Zero-Days are the Delivery Vector of Choice for Today’s Ransomware Groups

Posted on August 29, 2023

In the ever-evolving landscape of cybercrime, the strategies adopted by ransomware groups are undergoing a significant transformation. A notable shift has been observed in the tactics these criminals use to infiltrate systems and hold data for ransom. Historically, phishing was the preferred method for breaching systems, exploiting human weaknesses to gain access.

Over the past year, ransomware actors have been increasingly gravitating towards zero-day vulnerabilities and one-day flaws to execute their attacks. This shift has led to a staggering 143% surge in ransomware victims between the first quarter of 2022 and the corresponding period this year, as highlighted in a recent report by Akamai.

The New Game: Zero-Day Exploits and Data Exfiltration

The modus operandi of modern ransomware groups is characterized by a sophisticated and calculated approach. These malicious actors either develop attack vectors internally or procure access to systems known to have vulnerabilities. Alternatively, they invest in creating or acquiring zero-day exploits specifically designed to target susceptible systems.

Once a breach is achieved, the attackers engage in data exfiltration, using the stolen information as leverage for extortion. Unlike the traditional approach of encrypting data and demanding payment for decryption, they now opt for a more insidious tactic. Rather than locking the data, they threaten to expose it, potentially auctioning sensitive information to the highest bidder if their demands are not met. And often, even if they are.

The Evolution of Defensive Measures

The corporate response to ransomware threats has also evolved over time, reflecting a growing awareness of the need for proactive defense. Organizations have invested in enhancing their data backup and recovery strategies, thereby reducing the operational impact of potential ransomware attacks. While this countermeasure has proven effective to a certain extent, it falls short of preventing the exposure of sensitive data.

In response, ransomware groups have adjusted their tactics by focusing on the threat of data exposure in addition to encryption. Consequently, even with a robust backup system in place, the risk of data that is proprietary or protected by privacy regulations circulating illicitly on the dark web remains a pressing concern.

The Expanding Ripple Effect

The repercussions of a successful ransomware attack extend far beyond the immediate victim. Ransomware groups have demonstrated a growing tendency not only to target organizations directly but also to reach out to the victim’s customers. By informing these customers about the data breach, the attackers amplify the impact of their actions, creating a ripple effect of distrust and insecurity that resonates throughout entire networks of stakeholders. On top of that, victims are now nearly six times more likely to be targeted again within the first three months, highlighting the alarming speed at which information spreads within criminal circles.

The Unanticipated Targets

Contrary to popular assumptions, ransomware attackers do not focus primarily on high-profile, well-known entities. Instead, they often exploit vulnerabilities within smaller organizations that may have weaker cybersecurity defenses and are therefore easier targets. A telling statistic from Akamai’s report reveals that approximately 65% of ransomware victims are businesses with under $50 million in annual revenue. In contrast, large corporations with over $500 million in revenue account for a mere 12% of victims. This pattern challenges prevailing assumptions about the targets of ransomware attacks and underscores the critical importance of cybersecurity readiness for organizations of all sizes.

Identifying Vulnerable Sectors

Certain sectors have emerged as prime targets for ransomware groups due to their susceptibility to attack. Manufacturing, constituting around 20% of all ransomware targets, has witnessed a particularly high rate of attacks. This does not necessarily mean manufacturing is being targeted more often; rather, attackers have recently enjoyed greater success within that vertical.

The second most targeted sector is business services, comprising 11% of victims, indicating that here, too, there are likely to be vulnerabilities within the supply chain. Retail follows closely behind with 9% of victims, underscoring the critical need for bolstering cybersecurity in these industries.

About Peter Silva

Peter Silva is the Sr. Product Marketing Manager at Ericom, the Cybersecurity Unit of Cradlepoint. After a decade working in the professional theater, he became one of the first 6 Internet Specialists at AT&T, focusing on access and security. Over the years, he’s been recognized for his stellar record of captivating audiences with engaging presentations and high-quality content. Along with AT&T, he’s held positions at Verio, Exodus, Pacific Wireless Corp and F5.
