Ransomware has a new driver: zero-day exploits

Read on to find out how ransomware gangs are using zero-days, and what your organization can do to stop them.

Ransomware has been the preeminent cyberthreat for the better part of a decade. What started as a screen locker is now a billion-dollar criminal enterprise, leveraging software-as-a-service affiliates, high ransom demands, and double extortion schemes to balloon profits—mostly at the expense of small and mid-sized businesses (SMBs). Yet as ubiquitous as ransomware has become, its threat actors continue to befuddle security teams and fleece organizations with a revolving door of changing tactics for delivering attacks.  

The latest ransomware threat vector giving IT teams a collective migraine is the ruthless progeny of the vulnerability exploit: the zero-day.  

Consider the 2024 Verizon Data Breach Investigations Report (DBIR), which found 10 percent of all breaches last year involved exploits, an unprecedented 180 percent increase year over year, mostly fueled by the use of zero-days for ransomware attacks. In fact, a single ransomware gang compromised more than 8,000 businesses and is estimated to have pocketed $100 million using just a handful of zero-days.  

Unlike known vulnerabilities with patches available to thwart cyberthreats, zero-days leave organizations at the mercy of cybercriminals as software vendors scramble to correct faulty code. Traditional security software is no match for the zero-day, either. So what can businesses do to protect against zero-day ransomware attacks? Read on to find out how ransomware gangs are using zero-days, and what your organization can do to stop them. Or, if you need assistance now, talk to one of our ThreatDown experts.  

Cheers, 

Marcin Kleczynski  

CEO, Malwarebytes 

How to protect against zero-day ransomware attacks 

In 2017, two of the largest and most destructive ransomware attacks in history, WannaCry and NotPetya, used a zero-day exploit to cripple hundreds of thousands of endpoints at businesses around the world. Security experts at the time wrung their hands worrying about the inevitable zero-day pile-on, with cybercriminals jumping on the bandwagon to spread ransomware unchecked through systems as compromised software companies hurried to develop patches. But before that nightmare scenario could unfold, threat actors pivoted to banking Trojans like Emotet—a classic bait-and-switch that thankfully left the zero-day ransomware siege as nothing more than a sysadmin fever dream. 

Fast-forward to today, and the nightmare is now an unfortunate reality. Zero-days and ransomware are a match made in hell, terrorizing small- and medium-sized businesses over the last year with the stealth, speed, and sophistication of a nation-state attack.  

In February 2023, the ransomware gang CL0p used a zero-day to steal data from over 130 organizations, including 1 million patients of Community Health Systems (CHS), one of the largest healthcare providers in the United States. In June of that year, several federal agencies fell victim to an exploit for MOVEit, a file transfer app in which a zero-day had been discovered one month before. And in November 2023, ransomware affiliates exploited a zero-day in the IT management software SysAid, combining ransomware with Living Off the Land (LOTL) techniques for a perfect storm of attacks. 

In fact, 2023 was a renaissance year for ransomware. Considered a top threat across 92 percent of industries, ransomware saw substantial growth last year, primarily by leveraging vulnerability exploits to initiate breaches. The ThreatDown 2024 State of Malware report found the number of known ransomware attacks increased by 68 percent, and average ransom demands climbed precipitously, with the largest at a shocking $80 million. Victim organizations paid a collective $1.1 billion in ransom demands, the highest amount ever recorded. 

Cybercriminal use of exploits to gain initial access nearly tripled in 2023, with a 180 percent increase from the previous year, according to the 2024 Verizon Data Breach Investigations Report (DBIR). Exploits were also the driver in over 90 percent of supply chain breaches, ushering ransomware into organizations with alarming precision.  

But it wasn’t only the method of delivery stunning businesses with stealthy ransomware attacks. Beginning last year and carrying over to 2024, threat actors changed the ransomware game so dramatically, they redefined what it means to be ransomware itself. 

Read also: 

ThreatDown 2024 State of Malware 

CISA insights on remediating vulnerabilities for internet-accessible systems 

How ransomware attacks have changed 

The 2020s have been marked by a shift in ransom demand tactics from small payments exchanged for decryption keys to hefty ransoms not only to unlock files but to keep threat actors from leaking sensitive data to the public. These double extortion schemes have led to record profits for criminals and staggering costs for SMBs. According to the FBI’s Internet Crime Complaint Center (IC3), the median loss associated with ransomware and other extortion breaches over the last three years is $46,000, ranging between just $3 and over $1.1 million. 

The double extortion trend paved the way for radical change in 2023, which saw ransomware actors break away from established norms by abandoning encryption altogether in favor of exfiltration and extortion. That’s right. In many ransomware attacks last year, threat actors didn’t bother deploying actual ransomware. Instead, they focused on stealing sensitive data and extorting target organizations by threatening to sell or post it online. Pure extortion attacks have also risen over the past year and are now a component in 9 percent of all breaches, according to the 2024 Verizon DBIR. This tactic has left businesses—even those with robust backup programs—up against the ropes. 

Thanks to 2023, any previous assumptions about ransomware are now outdated, including the most popular method for infiltrating organizations’ digital infrastructure. Cybercriminals have shifted away from phishing as the top access vector to exploits—particularly those of the zero-day variety. Several major ransomware gangs are focused on either acquiring zero-days through bug bounty programs, data brokers, and other gray-market sources or developing them in-house.  

This paradigm shift is led by the CL0p ransomware outfit, which in 2023 solved the problem of scalability for ransomware by shaking the security world with a series of short, automated campaigns harnessing zero-days. According to CISA, CL0p was able to compromise more than 8,000 unsuspecting organizations in just a few days. CL0p’s zero-day approach allowed it to outperform even the most practiced Ransomware-as-a-Service (RaaS) group, pocketing an estimated $100 million—a fortune to reinvest in more zero-days for 2024.  

Although cybercriminals have leveraged zero-day exploits in the past, their repeated use by ransomware gangs in large-scale attacks is noteworthy. It signals a new level of sophistication in ransomware, with automation allowing threat actors higher-yielding profits for less effort. Case in point: With just a few weeks of activity, CL0p became the third most active ransomware team of 2023, outstripping rivals that were active every month of the year. Big ransomware groups like LockBit and ALPHV vied for a piece of the 2023 action by using so-called “one-day” exploits, which take advantage of newly disclosed vulnerabilities before software vendors finish developing patches.  

Despite an international takedown of LockBit in February 2024 and ALPHV’s departure the following month, ransomware shows no signs of stopping this year. In fact, Malwarebytes researchers noted 762 successful attacks in March and April alone. CL0p showed other ransomware gangs they can scale beyond the established boundaries of their industry. And that’s just what we’re seeing today, with a proliferation of new gangs popping up in the wake of LockBit and ALPHV’s downfall. 

With all this change, one rule remains constant: Ransomware continues to be the most significant criminal threat to small and medium-sized businesses. The use of zero-days has left SMBs unable to protect themselves with security patches and traditional malware detection techniques, allowing unfettered access to sensitive information while they wait for an update from vendors. But even known vulnerabilities are a problem for organizations. 

Read also: 

ThreatDown blog: How ransomware changed in 2023 

SMBs and known vulnerabilities 

Zero-day vulnerabilities are flaws in code unknown to their vendors, so there is no patch, mitigation, or fix available to address them. The term “zero-day” refers to the amount of time software developers have to address the flaw before cybercriminals can exploit it. The 2024 Verizon DBIR says it takes an average of 55 days for an organization to remediate 50 percent of their critical zero-day vulnerabilities, and that’s once patches are available. After a full year, 8 percent of zero-days are still not fixed by businesses. But even known, registered vulnerabilities are causing problems for companies. 

Organizations today fail to patch a troublingly high number of known vulnerabilities, leaving them open for exploitation. The 2023 Synopsys Security and Risk Analysis Report found businesses are not regularly applying patches to applications and systems—91 percent of software assessed for risk contained outdated versions of its components—meaning a patch was available but had not been applied. This risk is compounded by the fact that vulnerabilities run rampant in open-source code, which is the foundation for most software applications and generative AI models today. According to the 2024 Open Source Security and Risk Analysis (OSSRA) report, at least one vulnerability was found in 84 percent of open-source software code. Codebases containing high-risk vulnerabilities increased by 54 percent this year. 

Less sophisticated ransomware gangs unable to pay for or create their own zero-day exploits instead use known vulnerabilities, preying on the continuing difficulty organizations have with effective patch management. In February 2023, the largest known non-Windows ransomware attack in history compromised thousands of out-of-date VMware ESXi servers using a two-year-old vulnerability. And in May 2023, MalasLocker ran a campaign targeting Zimbra servers that had gone unpatched for six months. Not to be outdone, the Cactus ransomware group exploited known vulnerabilities in Qlik Sense software in April 2024, using specialized scripts that automate the activation of ransomware through scheduled tasks. 

Between managing endless updates for known vulnerabilities and protecting digital infrastructure from ransomware attacks, IT teams already stretched thin now must worry about defending software and operating systems against zero-days, too. Thankfully, we have some tools that will help. 

Read also: 

ThreatDown blog: Cactus exploits Qlik Sense to deliver ransomware 

ThreatDown blog: May 2024 ransomware review 

ThreatDown EDR Ransomware Rollback 

With ransomware attacks at an all-time high, the ability to swiftly back up sensitive customer and proprietary data is more crucial than ever. While many IT teams rely on the Windows Volume Shadow Copy Service (VSS) for ransomware backups, the service has some pitfalls, especially when up against zero-day ransomware attacks. VSS may be great for creating snapshots of your data, but it falls short against today’s sophisticated ransomware attacks, which target and compromise VSS backups directly. Put simply: If your system is hit with advanced ransomware, VSS backups stored on the same system aren’t safe either.  
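Because ransomware that goes after local shadow copies has to run the operating system's own recovery-management utilities before it encrypts, the deletion itself is observable in process-creation telemetry. The following detection sketch is an added example, not ThreatDown's or Malwarebytes' code: it runs a handful of MITRE ATT&CK T1490 ("Inhibit System Recovery") command-line signatures over constructed log lines shaped like Windows Security event 4688 exports, and escalates when one host runs several distinct recovery-inhibiting commands within a short window. The log format, host names, user names, and the ten-minute correlation window are all assumptions for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample in the shape of Windows Security event 4688 (process creation)
# records, reduced to the fields this check needs. Not records from any real incident.
SAMPLE_EVENTS = [
    '2024-05-03T02:14:07Z host=FS01 event=4688 user=CORP\\backupsvc cmd="C:\\Windows\\System32\\vssadmin.exe list shadows"',
    '2024-05-03T02:14:09Z host=FS01 event=4688 user=CORP\\backupsvc cmd="C:\\Windows\\System32\\vssadmin.exe delete shadows /all /quiet"',
    '2024-05-03T02:14:10Z host=FS01 event=4688 user=CORP\\backupsvc cmd="wmic shadowcopy delete"',
    '2024-05-03T02:14:12Z host=FS01 event=4688 user=CORP\\backupsvc cmd="bcdedit /set {default} recoveryenabled no"',
    '2024-05-03T02:15:00Z host=WS22 event=4688 user=CORP\\alice cmd="C:\\Windows\\System32\\notepad.exe"',
    '2024-05-03T02:16:31Z host=FS01 event=4688 user=CORP\\backupsvc cmd="wbadmin delete catalog -quiet"',
]

# Assumed key=value layout of the constructed export above.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\d+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$'
)

# Command-line patterns that remove or disable local recovery data (MITRE ATT&CK T1490).
# One hit deserves a look; several distinct hits on one host within minutes is the
# pre-encryption pattern described above. Listing shadows is deliberately NOT matched.
RECOVERY_INHIBIT_RULES = [
    ("vssadmin delete shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic shadowcopy delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("wbadmin delete catalog", re.compile(r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("bcdedit disable recovery", re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
]


@dataclass
class Alert:
    ts: datetime
    host: str
    user: str
    rule: str
    cmd: str


def parse_event(line):
    """Parse one sample line into a dict, or return None if it is not in the expected shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def scan_events(lines):
    """Return one Alert per process-creation event whose command line matches a T1490 rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event"] != "4688":
            continue
        for name, rx in RECOVERY_INHIBIT_RULES:
            if rx.search(ev["cmd"]):
                alerts.append(Alert(ev["ts"], ev["host"], ev["user"], name, ev["cmd"]))
    return alerts


def hosts_inhibiting_recovery(alerts, window=timedelta(minutes=10), min_distinct=2):
    """Map host -> sorted rule names for hosts with >= min_distinct different rules inside `window`."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a.host].append(a)
    flagged = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: a.ts)
        for i, first in enumerate(items):
            rules = {a.rule for a in items[i:] if a.ts - first.ts <= window}
            if len(rules) >= min_distinct:
                flagged[host] = sorted(rules)
                break
    return flagged


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.ts.isoformat()} {a.host} {a.user} [{a.rule}] {a.cmd}")
    for host, rules in hosts_inhibiting_recovery(found).items():
        print(f"HIGH: {host} ran {len(rules)} distinct recovery-inhibiting commands: {', '.join(rules)}")
```

On the constructed input, FS01 trips four different rules inside three minutes and is escalated, while the `list shadows` call and the workstation WS22 produce nothing. The correlation step matters in practice: a backup agent may legitimately resize or prune shadow storage, but a single host disabling boot recovery, deleting the backup catalog and wiping shadow copies in quick succession is the moment to isolate it, before the encryptor runs and before any on-host copy is the only copy left.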

Enter ThreatDown EDR Ransomware Rollback—new and improved. 

The ThreatDown EDR Ransomware Rollback feature has been updated to extend the maximum recovery window from 72 hours to 7 full days. The previous three-day limit for reversing ransomware encryption was designed to address common weekend attacks, allowing IT professionals to restore files and functionality by the following Monday. However, with 7-day rollback, IT teams can now approach ransomware recovery with less haste and more time for planning. Given that recovery from ransomware attacks often spans multiple weeks, the option to instantly dial back the clock with Ransomware Rollback is one of the quickest paths to restoring normal operations. 

For more information on ThreatDown EDR Ransomware Rollback, check out this article explaining how it works.

And for businesses looking to better combat vulnerability exploits, consider the ThreatDown EDR add-ons, Vulnerability Assessment and Patch Management, which can operate independently or be integrated seamlessly with one another.

How to protect against zero-day ransomware 

Zero-days are tricky to defend against, since the only way to plug the vulnerabilities is to patch them with updates from the affected software vendor. Each patch can take an average of 9–15 days to develop once the vulnerability is disclosed. The actual time to release a patch averages more than 50 days, though a number of factors can influence timing. Organizations should make every effort, then, to stay on top of this patching gap and guard the most common initial access vectors for ransomware attacks. 

To protect against known vulnerability exploits, zero-days, and the ransomware and extortion attacks that use them, SMBs should consider the following security advice: 

General cybersecurity hygiene 

  • Take inventory of assets and data, identifying authorized and unauthorized devices and software. 
  • Block common forms of entry by disabling or hardening remote access tools like remote desktop protocol (RDP) and virtual private networks (VPNs), both of which have been utilized to launch massive zero-day ransomware attacks. 
  • Grant admin privileges and access only when necessary, establishing a software allow list that only executes legitimate applications. 
  • Monitor network ports, protocols, and services, activating security configurations on network infrastructure devices, such as firewalls and routers. 
  • Consider increasing application security budget, since many cybersecurity suites focus on infrastructure, networks, and endpoints, leaving vulnerabilities to be mitigated according to individual vendor patching schedules, and not critical business needs. 
  • Stop threats before they infiltrate or infect your endpoints by purchasing endpoint security software like ThreatDown Endpoint Detection and Response (EDR), which prevents intrusions, such as exploits used to deliver ransomware. 
  • Make it harder for intruders to operate inside business infrastructure by segmenting networks, implementing multifactor authentication (MFA), and assigning access rights with prudence. Use ThreatDown EDR or Managed Detection and Response (MDR) to detect unusual activity before an attack can occur. 
  • Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly. Consider using ThreatDown EDR Ransomware Rollback to restore damaged system files. 

Vulnerability assessment and patch management 

  • Thwart zero-day exploits by assessing vendor software for vulnerabilities, either with the help of cybersecurity programs like ThreatDown Vulnerability Assessment or through penetration testing, which helps teams discover vulnerabilities before cybercriminals do. IT/IS admins should report any unknown vulnerabilities to their respective vendors and apply such patches as soon as they become available. 
  • Protect against known exploits with rigorous patch management for software, web applications, and operating systems. When a vendor issues a patch, whether by regular interval or outside the normal release schedule, IT teams should move quickly to deploy it. Overburdened departments can look to security solutions like ThreatDown Patch Management to push out patches on a regular schedule and ensure the latest versions of software are running.  
  • When deploying patches, organizations should prioritize vulnerabilities in the CISA Known Exploited Vulnerabilities (KEV) catalog, since cybercriminals are quick to scan for them after their disclosure. The 2024 Verizon DBIR stated the median time for a CVE-registered vulnerability to have its first internet honeypot scan by threat actors is 5 days. The median time for a non-CVE registered vulnerability, meanwhile, is 68 days. 
  • If organizations are unable to catch and patch newly registered vulnerabilities, they could prevent zero-day breaches by selecting vendors with better security track records. SMBs should be holding software developers accountable for the security of their products. Request a software bill of materials (SBOM) from potential third-party suppliers, which helps identify potential vulnerabilities or licensing issues that could impact your organization’s security and regulatory compliance. 
  • Look for vendors embracing secure-by-design principles advanced by CISA, which aim to reduce the burden of cybersecurity risk on businesses and shift ownership of outcomes back to software manufacturers. Carefully vet all vendors to ensure their developers not only write secure code and design secure application architecture, but implement robust data entry verification and address vulnerabilities promptly before product release to prevent unauthorized access by ransomware actors. 
  • If interested, sign up for CISA’s ransomware vulnerability warning pilot program. 
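The KEV-first prioritization in the list above is easy to automate. What follows is an added example, not ThreatDown's, Malwarebytes' or CISA's code: it indexes a constructed snapshot shaped like the CISA KEV JSON feed (the field names cveID, dateAdded, dueDate and knownRansomwareCampaignUse follow the published catalog; the entries, products and CVE ids are placeholders), joins it against constructed scanner findings, and orders the patch queue so that KEV entries tied to ransomware campaigns come first, remaining KEV entries follow by due date, and everything else is ranked by CVSS. The host names, the scanner export shape and the fixed "today" date are assumptions for the example.

```python
import json
from datetime import date

# Constructed snapshot in the shape of the CISA KEV JSON feed. Field names follow the
# published catalog; the entries, products and CVE ids are placeholders, not real records.
KEV_JSON = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": "CVE-0000-1001", "vendorProject": "ExampleVendor", "product": "FileMover",
         "dateAdded": "2024-05-01", "dueDate": "2024-05-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-1002", "vendorProject": "ExampleVendor", "product": "HelpDeskSuite",
         "dateAdded": "2024-04-10", "dueDate": "2024-05-01", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-1003", "vendorProject": "OtherVendor", "product": "EdgeRouter",
         "dateAdded": "2024-03-15", "dueDate": "2024-04-05", "knownRansomwareCampaignUse": "Known"},
    ],
})

# Constructed scanner export: one row per host and CVE. The non-KEV ids are placeholders too.
SCAN_FINDINGS = [
    {"host": "ftp-edge-01", "cve": "CVE-0000-1001", "cvss": 9.8, "internet_facing": True},
    {"host": "helpdesk-01", "cve": "CVE-0000-1002", "cvss": 7.2, "internet_facing": False},
    {"host": "db-03", "cve": "CVE-0000-2001", "cvss": 9.1, "internet_facing": False},
    {"host": "web-05", "cve": "CVE-0000-2002", "cvss": 5.3, "internet_facing": True},
    {"host": "helpdesk-02", "cve": "CVE-0000-1002", "cvss": 7.2, "internet_facing": True},
]

# Fixed reference date so the example is reproducible (an assumption, not the real clock).
TODAY = date(2024, 5, 15)


def load_kev(raw_json):
    """Index the KEV feed by CVE id so each finding is a single dictionary lookup."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def prioritize(findings, kev, today):
    """Order scanner findings for patching.

    P1: in KEV and flagged for known ransomware campaign use.
    P2: in KEV, earlier federal due date first.
    P3: not in KEV, highest CVSS first.
    Within a tier, internet-facing hosts break ties, and each row carries the KEV due
    date and whether it has already passed, which is the SLA number to report upward.
    """
    def sort_key(f):
        entry = kev.get(f["cve"])
        in_kev = entry is not None
        ransomware = in_kev and entry.get("knownRansomwareCampaignUse") == "Known"
        due = date.fromisoformat(entry["dueDate"]) if in_kev else date.max
        return (not ransomware, not in_kev, due, -f["cvss"], not f["internet_facing"])

    ranked = []
    for f in sorted(findings, key=sort_key):
        entry = kev.get(f["cve"])
        if entry is None:
            tier, due, overdue = "P3", None, False
        else:
            due = date.fromisoformat(entry["dueDate"])
            overdue = due < today
            tier = "P1" if entry.get("knownRansomwareCampaignUse") == "Known" else "P2"
        ranked.append({**f, "tier": tier, "kev_due": due, "overdue": overdue})
    return ranked


if __name__ == "__main__":
    queue = prioritize(SCAN_FINDINGS, load_kev(KEV_JSON), TODAY)
    for row in queue:
        flag = " OVERDUE" if row["overdue"] else ""
        print(f'{row["tier"]} {row["host"]:12} {row["cve"]} cvss={row["cvss"]} due={row["kev_due"]}{flag}')
```

Run against the constructed data, the queue puts the internet-facing FileMover host at the top even though the HelpDeskSuite finding is already past its KEV due date, because a vulnerability with known ransomware campaign use is the one most likely to be exploited at scale in the days after disclosure. A CVSS 9.1 finding with no KEV entry lands below a CVSS 7.2 finding that does have one, which is the point of prioritizing by observed exploitation rather than by severity score alone. Swapping the constructed snapshot for the live feed and the constructed findings for a real scanner export is the only change needed to use the ordering in practice.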

 
Security for software developers and vendors 

  • Application security should be bolstered by software engineers themselves, who must build in the necessary time to check open-source code for vulnerabilities, program using secure-by-design principles, and test new software for faulty code before shipping the product.  
  • During the design phase, software manufacturers should prepare for how they will respond when a zero-day is discovered in the wild targeting their product. 
  • Software companies must ensure patches are developed as correctly and comprehensively as possible, so threat actors don’t leverage them to create zero-day exploits. Many zero-days are created because existing vulnerabilities aren’t fully patched to begin with.  
  • To meet higher standards of security in development, vendors should embrace radical transparency and accountability by publicly disclosing lessons learned along with patches as quickly as possible. 
  • Vendors should create a Software Bill of Materials (SBOM) to track the code used in each product and keep the list up-to-date with the latest versions released.  
  • Software producers used by the federal government must submit a secure software development attestation form, which requires them to verify the adoption of best practices for secure development. Businesses might consider adopting similar litmus tests for approved vendors. 

It’s becoming harder and harder to defend against increasingly more frequent, sophisticated ransomware attacks—especially if organizations only put out fires as they arise. But if businesses adopt security best practices in tandem with developers who embrace security by design, it may just be ransomware gangs who are left with zero days to attack.