Unpatched Vulnerabilities: Ransomware’s Favorite Entry Point

A recent report by Sophos, based on a comprehensive survey conducted by Vanson Bourne, sheds light on the stark realities and heightened risks associated with unpatched vulnerabilities in the context of ransomware attacks. The findings from 2,974 IT and cybersecurity professionals across small and mid-sized organizations reveal a grim picture: attacks exploiting unpatched vulnerabilities result in significantly more severe outcomes than those leveraging compromised credentials.

The Sophos report underscores the brutal efficiency of ransomware attacks initiated through unpatched vulnerabilities. Key statistics include a 75% success rate in compromising backups, a 67% data encryption rate, and a 71% likelihood of paying the ransom among victims of such attacks. In stark contrast, attacks based on compromised credentials show markedly lower rates of success in these areas.

The financial repercussions are equally alarming. Organizations affected by vulnerability-exploited attacks face recovery costs four times higher than those targeted via compromised credentials, averaging $3 million compared to $750,000. Additionally, the recovery period for the former is notably longer, with 45% of organizations taking more than a month to recuperate.

The report also highlights the variability of ransomware attacks across different sectors. Industries such as energy, oil/gas, and utilities face the highest incidence of attacks starting with exploited vulnerabilities, likely due to their reliance on older, more vulnerable technologies. Conversely, the construction and property sectors report the lowest rates of such attacks.

Sophos’ findings reveal a troubling trend: more than half of the vulnerability-exploited attacks investigated by Sophos incident responders in 2022 were due to ProxyShell and Log4Shell, vulnerabilities for which patches were available at the time of compromise. This suggests a critical gap in patch management and application within affected organizations, underscoring the importance of timely updates and maintenance.

The report further examines the correlation between organizational size and the likelihood of experiencing an exploit-led ransomware attack. Larger organizations, with their complex IT infrastructures and broader attack surfaces, are inherently more susceptible to such attacks, highlighting the need for comprehensive security measures that scale with organizational growth.

To combat the threat of ransomware, particularly attacks exploiting unpatched vulnerabilities, Sophos recommends a multifaceted approach: maintaining full visibility of external-facing assets, prioritizing the patching of high-risk exposures, applying updates regularly, deploying anti-exploit protections, and ensuring 24/7 detection and response capabilities.