Jan 23, 2024 - Technology

Exclusive: How the cops are boxing in ransomware hackers

Illustration: Sarah Grillo/Axios

The end of ransomware gangs' reliance on critical security flaws could be near, according to a new report shared exclusively with Axios.

Why it matters: Ransomware hackers have had to turn to so-called zero-day vulnerabilities to help launch their attacks, in part because of the success of law enforcement in the last year.

Driving the news: Symantec, the threat intelligence team at semiconductor manufacturer Broadcom, released a report today detailing how ransomware gangs became reliant on zero-day flaws after law enforcement botnet takedowns.

  • But the report also says this vulnerability-heavy attack cycle could peter out in 2024 as hackers rebuild their own tools.

What they're saying: "As time goes on in 2024, more and more organizations [will] have patched their Citrix environment, their Exchange environments and whatever else is being used right now," Vikram Thakur, technical director at Symantec, told Axios.

  • "Barring the disclosure of yet another vulnerability in one of these major publicly available services, we'll see the needle slide back into the reliance of ransomware on botnets."

The big picture: Ransomware gangs have historically relied on a network of malware-infected computers, known as a botnet, to carry out attacks.

  • International law enforcement has taken note, launching several operations in the last year to make some of the most prolific botnets unusable.

The intrigue: Hackers are adaptable and usually have a backup plan.

  • Last year, hackers relied heavily on the darknet market, which only nation-state hackers typically bothered with.
  • It's the engine behind widespread exploitation of critical flaws in tools like Citrix, MOVEit and Ivanti.
  • "The motivation for them to go and find more vulnerabilities in public-facing infrastructure used by organizations is huge, it's massive," Thakur said. "Successful ransomware attacks will lead to more zero-days being disclosed in software like Ivanti or Citrix or Microsoft Exchange."

Between the lines: If a computer is infected with malware as part of a botnet, it's likely that an organization's virus-scanning tools will detect that malicious code within 24 hours and remove it, Thakur said.

  • But zero-days get their name from their stealth: usually, by the time a company notices one of these bugs, a hacker is already inside, or affected customers have had zero days to patch before becoming vulnerable to a cyberattack.

Yes, but: Hunting and exploiting software vulnerabilities is a lot more work than relying on an already established set of malware-infected computers, Thakur said.

  • Ransomware gangs can be opportunistic and turn to tactics that require the smallest amount of work to get the biggest impact, he added.
  • "They already have a foot through the door in an org; all they need to do is pick it up from that standpoint," Thakur said about botnets.

Be smart: Broadcom recommends that organizations start aligning their defenses against hacking groups' tools, tactics and procedures rather than the specific ransomware strain they're using.

  • To do this, IT teams can audit each of the administrative tools their network administrators, and the rest of their employees, are running to make sure they're still needed and secured properly, Thakur said.

The bottom line: Ransomware has become endemic for companies.

  • "The hackers will adapt to the tools that are available in your network," Thakur said. "It doesn't matter what solution you might be using in your network, they're all susceptible to ransomware attacks."