Cyber Defense Advisors

Ransomware victim numbers surge as attackers target zero-day vulnerabilities

The use of zero-day and one-day vulnerabilities has led to a 143% increase in total ransomware victims between Q1 2022 and Q1 2023, according to new research from cloud security vendor Akamai. The firm’s Ransomware on the Move: Exploitation Techniques and the Active Pursuit of Zero-Days report, based on findings collected from the leak sites of approximately 90 different ransomware groups, outlines the evolving tactics of ransomware threat actors.

Along with highlighting a considerable growth in vulnerability abuse, the report also found that ransomware groups are increasingly targeting the exfiltration of files – the unauthorized extraction or transfer of sensitive information – which has become the primary source of extortion. What’s more, victims of multiple ransomware attacks are almost six times more likely to experience a second attack within three months of the first, with smaller organizations at higher risk of being targeted by ransomware generally, according to the report.

Ransomware remains one of the biggest, most dangerous attack threats organizations face. During the second quarter of 2023, the Cisco Talos Incident Response (IR) team responded to the highest number of ransomware engagements in more than a year. Likewise, the latest ReliaQuest Ransomware & Data-Leak Extortion report revealed a large surge in ransomware activity in Q2. This quarter set the record for the most victims ever recorded being named to ransomware data-leak sites, an increase of 540 victims compared to the previous quarter, according to the research.

Ransomware groups shift to zero-day exploitation

Ransomware groups are shifting their attack techniques from phishing to putting a greater emphasis on vulnerability abuse, which has grown considerably both in scope and sophistication, the report read. Groups have also become more aggressive in their methods of vulnerability exploitation, such as through in-house development of zero-day attacks and bug bounty programs, it added. There is evidence of an increasing willingness to pay for the opportunity to exploit vulnerabilities, too, whether it’s to pay other hackers to find vulnerabilities that can be used in attacks, or to acquire access to their intended targets via initial access brokers (IABs). Although leveraging zero-day vulnerabilities is not new, it is notable that ransomware groups are seeking or researching vulnerabilities and abusing them on a large scale to compromise hundreds or even thousands of organizations, Akamai said.

The notorious ransomware group CL0P has demonstrated an aggressive pursuit of the attainment and development of zero-day vulnerabilities in-house recently, the report read. This has proven to be a successful strategy, with CL0P growing its number of victims nine-fold in 12 months.

LockBit dominates ransomware attack landscape

LockBit is dominating the ransomware attack landscape with 39% of total victims (1,091 victims). That is more than triple the number of the second-highest ranked ransomware group, ALPHV (Blackcat). LockBit has risen significantly in the absence of the previous front-runner, Conti, the report stated. Its success is due to its enhancements, including the introduction of novel techniques in its latest 3.0 version such as a bug bounty program and the use of Zcash cryptocurrency as a payment mode.

To exert more pressure on their victims, the attackers behind LockBit have started reaching out to the victim’s customers, informing them about the incident, and employing triple extortion tactics with the inclusion of distributed denial-of-service (DDoS) attacks, Akamai found.

Ransomware groups prioritize file exfiltration

Ransomware groups are increasingly targeting the exfiltration of files – the primary source of extortion – as seen with the recent exploitation of GoAnywhere and MOVEit. Attackers try to maximize their damage while minimizing and modernizing their efforts, employing many different extortion tactics to intimidate their victims into paying the ransom demands. Attackers are finding more success in data theft extortion instead of just in encrypting their intended target’s files, the report read. This underscores the fact that file backup solutions, though effective against file encryption, are no longer a sufficient strategy, Akamai stated.

Ransomware victims may quickly face subsequent attacks

Once victimized by ransomware, organizations face a higher risk of a second attack shortly after, according to Akamai’s report. In fact, victims attacked by multiple ransomware groups are almost six times more likely to experience a subsequent attack within the first three months than after more time has passed, it said. While a victim company is distracted by remediating the initial attack, other ransomware groups – likely scanning for potential targets and monitoring the activities of their competitors – can also leverage this window of opportunity and hit the same company, the firm stated.

Being attacked once and paying the ransom does not guarantee an organization’s safety either – rather, it increases the likelihood of being hit again by the same group or by multiple groups, Akamai warned. If the victim organization hasn’t closed the gaps in its perimeter or remediated the vulnerabilities attackers abused to breach its network the first time, chances are they will be used again. Also, if the victim chooses to comply with the ransom demands, it may then be viewed as a potential target by the same group, and by others.

Smaller organizations at higher risk of ransomware

Organization size and revenue are playing a part in current ransomware attack trends, too, the report stated. There is an assumption that larger enterprises with bigger revenue are more likely to be targeted than other organizations because they present a higher payoff and, therefore, a more enticing target. However, Akamai’s analysis of victims by revenue illustrated a different picture. Businesses with reported revenue of up to $50 million were the most at risk of being targeted (65%), while organizations with reported revenue above $500 million made up just 12% of total victims, it read.

Akamai surmised that lower revenue companies are more vulnerable to attacks because their environment is easier to infiltrate, with limited security resources to combat the hazards of ransomware. At the same time, they have the capacity to pay the ransom to avoid business disruption and possible revenue loss.

Manufacturing most impacted sector, attacks on financial services increase

The report names the manufacturing sector as the vertical with the most victim organizations (20%) affected by ransomware attacks, followed by business services (11%) and retail (9%). However, financial services organizations saw an increase of 50% in the total number of impacted businesses year over year. While these findings do not necessarily indicate that manufacturing experiences more attacks than other industries, attackers are clearly finding success in targeting this industry. Meanwhile, business services being the second highest in the list of ransomware victims underscores the potential for supply chain attacks.

Ransomware mitigation must be as multifaceted as attacks

Today’s ransomware attacks are multifaceted, including numerous stages and tactics. Ransomware prevention and mitigation must therefore span several different approaches and products, according to Akamai. To mitigate the ransomware threat effectively, organizations should:

Adopt a multilayered approach to cybersecurity to address threats throughout the different stages of attack and across various threat environments.

Employ network mapping and segmentation to identify and isolate critical systems and limit network access to and from those systems. This limits the lateral movement of any malware should a breach occur.

Keep all software, firmware, and operating systems up to date with the latest security patches. This helps mitigate known vulnerabilities that ransomware may exploit.

Maintain regular offline backups of critical data and establish an effective disaster recovery plan. This ensures the ability to restore operations quickly and minimize the impact of a ransomware incident.

Develop and regularly test an incident response plan that outlines the steps to be taken in case of a ransomware attack. This plan should include clear communications channels, roles, and responsibilities, and a process for engaging law enforcement and cybersecurity experts.

Conduct regular cybersecurity awareness training to educate employees about phishing attacks, social engineering, and other common vectors used by ransomware threat actors. Employees should be encouraged to report suspicious activities promptly. This training should extend to policies and procedures for both working with vendors that are physically on site and interacting with company systems remotely. All vendors and suppliers should also be required to undergo this training before accessing sites or systems.
