Zero-Day Flaws an Evolving Weapon in Ransomware Groups’ Arsenals – Source: securityboulevard.com

Ransomware gangs have for years gotten their malicious payloads into targeted systems primarily through phishing attacks or being dropped as a secondary payload from command-and-control frameworks.

That is changing, according to researchers with cybersecurity and content delivery networking vendor Akamai.

To skirt past defense mechanisms put in place by security teams, threat groups are aggressively exploiting zero-day and one-day vulnerabilities to deploy their ransomware, a shift in technique that helped fuel a 143% year-over-year jump in the total number of ransomware victims in the first quarter, the researchers from Akamai’s Security Intelligence Group wrote in a wide-ranging report released this week.

At the same time, they’re continuing to shift their focus away from simply encrypting files on systems to extortion, exfiltrating the data and threatening to publish it if the victim organization refuses to pay the ransom.

“Vulnerability abuse has grown considerably, both in scope and sophistication,” Akamai Advisory CISO Steve Winterfeld wrote in a blog post.

A More Sophisticated Ransomware Space

The sharp increase in ransomware victims dovetails with the findings from other cybersecurity vendors that show an active and evolving ransomware scene. In a report this week looking at the threat landscape for the first half of the year, Fortinet’s FortiGuard Labs group wrote about increasingly sophisticated and targeted ransomware attacks.

“While ransomware has existed for decades, we’ve witnessed threat actors using more-sophisticated and complex strains in recent years to infiltrate networks, largely thanks to the expansion of Ransomware-as-a-Service (RaaS) operations,” Douglas Jose Pereira dos Santos, director of advanced threat intelligence at Fortinet, wrote in a blog post.

And like Akamai, Fortinet is seeing the numbers climb. Ransomware activity was 13 times higher at the end of the first half of the year than at the beginning. While that was happening, 13% of enterprises detected ransomware on their networks during the first six months this year, compared with 25% five years ago.

“Unfortunately, this isn’t cause for celebration, as it indicates bad actors carrying out more targeted attacks using highly adaptable playbooks,” he wrote.

Akamai’s Winterfeld said ransomware groups are becoming more aggressive in exploiting vulnerabilities, including developing their own zero-day attacks and running their own bug bounty programs – the high-profile LockBit RaaS operation launched its own program last year – to find flaws to abuse.

“Ransomware groups are willing to pay for the opportunity for financial gain, whether it’s to pay other hackers to find vulnerabilities in their software, or to acquire access to their intended targets via initial access brokers (IABs),” he wrote.

Cl0p Riding the Vulnerability Wave

Cl0p is an example of a ransomware group that is using vulnerability exploitation to their favor. LockBit for more than a year has been the dominant player in the field and continued to hold that space in the first quarter, racking almost 250 victims, according to Akamai. However, Cl0p saw the number of victims in Q1 jump nine-fold year-over-year, due in large part to what Winterfeld said was an aggressive strategy of obtaining and developing zero-day vulnerabilities.

Malwarebytes researchers saw the same trend in a report earlier this month. The researchers noted LockBit’s year-plus of dominance, saying that the notorious RaaS group claims to have 100 affiliates and averages about 24 attacks per month in the United States.

However, in March and June, Cl0p surged past LockBit in the number of attacks for those months, abusing zero-days in the Fortra’s GoAnywhere MFT and Progress Software’s MOVEit Transfer, both manage file transfer tools.

“This gave them the ability to launch an unprecedented number of attacks within a short time frame and across a massive scale,” the researchers wrote in a blog post.

More than 130 companies were breached in the GoAnywhere MFT campaign; at last count, the number of known victims of the massive MOVEit attack was 621, affecting as many as 40.8 million individuals.

“The use of zero-day vulnerabilities by ransomware groups like CL0P may trigger a significant shift in ransomware strategies, mirroring the adoption of the ‘double extortion’ tactic in 2019,” they wrote. “If more groups start adopting CL0P’s zero-day exploitation techniques, the ransomware landscape could tilt from service-oriented attacks to a more aggressive, vulnerability-focused model – a move that could skyrocket the number of victims.”