Software-as-a-service applications emerge as new target for ransomware, report reveals

The report shows that Apple’s iCloud and Microsoft Outlook 365 are among products with the maximum vulnerabilities

Software-as-a-service (SaaS) applications have emerged as a new target for ransomware, and had the highest count of vulnerabilities that were seen trending with active exploits.

“We saw ransomware targeting 12 SaaS products with 47 vulnerabilities. We also found that 19 of these Common Vulnerabilities and Exposures (CVEs) are trending between 2018 and 2020,” pointed out a study report ‘Ransomware Through the Lens of Threat and Vulnerability Management’ by Chennai-based Cyber Security Works (CSW), an official CVE Numbering Authority (CNA), along with RiskSense, a company that provides risk-based vulnerability management.

The report shows that products with maximum vulnerabilities would be Apple’s iCloud, Microsoft Outlook 365, HP’s Application Lifecycle management, Oracle’s Fusion Middleware, Adobe’s Adobe Air, IBM’s Lotus Domino, and Notes. “With the usage of SaaS products increasing, we predict that threat actors will seek out vulnerabilities inherent in these applications and weaponise them systematically,” according to the report.

Vulnerabilities quadrupled

It was found that total vulnerabilities associated with ransomware quadrupled from 57 in 2019 to 223 in 2020. “The number of weaponised vulnerabilities associated with ransomware have quadrupled in 2020 which means organisations need to view vulnerabilities from a ransomware context and patch them continuously,” Ram Swaroop, co-founder, CSW, said.

CSW, which operates out of the IIT Madras Research Park, said the study is important because 89% of Indian IT leaders are concerned about data protection from ransomware. This, with good reason, as there has been a 31% increase in ransomware attacks on Indian organisations during the COVID-19 pandemic in 2020.

NHAI, Apollo Tyres, India Bulls, P & R Group and Delhi Medical Council have been victims of ransomware in the past year and their data is exposed on the dark web.

“A few of the known high profile data breaches in India that impacted critical infrastructure are from sectors including telecom, e-commerce and public sector entities. Dr. Reddy’s, Big Basket, Airtel, Jawaharlal Nehru Port Trust (JNPT), Juspay exposed sensitive data and personal information onto the dark web,” the company said.

You have reached your limit for free articles this month.

Subscription Benefits Include

Today’s Paper

Find mobile-friendly version of articles from the day’s newspaper in one easy-to-read list.

Unlimited Access

Enjoy reading as many articles as you wish without any limitations.

Personalised recommendations

A select list of articles that match your interests and tastes.

Faster pages

Move smoothly between articles as our pages load instantly.


A one-stop-shop for seeing the latest updates, and managing your preferences.


We brief you on the latest and most important developments, three times a day.

Support Quality Journalism.

*Our Digital Subscription plans do not currently include the e-paper, crossword and print.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button