The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Ransomware Gangs Increasingly Exploiting 0Day and 1Day Vulnerabilities

Ransomware gangs use a variety of methods for initial access to victims’ networks, and while phishing is still one of the most common initial access vectors, researchers at the cybersecurity firm Akamai have identified a trend toward zero-day and one-day (1day) vulnerabilities for initial access. Several threat groups are conducting their own research to find exploitable vulnerabilities or are purchasing exploits from gray-market sources.

Ransomware attacks have increased significantly over the past year. Between Q1, 2022, and Q1, 2023 there was a 143% increase in ransomware attacks and there has been a growing trend of data theft and extortion without the use of ransomware to encrypt files. File encryption can cause massive disruption to business operations; however, file encryption is noisy and more resource intensive. Simply accessing victims’ networks, stealing data, and threatening to publish or sell that data is often enough to prompt the victim to pay up. These attacks require fewer resources and are far faster, and are less likely to be detected and blocked by security teams. While data theft was once secondary to file encryption in ransomware attacks, the reverse now appears to be true, with data theft far more effective for extortion than file encryption.

The Clop ransomware group is one of several threat actors to opt for data theft and extortion without file encryption and is also one of the gangs focusing on vulnerability exploitation. The group mass exploited a zero-day vulnerability in Fortra’s GoAnywhere file transfer solution in February 2023 and attacked dozens of companies. Then, a few months later, the group mass exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution to attack hundreds of companies. When claiming responsibility for the attack, a spokesperson for the group said that data encryption was an option, but the decision was taken not to encrypt files. KonBriefing is tracking the MOVEit Transfer attacks and says at least 611 organizations were attacked and the records of between 35.8 million and 40.7 million individuals were stolen by Clop.

The Akamai researchers conducted an analysis of the data leak sites of 90 ransomware groups, where the groups publish the names of their victims and release stolen data when ransoms are not paid. The groups often provide details about whether data was encrypted, the amount of data stolen, and how the attack was conducted. The researchers found that in addition to Clop, several other ransomware groups were favoring zero-day and one-day exploits of vulnerabilities in software and operating systems and, like Clop, were conducting research in-house or were seeking and paying for exploits from third parties. Other ransomware operations that have exploited recently disclosed vulnerabilities include LockBit and ALPHV (BlackCat), which rapidly exploited vulnerabilities before vendors could release patches or before organizations could apply them; examples include the PaperCut vulnerabilities CVE-2023-27350 and CVE-2023-27351 and the VMware ESXi hypervisor vulnerability CVE-2021-21974.


The main sectors targeted by ransomware gangs in the period studied were manufacturing, healthcare, and financial services. The researchers also identified a much higher percentage of attacks on small- and medium-sized firms compared to larger organizations. 65% of the attacks the researchers analyzed were on small- and medium-sized businesses, compared to 12% on larger organizations. The researchers also found a high probability of a victim experiencing a second attack within 3 months of the first.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
