Sophos News

Unpatched Vulnerabilities: The Most Brutal Ransomware Attack Vector

To deploy a ransomware attack, adversaries must first gain access to a victim’s corporate environment, devices, and data. Threat actors typically use two main approaches to gain entry: logging in using compromised credentials, i.e., legitimate access data that had previously been stolen, and exploiting vulnerabilities in applications and tools used by the business. Other less common modes of entry include brute force attacks, supply chain compromise, malicious emails/documents, and adware. Phishing features heavily in ransomware attacks but is primarily used to steal the credentials later used to log in to the organization.

Click above to download the free report

This report highlights how ransomware outcomes differ depending on the root cause of the attack. It compares the severity, financial cost, and operational impact of attacks that start with an exploited vulnerability with those where adversaries use compromised credentials to penetrate the organization. It also identifies the industry sectors most and least commonly exploited.

The findings are based on a vendor-agnostic survey commissioned by Sophos of 2,974 IT/cybersecurity professionals in small and mid-sized organizations (100-5,000 employees) that had been hit by ransomware in the last year. The survey was conducted by independent research agency Vanson Bourne in early 2024 and reflects respondents’ experiences over the previous 12 months.

>> Download the PDF copy of the report

Executive summary

While all ransomware attacks have negative outcomes, those that start by exploiting unpatched vulnerabilities are particularly brutal for their victims. Organizations hit by attacks that began in this way report considerably more severe outcomes than those whose attacks started with compromised credentials, including a higher propensity to:

They also reported:

The study focuses on correlation, and further exploration is needed into reasons behind these outcomes. It’s important to bear in mind that not all ransomware attacks are equal. Some are executed by sophisticated, well-funded gangs using a range of innovative approaches. At the same time, the use of crude, cheap ransomware by lower-skilled threat actors is on the rise. It may be that adversaries that are able to exploit unpatched software vulnerabilities are more skilled than attackers who buy stolen credentials from the dark web (for example), and therefore better able to succeed in compromising backups and encrypting data.

One-third of ransomware attacks start with an unpatched vulnerability

32% of ransomware attacks experienced by the survey respondents in the past year started with an exploited vulnerability. Diving deeper, we see that the proportion of ransomware attacks that began in this way varies considerably by industry:

This variation is likely impacted, in part, by the different technology solutions used and their associated patching challenges. Sectors such as energy, oil/gas, and utilities typically use a higher proportion of older technologies more prone to security gaps than many other sectors, and patches may not be available for legacy and end-of-life solutions.

At the same time, more often than not, patches are available – they just haven’t been applied. Of the attacks that Sophos incident responders were brought in to remediate in 2022 that started with exploited vulnerabilities, over half (55%) were caused by ProxyShell and Log4Shell — both of which had existing patches at the time of compromise. Sophos continues to see ProxyShell being exploited 30 months after the release of the patch. Learn more.

The analysis also revealed that the propensity to experience an exploit-led attack varies by organization size:

As organizations grow, their IT infrastructures tend to grow with them. The larger the environment, the greater the challenge in understanding the attack surface and the more tools and technologies that need to be maintained.

Ransomware impacts are more severe when the attack starts with an exploited vulnerability

The final goal for a ransomware actor is to encrypt an organization’s data and extract a ransom payment in return for the decryption key. On the way, they almost always attempt to compromise their victim’s backups to reduce their ability to restore data without paying.

The analysis reveals that across all three points – backup compromise, data encryption, and ransom payment – the impacts are most severe when the attack starts with an exploited vulnerability.

Backup compromise

There is no difference in attackers’ propensity to attempt to compromise backups based on the root cause. Adversaries tried to compromise them in 96% of attacks that started with exploited vulnerabilities and compromised credentials. However, there is a considerable difference in their success rate:

This may be because adversaries who leverage unpatched vulnerabilities are more skilled at breaching backups. It may also reflect that organizations with an exposed attack surface have weaker backup protection. Whatever the cause, having your backups compromised reduces resilience against the full impact of the attack.

Data encryption

Organizations are more than 50% more likely to have their data encrypted when an attack starts with an exploited vulnerability rather than compromised credentials:

As with backup compromise, the difference in outcome by root cause may reflect differing skill levels in adversary groups and differences in the overall strength of an organization’s cyber defenses.

Ransom payment rate

Given the higher rate of backup compromise reported when the attack started with an exploited vulnerability, it’s perhaps no surprise that this group reported a higher propensity to pay the ransom:

Without backups to recover from, the pressure on ransomware victims to access the decryption key increases, likely driving organizations to work with the attackers to restore data.

Unpatched vulnerabilities have business-critical consequences

Ransomware attacks that start with an exploited vulnerability have considerably greater financial and operational impact than those that begin with compromised credentials.

Ransom payment

While the attack root cause has an almost negligible impact on the ransom payment sum, with the median amount coming in at $1.988M (exploited vulnerabilities) and $2M (compromised credentials), it does have a considerable impact on the funding of the ransom payment:

Parent companies and cyber insurance providers are more likely to contribute to the ransom when the attack starts with compromised credentials rather than an exploited vulnerability.

Looking more broadly at the propensity of insurance carriers to honor claims we see that one quarter (25%) of denied claims by organizations that experienced an exploited vulnerability were due to not having the required cyber defenses for the claim to be honored, compared to 12% of claims where adversaries used compromised credentials.

Recovery cost

The ransom is just one element that contributes to the overall recovery cost from a ransomware attack. Leaving aside any ransom paid, the median overall recovery cost for ransomware attacks that start with an exploited vulnerability ($3M) is four times greater than for those that begin with compromised credentials ($750K).

Recovery time

Recovering from an attack that starts with an exploited vulnerability is typically much slower than when the root cause is compromised credentials.

This finding likely reflects the different remediation activities that victims need to undertake depending on the root cause, and their respective operational overheads. Patching a system or upgrading from an end-of-life product to a supported version may well be more time-consuming than resetting credentials. It may also be a result of the greater damage caused by exploited vulnerability attacks, including a greater likelihood of backup compromise and data encryption.


Patching is a vital first step in reducing the risk of falling victim to a ransomware attack (or any other breach) that starts with an exploited vulnerability. If you fix the security gap, adversaries can’t exploit it. It should ideally be part of a broader exploit-prevention risk management strategy:

Minimize your attack surface

Deploy anti-exploit protections

Detect and respond to suspicious activities

How Sophos can help

Sophos Managed Risk

Sophos Managed Risk is a vulnerability and attack surface management service powered by industry-leading Tenable technology and delivered by a dedicated team of Sophos threat exposure and remediation experts. It addresses four critical use cases: attack surface visibility, continuous risk monitoring, vulnerability prioritization, and fast identification of new risks.

Sophos Managed Risk is available with Sophos MDR, a fully managed cybersecurity service delivered 24/7 by Sophos threat experts. A dedicated team of Sophos Managed Risk operators – highly skilled in vulnerabilities and threat exposures – works closely with Sophos MDR analysts around the clock.

Sophos Endpoint

Sophos Endpoint includes more than 60 anti-exploitation capabilities that block the behaviors adversaries use to exploit an unpatched vulnerability, stopping both known vulnerabilities and zero-day threats. The anti-exploit capabilities deploy automatically from day one with no configuration or need for fine tuning.

Sophos Endpoint takes a comprehensive approach to protection without relying on one security technique. Web, application, and peripheral controls reduce your threat surface and block common attack vectors. AI, behavioral analysis, anti-ransomware, and other state-of-the-art technologies stop threats fast before they escalate.

>> Download the PDF copy of the report