© 2022 CyberNews

Who is ahead – the ransom hunters or the cybersec industry?


Ransomware gangs are changing up their tactics to go after fewer targets for higher payouts, streamlining their operations to get ‘more bang for their buck’ in the wake of tighter cybersecurity. And yet cyber crooks are still profiting from companies’ lax defenses, using old bugs that have already been exposed to extort money from them.

The average ransom payment during the final three months of 2021 doubled on the previous quarter to $322k, according to cybersecurity firm Coveware. The researcher suggested that this was due to criminals – spooked by the recent evolution in cybersecurity – cutting the number of attacks and compensating by demanding higher ransoms on each one.

The Biden administration’s crackdown in the wake of the Colonial Pipeline attacks last year – along with Russia’s historic cooperation with the US to bust the infamous REvil ransomware gang – are thought to be key drivers behind jittery cyber crews reducing risk by conducting fewer operations.

New money from old tricks

And yet it would appear that cybersecurity is not always as watertight as the above narrative suggests. Researchers at Digital Shadows recently found that exploits for the ProxyShell bug – uncovered by researchers last July – are still being used by ransomware gangs. That means some firms recently held to ransom by threat actors had half a year to patch their defenses but failed to do so.

Digital Shadows added that some bad actors are still taking advantage of even older bugs that have not been identified and patched by companies. The research identified 87 uncovered exploits being used in ransomware attacks during the final quarter of 2021.

For instance, the CVE-2012-0158 Microsoft bug has been in circulation for years, but was still being used by ransomware groups last year, the report found. The vulnerability allows threat actors to hijack Microsoft Word or Excel and force these programs to execute malicious code – as recently as 2020, it was identified as a top tool of choice for ransomware gangs.

Another notable ‘golden oldie’ making a comeback is the CVE-2019-7481 bug, an SQL injection vulnerability affecting SonicWall Secure Remote Access 4600 devices. The exploit is thought to be enjoying a revival due to increased reliance on remote services in the wake of the COVID pandemic.

High-profile cybercriminal groups such as Conti have not been slow to capitalize on older exploits either, dusting off CVE-2018-12808 to target Adobe Acrobat Reader and deliver ransomware via phishing emails and malicious PDFs.

Firms must stay alert

Experts have echoed these findings, calling on businesses to be more timely in investigating and disposing of weaknesses in their cyber defenses.

“Unfortunately, what causes damage down the line after a ransomware attack is if the organization does not understand how they were susceptible to infection in the first place,” said Mark McCain, head of computer software company SailPoint.

“If a company doesn't learn this the first time, the real risk factor is putting a bullseye on its back. We've seen this repeatedly – threat actors will walk right back in through the front door they used the first time if you continue to leave it open.”

Marcus Fowler, head of strategic threat at cybersecurity firm Darktrace, called for greater awareness and information sharing, pointing to last year’s major ransomware attack on Colonial Pipeline as a wake-up call for the industry.

“There must be higher expectations and new requirements for reporting, customer notifications and executive responsibility after a successful ransomware attack,” he said. “Case in point – [US President Joe] Biden’s cybersecurity executive order came days after the crippling incident and shortly before Colonial Pipeline’s CEO testified before Congress.”
