Ransomware Victims Surge as Threat Actors Pivot to Zero-Day Exploits

The number of organizations that became victims of ransomware attacks surged 143% between the first quarter of 2022 and first quarter of this year, as attackers increasingly leveraged zero-day vulnerabilities and one-day flaws to break into target networks.

In many of these attacks, threat actors did not so much as bother to encrypt data belonging to victim organizations. Instead, they focused solely on stealing their sensitive data and extort victims by threatening to sell or leak the data to others. The tactic left even those with otherwise robust backup and restoration processes backed into a corner.

A Surge in Victims

Researchers at Akamai discovered the trends when they recently analyzed data gathered from leak sites belonging to 90 ransomware groups. Leaks sites are locations where ransomware groups typically release details about their attacks, victims, and any data that they might have encrypted or exfiltrated.

Akamai's analysis showed that several popular notions about ransomware attacks are no longer fully true. One of the most significant, according to the company, is a shift from phishing as an initial access vector to vulnerability exploitation. Akamai found that several major ransomware operators are focused on acquiring zero-day vulnerabilities — either through in-house research or by procuring it from gray-market sources — to use in their attacks.

One notable example is the Cl0P ransomware group, which abused a zero-day SQL-injection vulnerability in Fortra's GoAnywhere software (CVE-2023-0669) earlier this year to break into numerous high-profile companies. In May, the same threat actor abused another zero-day bug it discovered — this time in Progress Software's MOVEIt file transfer application (CVE-2023-34362) — to infiltrate dozens of major organizations globally. Akamai found Cl0p's victim count surged ninefold between the first quarter of 2022 and first quarter of this year after it started exploiting zero-day bugs.

Although leveraging zero-day vulnerabilities is not particularly new, the emerging trend among ransomware actors to use them in large-scale attacks is significant, Akamai said.

"Particularly concerning is the in-house development of zero-day vulnerabilities," says Eliad Kimhy, head of Akamai security research's CORE team. "We see this with Cl0p with their two recent major attacks, and we expect other groups to follow suit and leverage their resources to purchase and source these types of vulnerabilities."

In other instances, big ransomware outfits such as LockBit and ALPHV (aka BlackCat) caused havoc by jumping on newly disclosed vulnerabilities before organizations had a chance to apply the vendor's fix for them. Examples of such "day-one" vulnerabilities include the PaperCut vulnerabilities of April 2023 (CVE-2023-27350 and CVE-2023-27351) and vulnerabilities in VMware's ESXi servers that the operator of the ESXiArgs campaign exploited.

Pivoting from Encryption to Exfiltration

Akamai also found that some ransomware operators — such as those behind the BianLian campaign — have pivoted entirely from data encryption to extortion via data theft. The reason the switch is significant is that with data encryption, organizations had a chance of retrieving their locked data if they had a robust enough data backup and restoration process. With data theft, organizations do not have that opportunity and instead must either pay up or risk having the threat actors publicly leaking their data — or worse, selling it to others.

The diversification of extortion techniques is notable, Kimhy says. "The exfiltration of data had started out as additional leverage that was in some ways secondary to the encryption of files," Kimhy notes. "Nowadays we see it being used as a primary leverage for extortion, which means file backup, for example, may not be sufficient."

Most of the victims in Akamai's dataset — some 65% of them, in fact — were small to midsize businesses with reported revenues of up to $50 million. Larger organizations, often perceived as the biggest ransomware targets, actually only made up 12% of the victims. Manufacturing companies experienced a disproportionate percentage of the attacks, followed by healthcare entities and financial services firms. Significantly, Akamai found that organizations that experience a ransomware attack had a very high probability of experiencing a second attack within three months of the first attack.

It’s important to emphasize that phishing is still very important to defend against, Kimhy says. At the same time, organizations need to prioritize patching of newly disclosed vulnerabilities. He adds, "[T]he same recommendations we have been making still apply, such as understanding the adversary, threat surfaces, techniques used, favored, and developed, and particularly what products, processes, and people you need to develop in order to stop a modern ransomware attack."