Which operating systems tend to be most vulnerable to ransomware attacks?

In the context of recent cyberattacks/ransomware attacks on key US industries coming out of Russia and elsewhere, which operating systems used by these industries tend to be most vulnerable to ransomware attacks? Mac OS, Microsoft, Linux? Are they all very vulnerable?

I think the problem is mostly Windows - because it is by far the most used, and the most used by people who habitually may access the internet or read email. There are some vectors for accessing internet-facing machines (usually servers) via vulnerabilities in the OS for Linux and Mac, but the number of such machines and vulnerabilities is small. The usual vector for getting into systems, the most elementary ransomware, is spread via email attachments or bad websites - and most of those are aimed at PCs since they are the most common computers reading emails or browsing websites.

The incidence of enterprises using all Macs is very small. The number using Apple Mac-based servers, even smaller. To properly destroy the ability to function in a business environment, the ransomware needs to get at the servers, and 99% of the time the servers are Windows; so ransomware tends to be written to attack Windows PCs.

(What disease is most likely to spread all across the USA with devastating results? A virus that attacks cows, or one that attacks goats?)

Thanks md-2000. That begs the question why companies don’t transition to safer operating systems such as MacOS. Is it a question of cost?

To properly destroy the ability to function in a business environment, the ransomware needs to get at the servers, and 99% of the time the servers are Windows; so ransomware tends to be written to attack Windows PCs.

Windows Server is widely used, but nowhere near 99%. Datacenters and large corporations often use highly customized versions of Linux, for which ransomware has been developed.

Cost and compatibility, both hardware and software. It would be too costly to switch to Mac OS, requiring major hardware changes tied [solely] to Apple.

It’s not that Mac OS is necessarily more secure, it’s that the percentage of Mac OS use isn’t a big enough target for (current) ransomware developers. As I stated above, ransomware targeting Linux has been developed and deployed: https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html And if Mac OS had significant business usage, it would be a bigger target.

I’ve no idea. But I suspect the more popular a system is, the more people try to look for vulnerabilities.

Whilst the actual software payload used to implement a ransomware attack might be most popularly seen to attack Windows, that is just the final implementation. Software exists to attack Unix and MacOS. The thing is that ransomware does not, in general, need to exploit vulnerabilities in the computer operating system. It just needs to get itself onto the system.

The security vulnerabilities exploited are in the wetware operating system between the ears.

A major reason is the availability of specialized business application software–a great deal more is written for Windows than for MacOS.

Exactly. It’s the user. Plus the fact that corporations don’t take security seriously.

The breach on the oil pipeline was initiated from an account of an employee who left the company, but his account was never disabled. And he used the same password for all his accounts.

Once a hacker gets access to the system, the OS doesn’t matter.

Human fallibility and inaction are much bigger vectors for ransomware and other exploits than OSes are. Lack of patching, poor passwords, shared passwords, reused passwords and insufficient training are much bigger factors in successful compromises. Add to that increasingly sophisticated social engineering and phishing. A large part of my organization’s security efforts is given over to education and awareness.

Not explicitly mentioned, although SomeDeadSinger touched on it when he mentioned patches, is that a lot of enterprises are running on hideously outdated versions of OS (especially Windows), which means there are published, known vulnerabilities that can be abused.

For a home user, you may end up buying a new PC before your OS goes out of support, but a lot of companies who are paying huge amounts of $$$ for licenses will put it off to the last moment (or after). And/or they have personalized software that is only compatible with an obsolete OS, so they keep running it on machines that may or may not be outward facing, and then . . . well, none of this is nearly as much of an issue as the already well-discussed failure of the software between the ears of the end users.

At this point I could believe that, as a user OS, Windows is as secure or better than Linux and MacOS. Windows is the most popular OS for non-power users and thus the easiest to exploit.

Yeah, the servers don’t need to be any specific OS for ransomware - all it needs is to run on client machines under user accounts that have broad permissions (like for example management individuals who have successfully argued that their status and role means they should have full access to everything).

And if security had been on top of their game and made sure that that guy’s account had been shut down properly, the result would have been… absolutely nothing. There would have been no sign of an attempted breach, the person who was in charge of locking down accounts would have nothing to brag about on their performance review to justify their job. And management would feel justified in considering information security to be a pure cost centre and trimming it as much as possible.

No hijack intended, but this is the nature of every aspect of IT. If the servers and network and workstations and software and internet are functioning as intended, then the IT staff is doing what they’re being paid to do, and no recognition or attaboy is necessary. But if something goes wrong, obviously IT screwed up.

As others have stated, if just one person clicks on a link contained in an email, it doesn’t matter how tight your security might be…it’s just been compromised.

Just to note - it could be any part of the chain that went wrong here. When I worked in IT, I frequently had to badger managers to complete their leaver process so it would trigger the workflow for shutting down accounts etc. - they were supposed to do it, but they just didn’t. If it wasn’t for me walking past an empty desk with ‘We’ll Miss You!!’ banners on it and asking ‘oh, did Jane leave?’, there would have been no leaver request, and Jane’s account would stay open longer than it should.

And that only worked because it was a small company where I could notice that a person had left. Worse, I worked once in a small company with high standards that was acquired by a large company with… shall we say less high standards. Our HR person went on a tour of the new group organisation and within a week, had found numerous cases where people had left the company months, in one case, years ago, and were still on the payroll.
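The failure discussed in the last few posts (a departed employee whose account was never disabled) is one that can be caught by reconciling HR's leavers list against the account directory. The following is an added example, not code from any poster or company in the thread; the CSV exports and their column names are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample exports (not real data): an HR leavers list and a
# directory dump of accounts. Column names are assumptions for the example.
HR_LEAVERS_CSV = """\
employee_id,name,last_day
1001,Jane Doe,2021-03-31
1002,Sam Roe,2020-11-15
1003,Alex Poe,2021-05-20
"""

DIRECTORY_CSV = """\
username,employee_id,enabled,last_logon
jdoe,1001,true,2021-05-01
sroe,1002,false,2020-11-14
apoe,1003,true,2021-05-19
mlee,1004,true,2021-05-21
"""

def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))

def stale_accounts(hr_csv, directory_csv, today_iso, grace_days=0):
    """Accounts of departed employees still enabled past grace_days; each
    finding records whether the account was used after the last day."""
    today = date.fromisoformat(today_iso)
    leavers = {row["employee_id"]: row for row in parse_csv(hr_csv)}
    findings = []
    for acct in parse_csv(directory_csv):
        leaver = leavers.get(acct["employee_id"])
        if leaver is None or acct["enabled"].lower() != "true":
            continue  # not a leaver, or already disabled: nothing to flag
        last_day = date.fromisoformat(leaver["last_day"])
        days_open = (today - last_day).days
        if days_open <= grace_days:
            continue
        findings.append({
            "username": acct["username"],
            "name": leaver["name"],
            "days_since_departure": days_open,
            "used_after_departure": date.fromisoformat(acct["last_logon"]) > last_day,
        })
    return sorted(findings, key=lambda f: -f["days_since_departure"])

if __name__ == "__main__":
    for finding in stale_accounts(HR_LEAVERS_CSV, DIRECTORY_CSV, "2021-06-01"):
        print(finding)
```

Run on a schedule, the "used_after_departure" flag separates an account that was merely forgotten from one that was actively used after the person left.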

And it’s possible that a disgruntled employee accidentally on purpose clicks on such a link.

The most vulnerable operating system is one that is not up to date on security patches, regardless of whether it is proprietary or open source, how popular it is, or who wrote it.

Yes, just clicking on the link, combined with the resistance many places, and among many users, have to installing updates, and some unwanted download can step its way through a series of vulnerabilities to take over the local machine, and from there anything vulnerable on the network.

Security takes continuous input of time, energy, and money. This will inconvenience people who are just trying to do their job, it will sometimes break things, and (the dreaded) make things look different. Even with all of that, the attackers only have to win once.

And we’ve had threads about this many times: “I still want to run Windows ME but my banking web site wants something newer than IE 6”. Regardless of the haranguing from the IT pros of the Dope, people don’t want to upgrade because reasons. They don’t want to download patches, they don’t want to wait for a reboot.

Now imagine you run a meat processing plant or an oil pipeline with a 10 year old operating system that has a) tons of known security flaws and b) no security patches. You just left your keys in the car, the door open, and the engine running, probably with your baby in the back seat.

Ehhh, Windows is a lot more secure than it once was, but I don’t see how saying it is more secure than the others can be true. The main benefit of Windows as a target besides its ubiquity is that it’s fairly monolithic. If you get access to a Windows box, especially in a corporate environment, you can expect the Office suite is installed, and probably other programs as well. On Linux/Unix, and a lesser extent on Mac (which yes, is a kind of Unix), you don’t have that certainty. A Linux box comes with a much smaller default set of applications outside of the operating system.

On top of that, you can build Linux yourself, and straight up remove things from the operating system that you aren’t using. When I worked at a web hosting company, rootkits that depended on inserting kernel modules were very popular for attackers. However, they didn’t work on our systems. Before they had become popular, our CTO had decided we would use a monolithic kernel, and the tools for inserting modules were not there. It made it a little bit of a pain when we switched hardware, but it was otherwise an easier to maintain system, and it prevented that particular class of rootkits from being anything but an annoyance.
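The monolithic-kernel approach in the post above works because there is no module loading to abuse. On a stock kernel the defender's equivalent is to check whether loading is still possible and whether anything outside a known baseline is loaded. The following is an added example, not the poster's code or anything from the company described; it assumes a Linux host, a constructed /proc/modules sample and an assumed baseline set.

```python
import os

# Baseline of modules expected on this host (an assumption for the sample;
# in practice taken from a known-good build of the machine).
BASELINE = {"ext4", "e1000e", "nf_conntrack", "nf_nat", "xt_conntrack"}

# Constructed /proc/modules sample, not captured from a real host; "oddmod"
# stands in for any module the baseline does not account for.
SAMPLE_PROC_MODULES = """\
ext4 737280 1 - Live 0xffffffffc0a00000
e1000e 282624 0 - Live 0xffffffffc0900000
oddmod 16384 0 - Live 0xffffffffc0b00000 (OE)
nf_conntrack 172032 2 nf_nat,xt_conntrack, Live 0xffffffffc0800000
"""

def parse_proc_modules(text):
    """Parse /proc/modules lines: name size refcount deps state addr [taint]."""
    mods = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        taint = parts[6].strip("()") if len(parts) > 6 else ""
        mods[parts[0]] = {"size": int(parts[1]), "refcount": int(parts[2]), "taint": taint}
    return mods

def unexpected_modules(text, baseline):
    """Loaded modules absent from the baseline, mapped to their taint flags."""
    return {n: m["taint"] for n, m in parse_proc_modules(text).items() if n not in baseline}

def loading_state(proc_modules_exists, modules_disabled):
    """'monolithic': no CONFIG_MODULES (so no /proc/modules); 'locked':
    kernel.modules_disabled=1; 'loadable': new modules can still be inserted."""
    if not proc_modules_exists:
        return "monolithic"
    if modules_disabled == 1:
        return "locked"
    return "loadable"

def check_live_host(baseline=BASELINE):
    """Same checks against the running host (meaningful on Linux only)."""
    exists = os.path.exists("/proc/modules")
    try:
        with open("/proc/sys/kernel/modules_disabled") as f:
            disabled = int(f.read().strip())
    except OSError:
        disabled = None
    text = open("/proc/modules").read() if exists else ""
    return loading_state(exists, disabled), unexpected_modules(text, baseline)
```

Setting kernel.modules_disabled=1 after boot is a one-way switch until reboot, which is the closest a stock distribution kernel gets to the "no tools for inserting modules" state the post describes.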

So, no. Windows is a lot better than it used to be, but it’s still Windows. I’d say it’s the “most” vulnerable, but that’s mostly because it’s the target an attacker is most likely to see. There are other parts of the system that don’t help, but its ubiquity is still the part that makes it the most likely to be compromised in a ransomware attack.