
Surge in Ransomware Victims as Threat Actors Shift to Zero-Day Exploits


A study conducted by Akamai revealed that the number of organizations falling victim to ransomware attacks rose by 143% between the first quarter of 2022 and the first quarter of 2023. Akamai attributes the increase to cybercriminals exploiting zero-day vulnerabilities and one-day flaws (bugs that have been disclosed but that the target has not yet patched) to gain initial access to target networks.

Interestingly, many of these attacks did not involve encrypting the data belonging to the victim organizations. Instead, the threat actors focused on stealing sensitive information and extorting the victims by threatening to sell or leak the data to others. This tactic proved to be particularly effective, as even organizations with robust backup and restoration processes found themselves backed into a corner.

The researchers at Akamai identified these trends by analyzing data from the leak sites of 90 ransomware groups. Leak sites are the platforms where ransomware groups publish details about their attacks and victims and post samples of, or the entirety of, the data they exfiltrated. The analysis overturned several popular beliefs about ransomware attacks; most notably, it found that vulnerability exploitation has overtaken phishing as the primary initial-access method.

Akamai’s findings revealed that numerous major ransomware operators are now focused on acquiring zero-day vulnerabilities, obtained through in-house research or purchased from gray-market sources, and using them in their attacks. One notable example is the Cl0P ransomware group, which exploited a zero-day pre-authentication remote-code-execution flaw in Fortra’s GoAnywhere MFT to infiltrate multiple high-profile companies. After discovering another zero-day, an SQL-injection bug in Progress Software’s MOVEit Transfer file-transfer application, Cl0P increased its victim count ninefold.

While leveraging zero-day vulnerabilities in ransomware attacks is not entirely new, the emerging trend of using them in large-scale attacks is a cause for concern. Eliad Kimhy, head of Akamai’s security research CORE team, stated, “Particularly concerning is the in-house development of zero-day vulnerabilities. We see this with Cl0P with their two recent major attacks, and we expect other groups to follow suit and leverage their resources to purchase and source these types of vulnerabilities.”

In addition to exploiting zero-day vulnerabilities, other ransomware groups such as LockBit and ALPHV have been quick to exploit newly disclosed vulnerabilities. These ransomware outfits take advantage of vulnerabilities before organizations have a chance to apply the vendor’s fix. For example, the PaperCut vulnerabilities of April 2023 and the vulnerabilities in VMware’s ESXi servers were promptly targeted by attackers, causing significant damage.

Another significant finding from Akamai’s study is that some ransomware operators, such as those behind the BianLian campaign, have completely shifted from data encryption to extortion through data theft. In the past, organizations had a chance to recover their encrypted data by relying on their backup and restoration processes. However, with data theft, victims are left with no choice but to either pay the ransom or risk having their data publicly exposed or sold to other malicious actors.

The diversification of extortion techniques is a notable development in the ransomware landscape. Kimhy highlights the growing importance of prioritizing patching efforts to address newly disclosed vulnerabilities. He emphasizes that while phishing attacks should not be neglected, organizations need to focus on understanding the adversary, their techniques, and the necessary products, processes, and people required to fend off modern ransomware attacks.

Akamai’s dataset showed that most ransomware victims (65%) were small to midsize businesses with reported revenues of up to $50 million, while larger organizations, often considered prime targets, accounted for only 12% of victims. The most heavily targeted sector was manufacturing, followed by healthcare and financial services. Notably, organizations that had suffered one ransomware attack had a significantly elevated probability of being hit a second time within three months.
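The re-victimization figure comes from exactly this kind of leak-site bookkeeping: the same victim name appearing again, possibly on a different group's site, within a short window. As an added illustration that is not part of Akamai's study or of this article, the Python below takes a constructed set of leak-site postings, normalizes victim names so that the spelling variants used by different groups match, and reports which victims were posted a second time within 90 days. Every record, group pairing and company name in it is invented for the example.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample of leak-site postings: (group, victim name as posted, date posted).
# Illustrative records only; this is not Akamai's dataset.
SAMPLE_POSTS = [
    ("Cl0P",     "Acme Manufacturing, Inc.", date(2023, 2, 3)),
    ("LockBit",  "Northwind Health",         date(2023, 3, 10)),
    ("Cl0P",     "northwind-health",         date(2023, 3, 12)),   # same victim, 2 days later
    ("ALPHV",    "ACME MANUFACTURING",       date(2023, 4, 20)),   # same victim, 76 days later
    ("BianLian", "Contoso Finance LLC",      date(2023, 1, 15)),
    ("LockBit",  "Contoso Finance",          date(2023, 6, 1)),    # 137 days later: outside a 90-day window
    ("BianLian", "Fabrikam Logistics",       date(2023, 5, 5)),
]

# Legal-form suffixes that one site includes and another omits for the same company.
_LEGAL_SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "gmbh", "plc", "sa"}


def normalize_victim(name: str) -> str:
    """Collapse the spelling variants different leak sites use for one victim."""
    tokens = re.split(r"[^a-z0-9]+", name.lower())
    return "-".join(t for t in tokens if t and t not in _LEGAL_SUFFIXES)


def postings_by_victim(posts):
    """Group postings by normalized victim name; each list is sorted by date."""
    by_victim = defaultdict(list)
    for group, victim, posted in posts:
        by_victim[normalize_victim(victim)].append((posted, group))
    for entries in by_victim.values():
        entries.sort()
    return dict(by_victim)


def revictimized_within(posts, days=90):
    """Victims with a second posting within `days` of an earlier one.

    Returns {victim: ((first_date, first_group), (second_date, second_group))}.
    Only the first qualifying pair per victim is reported.
    """
    window = timedelta(days=days)
    hits = {}
    for victim, entries in postings_by_victim(posts).items():
        for earlier, later in zip(entries, entries[1:]):
            if later[0] - earlier[0] <= window:
                hits[victim] = (earlier, later)
                break
    return hits


def revictimization_rate(posts, days=90):
    """Share of distinct victims that were posted a second time within the window."""
    victims = postings_by_victim(posts)
    if not victims:
        return 0.0
    return len(revictimized_within(posts, days)) / len(victims)


if __name__ == "__main__":
    for victim, (first, second) in revictimized_within(SAMPLE_POSTS).items():
        print(f"{victim}: {first[1]} on {first[0]}, then {second[1]} on {second[0]}")
    print(f"re-victimization rate (90 days): {revictimization_rate(SAMPLE_POSTS):.0%}")
```

Two caveats apply when reading such a rate. A second posting by a different group within days can be the same intrusion resold or re-extorted rather than a fresh compromise, so the window alone does not prove a second breach. And leak sites only show victims the groups chose to publish, typically those who did not pay, so the denominator undercounts total victims.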

In conclusion, the sharp rise in ransomware attacks, driven by the exploitation of zero-day vulnerabilities and one-day flaws, poses a significant threat to organizations worldwide. The shift towards data theft as a primary means of extortion and the evolving tactics employed by ransomware operators call for a proactive approach to cybersecurity. By understanding the adversaries and their techniques, prioritizing patching efforts, and investing in robust security measures, organizations can better defend against modern ransomware attacks.
