Ransomware actors hit zero-day exploits hard in 2023

Ransomware operators were especially successful in targeting critical zero-day vulnerabilities in widely used IT products.
Last year's surge in ransomware attacks was driven in part by zero-day exploit sprees against the MOVEit and GoAnywhere managed file-transfer products, Citrix networking devices and the PaperCut print management software, according to Unit 42.
Unit 42 found that spikes in posts on ransomware leak sites lined up with the periods when these four vulnerabilities were most heavily exploited. It cautioned, however, that the volume of leak-site posts is neither an exhaustive nor a reliable measure of the ransomware landscape.
Some ransomware groups operate without running a "name and shame" leak site at all, and organizations that pay quickly are often never listed on a group's site. The true number of ransomware attacks may therefore differ significantly from what these platforms suggest, Unit 42 noted in its report.
Blockchain analysis firm Chainalysis raised similar concerns about tracking ransom payments. The firm stated, "The ransomware landscape is not only prolific but continually expanding, making it challenging to monitor every incident or trace all ransom payments made in cryptocurrencies."
Federal cyber officials have consistently emphasized the need for more comprehensive and timely information on attacks as they unfold. Widespread underreporting by ransomware victims impedes law enforcement's ability to act effectively, allowing a significant share of criminal activity to persist undetected.
Cyber Security Dive 02/08/2024