
1  JBOSS_brms_platform
1  JBOSS_Enterprise_Web_Platform
1  JBOSS_SOA_Platform
1  Microsoft Jscript
1  Microsoft Office
1  Oracle Fusion_Middleware
1  Rarlab WinRAR
1  RedHat Enterprise_Linux
1  Samba
1  Spring_Boot
1  Spring_Data_Commons
1  Spring_Data_REST


Vulnerabilities Affecting Servers and Applications

In total, 36 of the 57 vulnerabilities (63%) used by ransomware directly target servers or other critical enterprise assets. 31 of these vulnerabilities were trending in 2018 or 2019. This focus on high-value assets makes sense as attackers who intend to charge high ransoms will want to target high-value assets.

However, this should serve as a particularly stark reminder for security teams and patch management. These high-value assets may be some of the more challenging to patch due to managing change windows and are often not supported by automatic updates. However, these are the same assets that if compromised can cause the most disruption to the enterprise, and as a result are being actively targeted by ransomware. The table below consolidates the list of vulnerabilities that would most commonly affect servers and applications.

Note that we only included vulnerabilities that were directly tied to servers and applications, and where the attacking behavior applied to typical server use cases. For example, we did not include Flash vulnerabilities or other vulnerabilities that require the victim to visit or interact with a malicious page through a browser. While a server could contain this vulnerability, it does not apply to a common server use case.

Vulnerability ID   Source Product
CVE-2010-0738      JBOSS_Application_Server
CVE-2010-1428      JBOSS_Enterprise_Application_Platform
CVE-2012-0507      Sun/Oracle JRE
CVE-2012-0874      JBOSS_Enterprise_Web_Platform
CVE-2012-0874      JBOSS_Enterprise_Application_Platform
CVE-2012-0874      JBOSS_brms_platform
CVE-2012-0874      JBOSS_SOA_Platform
CVE-2012-1723      Sun/Oracle JRE
CVE-2013-4810      HP Procurve_Manager
CVE-2013-4810      HP Identity_Driven_Manager
CVE-2013-4810      HP Application_Lifecycle_Management
CVE-2014-6332      Windows Server
CVE-2015-1427      Elasticsearch
CVE-2015-1701      Windows Server
CVE-2016-0189      Microsoft Jscript
CVE-2016-3088      Apache ActiveMQ
CVE-2017-0143      Microsoft SMB
CVE-2017-0144      Microsoft SMB
CVE-2017-0145      Microsoft SMB
CVE-2017-0146      Microsoft SMB
CVE-2017-0147      Microsoft SMB
CVE-2017-0148      Microsoft SMB
CVE-2017-10271     Oracle WebLogic_Server
CVE-2017-12149     JBOSS_Application_Server
CVE-2017-12615     Apache Tomcat
CVE-2017-5638      Apache Struts
CVE-2017-8046      Spring_Data_REST
CVE-2017-8046      Spring_Boot
CVE-2018-11776     Apache Struts
CVE-2018-1273      Spring_Data_Commons
CVE-2018-2894      Oracle Weblogic_Server
CVE-2018-4878      RedHat Enterprise_Linux
CVE-2018-8120      Windows Server
CVE-2018-8440      Windows Server
CVE-2018-8453      Windows Server
CVE-2019-2725      Oracle Fusion_Middleware
CVE-2019-3396      Atlassian Confluence


Vulnerabilities Impacting Additional Products

Our analysis found 19 CVEs overall and 17 trending CVEs that had a downstream impact on other technology vendors. It is important to remember that vulnerabilities can impact other vendors and products that reuse or include the vulnerable component. For example, the Oracle JRE is used in a variety of other products, which would likewise need to be patched. This can give certain vulnerabilities an unexpected breadth within an organization that can be easy to miss.

To get a better view of this issue, we further analyzed Common Platform Enumeration (CPE) data to identify vulnerabilities that affect additional vendors. A vulnerability in Samba affected the most vendors, however it should be noted that the particular CVE is not currently trending in the wild. However, the Oracle JRE vulnerabilities impacted 12 additional vendors and a wide variety of individual products. Likewise, Apache Tomcat and the various RedHat vulnerabilities had a notably large reach. The remote exploitability of these vulnerabilities and their ability to directly target servers and applications should make them priorities for patching. The table below summarizes the CVEs that had a downstream impact on other vendors.

[Figure: number of products impacted by each CVE, grouped as Trending and Non-Trending; the per-CVE counts appear in the table below.]


Impacted vendors tracked in the table: Sun, Adobe, amazon, apache, apple, canonical, centos, cisco, debian, elasticsearch, f5, fedoraproject, fermilab, freebsd, gentoo, google, hp, huawei, jboss, juniper, mandriva, novell, oracle, redhat, Samba, slackware, suse, symantec, ubuntu, virtuozzo, vmware.

Vulnerability ID   Vendor    Product                                 Trending   Impacted vendors (Grand Total)
CVE-2016-2118      Samba     Samba                                   No         15
CVE-2012-1723      Oracle    Sun/Oracle JRE                          Yes        13
CVE-2012-0507      Oracle    Sun/Oracle JRE                          Yes        12
CVE-2017-12615     Apache    Apache Tomcat                           Yes        9
CVE-2015-7645      Adobe     Adobe Flash_Player                      Yes        6
CVE-2015-8651      Adobe     Adobe Flash_Player                      Yes        6
CVE-2016-1019      Adobe     Adobe Flash_Player                      Yes        6
CVE-2016-4117      Adobe     Adobe Flash_Player                      Yes        6
CVE-2007-1036      RedHat    JBOSS_Application_Server                No         5
CVE-2015-5122      Adobe     Adobe Flash_Player                      Yes        5
CVE-2018-4878      RedHat    RedHat Enterprise_Linux                 Yes        5
CVE-2012-0874      RedHat    JBOSS_Enterprise_Web_Platform           Yes        4
CVE-2013-4810      HP        HP Procurve_Manager                     Yes        4
CVE-2010-0738      RedHat    JBOSS_Application_Server                Yes        3
CVE-2018-15982     Adobe     Adobe Flash_Player                      Yes        3
CVE-2010-1428      RedHat    JBOSS_Enterprise_Application_Platform   Yes        2
CVE-2015-1427      Elastic   Elasticsearch                           Yes        2
CVE-2017-5638      Apache    Apache Struts                           Yes        2
CVE-2018-11776     Apache    Apache Struts                           Yes        2
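The downstream-vendor analysis described above can be reproduced from the CPE applicability strings that NVD attaches to each CVE. The Python below is an added example, not RiskSense's tooling: the CVE-to-CPE lists, the SOURCE_VENDOR map, the TRENDING set and the VENDOR_ALIASES map are constructed for illustration (only the CVE ids come from the report), and parse_cpe23 and downstream_impact are names chosen here.

```python
"""Downstream-vendor reach of a CVE from its CPE 2.3 applicability strings.

Added example, not RiskSense code. The CVE -> CPE lists are constructed for
illustration; in practice they come from the NVD CVE feed's configurations.
"""
import re
from collections import defaultdict

# CPE 2.3 formatted strings have 13 colon-separated fields; a literal colon
# inside a field is escaped as "\:", so split only on unescaped colons.
_CPE_SPLIT = re.compile(r"(?<!\\):")


def parse_cpe23(uri):
    """Return part/vendor/product/version of a CPE 2.3 formatted string."""
    fields = _CPE_SPLIT.split(uri)
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a well-formed CPE 2.3 string: {uri!r}")
    part, vendor, product, version = fields[2:6]
    return {"part": part, "vendor": vendor, "product": product, "version": version}


# Constructed sample data (NVD-style lowercase vendor names).
SAMPLE_CPES = {
    "CVE-2012-1723": [
        "cpe:2.3:a:oracle:jre:1.7.0:update4:*:*:*:*:*:*",
        "cpe:2.3:a:sun:jre:1.6.0:update32:*:*:*:*:*:*",
        "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
        "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:*:*:*:*",
        "cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*",
    ],
    "CVE-2017-5638": [
        "cpe:2.3:a:apache:struts:2.3.5:*:*:*:*:*:*:*",
        "cpe:2.3:a:apache:struts:2.5.10:*:*:*:*:*:*:*",
        "cpe:2.3:a:oracle:example_product_bundling_struts:1.0:*:*:*:*:*:*:*",  # constructed name
    ],
    "CVE-2016-2118": [
        "cpe:2.3:a:samba:samba:4.2.0:*:*:*:*:*:*:*",
        "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
        "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
        "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:*:*:*:*",
        "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*",
    ],
}
SOURCE_VENDOR = {"CVE-2012-1723": "oracle", "CVE-2017-5638": "apache", "CVE-2016-2118": "samba"}
TRENDING = {"CVE-2012-1723", "CVE-2017-5638"}  # constructed; mirrors the table's Trending column
VENDOR_ALIASES = {"sun": "oracle"}             # Sun's JRE is Oracle's JRE, not a downstream vendor


def downstream_impact(cve_cpes, source_vendor, trending, aliases=None):
    """One row per CVE: vendors other than the source that ship it, and how many products."""
    aliases = aliases or {}
    rows = []
    for cve, uris in cve_cpes.items():
        products_by_vendor = defaultdict(set)
        for uri in uris:
            cpe = parse_cpe23(uri)
            vendor = aliases.get(cpe["vendor"], cpe["vendor"])
            products_by_vendor[vendor].add(cpe["product"])
        src = source_vendor[cve]
        downstream = {v: p for v, p in products_by_vendor.items() if v != src}
        rows.append({
            "cve": cve,
            "source_vendor": src,
            "trending": cve in trending,
            "downstream_vendors": sorted(downstream),
            "downstream_products": sum(len(p) for p in downstream.values()),
        })
    # Trending CVEs first, then by breadth of downstream reach.
    rows.sort(key=lambda r: (not r["trending"], -len(r["downstream_vendors"]), r["cve"]))
    return rows


if __name__ == "__main__":
    for row in downstream_impact(SAMPLE_CPES, SOURCE_VENDOR, TRENDING, VENDOR_ALIASES):
        flag = "trending" if row["trending"] else "not trending"
        print(f"{row['cve']}: {len(row['downstream_vendors'])} downstream vendors "
              f"({', '.join(row['downstream_vendors'])}), "
              f"{row['downstream_products']} products, {flag}")
```

The alias map folds Sun into Oracle so the JRE's former vendor is not counted as reach, and trending CVEs sort ahead of non-trending ones regardless of breadth, which is how the report treats the Samba CVE-2016-2118 above.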

Summary and Recommendations

Relevant CVEs
• List of trending vulnerabilities targeting servers and applications
• Vulnerabilities affecting additional vendors

Recommendations
• Prioritize vulnerabilities that can target servers and applications
• Be aware of vulnerabilities that can impact additional vendors and products


Wormable Vulnerabilities in SMB and RDP

In addition to the many vulnerabilities analyzed thus far, Server Message Block (SMB) and Remote Desktop Protocol (RDP) have played an incredibly important role in the evolution of ransomware and remain a focal point for attackers today. In this section, we will look at specific vulnerabilities as well as important security best practices for these protocols to reduce the exposure to ransomware.

SMB and the ‘Eternal’ Exploits (MS17-010)

In April of 2017, the Shadow Brokers released the now infamous exploit known as EternalBlue, which targeted a vulnerability in SMB. The wormable nature of this vulnerability allowed an attacker to easily spread from host to host, infect additional devices, and move laterally within a network. In response, Microsoft issued Security Bulletin MS17-010, which cited several vulnerabilities spanning CVE-2017-0143 through CVE-2017-0148. In May of the same year, the WannaCry ransomware outbreak used the EternalBlue exploit against CVE-2017-0144 to spread from host to host within a network. Hundreds of thousands of devices were impacted globally in the attack. The same vulnerability was once again targeted a month later in the June Petya/NotPetya attacks.

Of note, RiskSense researchers were instrumental in highlighting how additional ‘Eternal’ exploits could be applied to other operating systems and also published the first open source scanner for MS17-010 on May 17th of 2017.

MS17-010 timeline (figure):
3.14.2017        CVE & Patch Released
                 30 days
4.14.2017        Exploit Released
April 21, 2017   RiskSense Analysis Warns of a Massive Cyber Attack
                 27 days
5.12.2017        WannaCry Massive Attack
                 45 days
6.27.2017        Petya Massive Attack

However, in spite of their highly publicized nature and availability of patches, the MS17-010 vulnerabilities persist within enterprise networks and continue to be used by multiple families of ransomware today including Ryuk, SamSam, Satan, BadRabbit, and Katyusha. Ryuk, which is one of the more recent families of ransomware, is notable for demanding very high ransoms of $100,000 or more.

Given the wormable nature of these vulnerabilities and that they remain targets for some of the most recent and damaging malware, organizations should heavily prioritize patching efforts for the following CVEs. Additionally, since these vulnerabilities are used by ransomware to move laterally and spread within a network, it is important that all vulnerable devices are patched, not just those exposed to the internet.

CVE             Relevant Ransomware Families
CVE-2017-0143   BadRabbit, Katyusha, Ryuk, SamSam
CVE-2017-0144   Ryuk, Satan
CVE-2017-0145   BadRabbit, Katyusha, Ryuk, SamSam
CVE-2017-0146   BadRabbit, Katyusha, Ryuk, SamSam
CVE-2017-0147   BadRabbit, Katyusha, Ryuk, SamSam
CVE-2017-0148   Petya


RDP and BlueKeep (CVE-2019-0708)

Much like MS17-010, which affects SMB, the recent BlueKeep vulnerability (CVE-2019-0708) represents a wormable vulnerability for RDP. Proof-of-concept code for the vulnerability has been demonstrated, and it is widely anticipated that exploits will eventually be seen in the wild. On 21 May 2019 RiskSense was the first to release an open source scanner for BlueKeep, which quickly found that approximately 1 million devices were exposed and vulnerable.

Additionally, new wormable RDP vulnerabilities were found affecting the Microsoft Remote Desktop service in August of 2019. This includes CVE-2019-1181, CVE-2019-1182, CVE-2019-1222, and CVE-2019-1226.

There are two important take-aways from this information. First, organizations should prioritize patching for CVE-2019-0708. Secondly, organizations should not be exposing RDP and SMB externally in the first place.

Reducing the SMB and RDP Attack Surface

While much of the analysis in this paper is focused on specific CVEs related to ransomware, we would be remiss not to underline general security best practices for SMB and RDP. As a matter of course, neither SMB nor RDP should be exposed to the internet. However, using Shodan we can see that roughly 1.8 million SMB ports are exposed on the internet, and 7.6 million RDP ports are likewise exposed. This basic exposure has been heavily utilized by a variety of ransomware families. The SamSam family of ransomware in particular is well-known for gaining access to networks by simply brute-forcing exposed RDP ports. This means that ransomware will often gain access not by exploiting a CVE, but by finding lapses in basic network security hygiene.

Enterprises should scan their environments and close any exposed SMB or RDP ports. In cases where the organization requires RDP to be exposed, security teams should take strong measures to secure the service, including but not limited to:

• Ensure strong password policies
• Prioritized patching for related vulnerabilities
• Move the service to a non-standard port
• Implement a lockout policy after repeated login failures
• Implement multi-factor authentication
• Implement strict access control rules
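Scanning for exposed SMB and RDP and deciding what to do with each finding, as the checklist above recommends, can be done offline from an existing port-scan export. The Python below is an added example and not RiskSense's scanner: the scan records and their JSON layout are constructed (the "public" addresses use TEST-NET documentation ranges standing in for an organization's own routable space), and INTERNAL_NETS, ACTIONS, is_internal, triage and summarize are names chosen here. Internal hosts are reported too, because the report's point is that wormable SMB flaws must be patched on every vulnerable device, not only internet-facing ones.

```python
"""Triage SMB and RDP exposure from a port-scan export.

Added example, not RiskSense's scanner. The scan records are constructed; the
"public" addresses use TEST-NET documentation ranges standing in for an
organization's own routable address space.
"""
import ipaddress
import json

SMB_PORT, RDP_PORT = 445, 3389

# Address space treated as internal. ipaddress.is_global is deliberately not
# used: it also reports the TEST-NET sample addresses below as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed scan export: one record per open port.
SAMPLE_SCAN_JSON = """[
 {"ip": "203.0.113.10", "port": 3389, "proto": "tcp", "service": "ms-wbt-server"},
 {"ip": "203.0.113.10", "port": 443,  "proto": "tcp", "service": "https"},
 {"ip": "198.51.100.7", "port": 445,  "proto": "tcp", "service": "microsoft-ds"},
 {"ip": "10.20.30.40",  "port": 445,  "proto": "tcp", "service": "microsoft-ds"},
 {"ip": "10.20.30.41",  "port": 3389, "proto": "tcp", "service": "ms-wbt-server"},
 {"ip": "192.0.2.55",   "port": 22,   "proto": "tcp", "service": "ssh"}
]"""

# Recommended action per (protocol, exposure), following the report's guidance.
ACTIONS = {
    ("SMB", "internet"): "close internet-facing SMB; patch MS17-010 (CVE-2017-0143 to CVE-2017-0148)",
    ("RDP", "internet"): ("close internet-facing RDP or, where it must stay exposed, enforce strong "
                          "passwords, a lockout policy, MFA, strict access control rules and a "
                          "non-standard port; patch CVE-2019-0708 and the August 2019 RDP CVEs"),
    ("SMB", "internal"): "patch MS17-010 even though not internet-facing: wormable, used for lateral movement",
    ("RDP", "internal"): "patch CVE-2019-0708 and the August 2019 RDP CVEs; restrict RDP with access control rules",
}


def is_internal(ip):
    """True when the address falls in one of the INTERNAL_NETS ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def load_scan(text):
    return json.loads(text)


def triage(records):
    """Return SMB/RDP findings, internet-exposed ones first."""
    findings = []
    for rec in records:
        if rec.get("proto", "tcp") != "tcp" or rec["port"] not in (SMB_PORT, RDP_PORT):
            continue
        protocol = "SMB" if rec["port"] == SMB_PORT else "RDP"
        exposure = "internal" if is_internal(rec["ip"]) else "internet"
        findings.append({
            "ip": rec["ip"], "port": rec["port"], "protocol": protocol,
            "exposure": exposure,
            "priority": 1 if exposure == "internet" else 2,
            "action": ACTIONS[(protocol, exposure)],
        })
    findings.sort(key=lambda f: (f["priority"], f["ip"], f["port"]))
    return findings


def summarize(findings):
    """Group findings as 'ip:protocol' strings by exposure."""
    return {
        "internet_exposed": [f"{f['ip']}:{f['protocol']}" for f in findings if f["exposure"] == "internet"],
        "internal": [f"{f['ip']}:{f['protocol']}" for f in findings if f["exposure"] == "internal"],
    }


if __name__ == "__main__":
    for f in triage(load_scan(SAMPLE_SCAN_JSON)):
        print(f"P{f['priority']} {f['ip']}:{f['port']} {f['protocol']} ({f['exposure']}): {f['action']}")
```

Feed it the JSON your scanner already produces and add your own public prefixes to the classification if the organization's address plan needs it; the point of the two-tier output is that closing the internet-facing ports is the immediate fix, while the internal findings still carry a patch action.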


Summary and Recommendations

Vulnerability Type: CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148, CVE-2019-0708

Recommendations
• Scan for and remove internet-facing SMB and RDP wherever possible
• Prioritize patching of the MS17-010 vulnerabilities
• Apply strong security controls to RDP access


The Ransomware Top 10

By bringing together the various perspectives used in this report, we can zero in on a list of 10 very high priority vulnerabilities. This should in no way discount the importance of the many other vulnerabilities analyzed in the report, but rather give organizations a very short and manageable starting point for ransomware-based patching efforts.

Note that the table below is listed chronologically based on the CVE and not by importance or priority. The first 3 vulnerabilities all affect multiple vendors, are targeted by multiple families, all affect servers, and all are older CVEs. CVE-2010-0738 is also a particularly low scoring vulnerability. The final 6 vulnerabilities are the MS17-010 vulnerabilities. The wormable nature of these vulnerabilities means that they can have a particularly devastating impact to an enterprise if left unpatched.

Top 10 CVEs     Source                     Targeted by Multiple Ransomware Families   Impacts Multiple Vendors   Affects Servers   CVSS v2
CVE-2010-0738   JBOSS_Application_Server   Yes                                        Yes                        Yes               5
CVE-2012-1723   Sun/Oracle JRE             Yes                                        Yes                        Yes               10
CVE-2012-0507   Sun/Oracle JRE             Yes                                        Yes                        Yes               10
CVE-2015-8651   Adobe Flash_Player         Yes                                        Yes                        No                9.3
CVE-2017-0143   SMB                        Yes                                        No                         Yes               9.3
CVE-2017-0144   SMB                        Yes                                        No                         Yes               9.3
CVE-2017-0145   SMB                        Yes                                        No                         Yes               9.3
CVE-2017-0146   SMB                        Yes                                        No                         Yes               9.3
CVE-2017-0147   SMB                        Yes                                        No                         Yes               4.3
CVE-2017-0148   SMB                        Yes                                        No                         Yes               9.3
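The table makes the report's central argument concrete: two of the ten CVEs (CVE-2010-0738 at 5.0 and CVE-2017-0147 at 4.3) would sit at the bottom of any CVSS-only queue. The Python below is an added example, not RiskSense's scoring model; it reproduces the rows of the table above, carries the report's "wormable" description of the MS17-010 CVEs as a separate set because the table has no such column, and ranks the list both by CVSS alone and by a context score whose WEIGHTS and age term are illustrative assumptions (the function names context_score, rank_by_cvss, rank_by_context and missed_by_cvss are chosen here).

```python
"""Rank the Top 10 CVEs by CVSS alone versus by ransomware context.

Added example, not RiskSense's scoring model. The rows reproduce the Top 10
table from the report; WEIGHTS and the age bonus are illustrative assumptions.
"""

# (cve, source, multiple_families, multiple_vendors, affects_servers, cvss_v2)
TOP_10 = [
    ("CVE-2010-0738", "JBOSS_Application_Server", True, True, True, 5.0),
    ("CVE-2012-1723", "Sun/Oracle JRE", True, True, True, 10.0),
    ("CVE-2012-0507", "Sun/Oracle JRE", True, True, True, 10.0),
    ("CVE-2015-8651", "Adobe Flash_Player", True, True, False, 9.3),
    ("CVE-2017-0143", "SMB", True, False, True, 9.3),
    ("CVE-2017-0144", "SMB", True, False, True, 9.3),
    ("CVE-2017-0145", "SMB", True, False, True, 9.3),
    ("CVE-2017-0146", "SMB", True, False, True, 9.3),
    ("CVE-2017-0147", "SMB", True, False, True, 4.3),
    ("CVE-2017-0148", "SMB", True, False, True, 9.3),
]

# The report describes the six MS17-010 CVEs as wormable; the table has no
# column for that trait, so it is carried separately.
WORMABLE = {"CVE-2017-0143", "CVE-2017-0144", "CVE-2017-0145",
            "CVE-2017-0146", "CVE-2017-0147", "CVE-2017-0148"}

# Assumed weights: in-the-wild context outweighs the raw severity score.
WEIGHTS = {"cvss": 1.0, "multiple_families": 2.0, "multiple_vendors": 1.5,
           "affects_servers": 2.0, "wormable": 3.0, "age_per_year": 0.1}
REPORT_YEAR = 2019


def context_score(row, weights=WEIGHTS, year=REPORT_YEAR):
    """Weighted sum of the table's traits plus a small bonus for CVE age."""
    cve, _source, families, vendors, servers, cvss = row
    cve_year = int(cve.split("-")[1])
    score = weights["cvss"] * cvss / 10.0
    score += weights["multiple_families"] * families
    score += weights["multiple_vendors"] * vendors
    score += weights["affects_servers"] * servers
    score += weights["wormable"] * (cve in WORMABLE)
    # Old CVEs that are still being used are the ones nobody patched.
    score += weights["age_per_year"] * (year - cve_year)
    return round(score, 2)


def rank_by_cvss(rows):
    """CVE ids ordered by CVSS v2 alone, highest first (ties by id)."""
    return [r[0] for r in sorted(rows, key=lambda r: (-r[5], r[0]))]


def rank_by_context(rows):
    """CVE ids ordered by context_score, highest first (ties by id)."""
    return [r[0] for r in sorted(rows, key=lambda r: (-context_score(r), r[0]))]


def missed_by_cvss(rows, top_n):
    """CVEs inside the context top-N that a CVSS-only top-N would leave out."""
    cvss_top = set(rank_by_cvss(rows)[:top_n])
    return [c for c in rank_by_context(rows)[:top_n] if c not in cvss_top]


if __name__ == "__main__":
    print(f"{'context rank':<18}{'cvss rank'}")
    for ctx, sev in zip(rank_by_context(TOP_10), rank_by_cvss(TOP_10)):
        print(f"{ctx:<18}{sev}")
    print("missed by a CVSS-only top 6:", missed_by_cvss(TOP_10, 6))
```

With these weights, a six-item patch window chosen by CVSS alone would take the two JRE CVEs and the Flash CVE but leave out three of the wormable MS17-010 CVEs, including the 4.3-scored CVE-2017-0147; the context ranking also places CVE-2010-0738 above CVE-2015-8651 despite the gap in their scores. Tune WEIGHTS to your own environment; the structure is what matters.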


Summary

We hope that this report provides organizations with prescriptive and usable insights that can help to protect their assets from being exposed to ransomware and drive an efficient approach to vulnerability and patch management. While any threat-based analysis will naturally represent a specific point in time, we hope that the lessons and methodologies contained in the report continue to provide guidance even as ransomware and attack campaigns adapt and evolve.

In particular we have seen how some of the vulnerabilities that ransomware uses the most can fly under the radar due to age or low CVSS score. This should serve as a reminder that CVSS scores should be just one of several contexts we consider when evaluating a vulnerability. Ultimately, insights from threats in the wild provide the most reliable context for driving good security decisions. As a result, organizations should always be aware of which vulnerabilities have actually been weaponized and are actively being used by attackers in the wild.

This real-world context also clearly shows how enterprise ransomware targets higher value assets such as server and application infrastructure where attacks are likely to cause the most damage. The need to schedule change windows can make these assets the most challenging and time-consuming to patch for enterprise IT teams. However, it is important to remember that the inconvenience of these patching efforts is nominal compared to the disruption and loss due to a successful ransomware attack.

Lastly, teams should be aware of the vulnerabilities where ransomware congregates the most. Multiple families of ransomware can target the same vulnerabilities for a variety of reasons. The vulnerability may be particularly easy to target and used in readily available exploit kits. The vulnerability may be particularly valuable, such as wormable exploits that allow attackers to quickly spread through a victim network. In either case, these confluences of ransomware behavior should serve as a vivid indicator of risk for an enterprise, and should be prioritized accordingly.

By analyzing vulnerability metrics and characteristics, real-world threat context, and an understanding of the impact to the organization, security leaders can make risk-based decisions based on the content of this report that result in smarter patching decisions. Even with limited resources a more effective approach can be obtained to address the growing enterprise ransomware threat.


About RiskSense

RiskSense®, Inc. provides vulnerability management and prioritization to measure and control cybersecurity risk. The cloud-based RiskSense platform uses a foundation of risk-based scoring, analytics, and technology-accelerated pen testing to identify critical security weaknesses with corresponding remediation action plans, dramatically improving security and IT team efficiency and effectiveness. For more information, visit www.risksense.com or follow us on Twitter at @RiskSense.

RiskSense – the industry’s most comprehensive risk-based vulnerability management and prioritization platform

Contact us today to learn more about RiskSense: RiskSense, Inc. | +1 844.234.RISK | +1 505.217.9422 | risksense.com

© 2019 RiskSense, Inc. All rights reserved. RiskSense and the RiskSense logo are registered trademarks of RiskSense, Inc. Spotlight_Ransomware_20191014