Ransomware Victims Surge as Threat Actors Pivot to Zero-Day Exploits

Published: 23/11/2024   Category: security


Threat actors such as the operators of the Cl0p ransomware family increasingly exploit unknown and day-one vulnerabilities in their attacks.



The number of organizations that became victims of ransomware attacks surged 143% between the first quarter of 2022 and the first quarter of this year, as attackers increasingly leveraged zero-day vulnerabilities and one-day flaws to break into target networks.
In many of these attacks, threat actors did not even bother to encrypt data belonging to victim organizations. Instead, they focused solely on stealing sensitive data and extorting victims by threatening to sell or leak it to others. The tactic left even organizations with otherwise robust backup and restoration processes backed into a corner.
Researchers at Akamai discovered the trends when they recently analyzed data gathered from leak sites belonging to 90 ransomware groups. Leak sites are locations where ransomware groups typically release details about their attacks, victims, and any data that they might have encrypted or exfiltrated.
Akamai's analysis showed that several popular notions about ransomware attacks are no longer fully true. One of the most significant, according to the company, is a shift from phishing as an initial access vector to vulnerability exploitation. Akamai found that several major ransomware operators are focused on acquiring zero-day vulnerabilities — either through in-house research or by procuring them from gray-market sources — to use in their attacks.
One notable example is the Cl0p ransomware group, which abused a zero-day SQL-injection vulnerability in Fortra's GoAnywhere software (CVE-2023-0669) earlier this year to break into numerous high-profile companies. In May, the same threat actor abused another zero-day bug it discovered — this time in Progress Software's MOVEit file transfer application (CVE-2023-34362) — to infiltrate dozens of major organizations globally. Akamai found Cl0p's victim count surged ninefold between the first quarter of 2022 and the first quarter of this year after it started exploiting zero-day bugs.
Although leveraging zero-day vulnerabilities is not particularly new, the emerging trend among ransomware actors to use them in large-scale attacks is significant, Akamai said.
"Particularly concerning is the in-house development of zero-day vulnerabilities," says Eliad Kimhy, head of Akamai security research's CORE team. "We see this with Cl0p with their two recent major attacks, and we expect other groups to follow suit and leverage their resources to purchase and source these types of vulnerabilities."
In other instances, big ransomware outfits such as LockBit and ALPHV (aka BlackCat) caused havoc by jumping on newly disclosed vulnerabilities before organizations had a chance to apply the vendor's fix for them. Examples of such day-one vulnerabilities include the PaperCut vulnerabilities of April 2023 (CVE-2023-27350 and CVE-2023-27351) and vulnerabilities in VMware's ESXi servers that the operator of the ESXiArgs campaign exploited.
Akamai also found that some ransomware operators — such as those behind the BianLian campaign — have pivoted entirely from data encryption to extortion via data theft. The switch is significant because with data encryption, organizations had a chance of retrieving their locked data if they had a robust enough data backup and restoration process. With data theft, organizations do not have that opportunity and instead must either pay up or risk having the threat actors publicly leak their data — or worse, sell it to others.
"The diversification of extortion techniques is notable," Kimhy says. "The exfiltration of data had started out as additional leverage that was in some ways secondary to the encryption of files," Kimhy notes. "Nowadays we see it being used as a primary leverage for extortion, which means file backup, for example, may not be sufficient."
Most of the victims in Akamai's dataset — some 65% of them, in fact — were small to midsize businesses with reported revenues of up to $50 million. Larger organizations, often perceived as the biggest ransomware targets, actually made up only 12% of the victims. Manufacturing companies experienced a disproportionate percentage of the attacks, followed by healthcare entities and financial services firms. Significantly, Akamai found that organizations that experienced a ransomware attack had a very high probability of experiencing a second attack within three months of the first.
"It's important to emphasize that phishing is still very important to defend against," Kimhy says. At the same time, organizations need to prioritize patching of newly disclosed vulnerabilities. He adds, "[T]he same recommendations we have been making still apply, such as understanding the adversary, threat surfaces, techniques used, favored, and developed, and particularly what products, processes, and people you need to develop in order to stop a modern ransomware attack."





