6 TOP EXPLOITED VULNERABILITIES

While examining hundreds of different ransomware incidents since the beginning of 2020, we found that the operators behind these ransomware attacks commonly abused two notable vulnerabilities:

The CVE-2019-19781 vulnerability (CVSS score: 9.8) affects remote access appliances manufactured by Citrix, whose products are used by many organizations. The vulnerability was publicly disclosed at the end of December 2019 and fixed a month later [35]. It affects the Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC. Successful exploitation could allow an unauthenticated attacker to connect remotely and execute arbitrary code on the affected computer. Since its disclosure, the vulnerability has been successfully exploited by multiple ransomware gangs, such as REvil, Ragnarok, DoppelPaymer, Maze, and Nephilim, in a significant number of incidents [36].

The CVE-2019-11510 vulnerability (CVSS score: 10) affects Pulse Secure VPN products. It allows attackers to remotely access the targeted network, remove multi-factor authentication protections and access the logs that contain cached passwords in plain text. Although the vulnerability was publicly disclosed some time ago and patched back in April 2020 [37], many organizations have not yet patched it and remain exposed to attacks. The vulnerability was reportedly successfully exploited in a number of ransomware incidents by the REvil, Netwalker and Black Kingdom gangs [38].

35. https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/
36. https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/; https://www.bleepingcomputer.com/news/security/doppelpaymer-hacked-bretagne-t-l-com-using-the-citrix-adc-flaw/; https://www.infosecurity-magazine.com/news/it-services-firm-conduent-felled/; https://www.bankinfosecurity.com/nephilim-ransomware-gang-tied-to-citrix-gateway-hacks-a-14480; https://www.zdnet.com/article/ransomware-gang-demands-7-5-million-from-argentinian-isp/
37. https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101/?kA23Z000000KBro
38. https://www.zdnet.com/article/vpn-warning-revil-ransomware-targets-unpatched-pulse-secure-vpn-servers/; https://www.bleepingcomputer.com/news/security/black-kingdom-ransomware-hacks-networks-with-pulse-vpn-flaws/; https://www.bleepingcomputer.com/news/security/fbi-warns-of-netwalker-ransomware-targeting-us-government-and-orgs/

25 | The Ransomware Landscape