"I've tested 135 [ransomware] websites, and I only found vulnerabilities in three of them," Stykas told us in an interview preceding his Black Hat talk. That amounts to less than 3 percent of ransomware groups having vulnerable web applications, which are typically used by threat actors to dump stolen data and publish ransom notes.

"That's not typical of businesses, where I usually find vulnerabilities in 40 to 50 percent of web apps," Stykas added.