Despite comprehensive security practices aimed at mitigating vulnerabilities, ransomware attackers continue to achieve significant breaches by targeting a small fraction of critical CVEs. This blog explores the focus on these high-risk vulnerabilities, the mechanisms of ransomware attacks, and the primary weaknesses that facilitate these threats. By understanding these factors, organizations can better prioritize their defenses and reduce the risk of devastating ransomware incidents.



Here is the verbatim discussion:

And you know very interesting thing is this that uh although you know we have security practices to find all possible bugs and vulnerabilities such as business logic vulnerabilities in web apps and mitigating all the info level vulnerabilities medium vulnerabilities interestingly ransomwares Target 1% of nvd I and critical CV is so just 1% of them are being targeted by attackers to achieve this Mega Fe Mega you know result uh now I'll just give you some numbers that uh the number of critical High cves currently as of today are around 50,000 so I'm just talking about CVS greater than uh probably six or seven CV score right in order to consider as high and seven probably seven and above and and then this I'm also referring to the cisa prioritize cves cesa maintains a list of you know cves which are being targeted by ransomwares and they make a news and they get an alert from various teral feeds and they have around um around 500 critical cve is in their list so the figure comes out to be 1% which means 1% of those n high and critical CVS which are there in your nvd database are currently being targeted by ransomwares now I'm sure everyone knows how ransomware works that ransomwares most of the time start externally so there are no way closer physically to your organization they are somewhere sitting in different countries uh it can be any other country any country you know uh and uh one of their primary way to attack an organization is to get a initial foothold right when they will get some access to your servers using um either exploitation or you know various other techniques and once this initial foothold is done then the snowball gets start rolling right and it's very difficult to you know stop this snowball once the ransomwares are in your network uh and they and it starts spreading you know then it it becomes a different game Al together uh so let's you know see what are the weaknesses top three weaknesses that leads to leads you know that helps run someware to get you initial get the initial foothold and uh the the good Insight come from IBM you know and both Verizon reports uh as per IBM xforce report uh you know 80% of three weaknesses leads to 80% of ransomwares and these three weaknesses are exploiting external cves and this leads to 26% of attacks it it basically contribut 26% of uh cases where romare gets initial foothold into organization U then then you know of course the most prominent one is the fishing where uh you know attackers usually send a fishing email on a mass scale or a you know spear fishing and with malicious attachment link and allow users and various other you know techniques which including even social media uh wishing uh which allow user to ultimately give access to this uh to to the malwares and ransomwares on their uh on their systems and from there you know the attack starts right uh apart from that uh 60% of the cases are because of Shadow it which means the assets which are not probably are there are not there in the asset inventory but are left open for the attackers on the on the public internet uh so just give you a number in terms of cves uh we have seen 49 cves being added to the cisa you know uh database from the last few months which have been targeted by ransomwares in just 2023 and 366 CVS were added in 2022 which were you know Target.



Targeting High-Risk CVEs:

  • Ransomware attacks primarily focus on a small subset of critical vulnerabilities. Only about 1% of high and critical CVEs from the National Vulnerability Database (NVD) are actively targeted by attackers.
  • As of now, there are approximately 50,000 high and critical CVEs (CVSS score ≥ 7). The Cybersecurity and Infrastructure Security Agency (CISA) maintains a list of around 500 critical CVEs known to be exploited by ransomware, highlighting the targeted nature of these attacks.

Exploitation of External CVEs:

  • External CVEs provide a critical entry point for ransomware. Attackers exploit these vulnerabilities to gain an initial foothold in the organization’s network.
  • According to reports, exploiting external CVEs accounts for 26% of ransomware initial access points.

Phishing Attacks:

  • Phishing remains the most prominent method for ransomware distribution. Attackers use mass phishing campaigns and spear-phishing tactics to trick users into downloading malicious attachments or clicking on harmful links.
  • Social engineering techniques, including vishing (voice phishing), are also used to deceive individuals into granting access to malicious software.

Impact of Shadow IT:

  • Shadow IT, or the use of unauthorized IT systems and solutions, significantly contributes to security risks. Assets not included in official asset inventories are often left exposed to the internet, providing easy targets for attackers.
  • Shadow IT is responsible for 60% of the initial access points in ransomware cases.

Recent Trends and Statistics:

  • In 2023 alone, 49 new CVEs were added to CISA’s list of vulnerabilities exploited by ransomware. In 2022, this number was 366, underscoring the increasing focus on exploiting high-risk CVEs.
  • Ransomware attacks frequently start from external locations, making it crucial to secure perimeter defenses and regularly update and patch vulnerable systems.


Ransomware attacks continue to be a significant threat, leveraging a small fraction of high-risk CVEs to achieve considerable damage. Organizations must prioritize the remediation of these critical vulnerabilities to prevent initial access by attackers. By focusing on the most exploited CVEs, implementing robust phishing defenses, and addressing Shadow IT risks, businesses can significantly reduce their exposure to ransomware. Proactive vulnerability management and continuous monitoring are essential strategies in safeguarding against these persistent threats.



Jitendra Chauhan has over 16+ years of experience in the Information Security Industry in key areas such as Building and Managing Highly Scalable Platforms, Red Teaming, Penetration Testing, and SIEM. He holds multiple patents in Information Security. He loves to visualize problems, solutions and ideas. He is very strong with modelling and inductive learning (he can mentally make math models based on a few examples). He is very passionate about machine learning and its applications, Cyber Security and Micro Services.

E-mail me when people leave their comments –

You need to be a member of CISO Platform to add comments!

Join CISO Platform

CISO Platform

A global community of 5K+ Senior IT Security executives and 40K+ subscribers with the vision of meaningful collaboration, knowledge, and intelligence sharing to fight the growing cyber security threats.

Join CISO Community Share Your Knowledge (Post A Blog)



CISO Breakfast at BlackHat Las Vegas 2024!

  • Description:

    We are thrilled to invite you to the CISO Breakfast at BlackHat 2024. 

    CISOPlatform is a community partner for the event which is co-hosted by Silicon Valley Bank, Stage One, First Rays Venture Partners, Latham & Watkins.


    Event Details: 

    • Date: Thursday, August 8th,…
  • Created by: pritha
  • Tags: blackhat usa, las vegas, ciso breakfast, usa