Ransomware gangs are now earning enough cash to start buying Zero-day cybersecurity vulnerabilities. This we know is something more traditionally associated with national states operators. But as some cyber criminals get more advanced want new ways to deliver attacks. And are therefore willing to buy these zero-day vulnerabilities.

On the underground forums knowledge about vulnerabilities can command a high price especially when we’re talking about zero-day vulnerability. In other words, the price is high because cybersecurity researchers won’t know anything about the type of vulnerability. Therefore, when they attack a victim the chances of their plan being thwarted are minimised. Why? Because there has been no chance of applying security updates to protect against it.

For example, cyber criminals rushed to take advantage of Microsoft Exchange vulnerabilities before security patches were applied. So, they could attack undetected and benefit financially.

However, usually Zero-day vulnerabilities are deployed by well-resourced, nation-state-backed hacking operations.

But now there are details appearing on the dark web message boards regarding the zero day market according to analysis by cybersecurity researchers at Digital Shadows.

Digital Shadows, say the “market is an extremely expensive and competitive one” and now “high-profile cyber-criminal groups with good incomes can compete with the traditional buyers of zero-day exploits.”

Stefano De Blasi, threat researcher at Digital Shadows “States can purchase zero-day exploits in a legal way from companies that are solely dedicated to creating these tools.”

But the vulnerabilities that successful ransomware group are now purchasing can cost millions of dollars. And why wouldn’t they buy them since they makes millions from every successful ransomware attack. If these vulnerabilities work, they stand to get back what they paid and then some. Afterall it is a way to infiltrate a number of victims’ networks and potentially get a massive payday.

On the other hand, cyber gangs that purchase vulnerabilities can also make money from less sophisticated cyber criminals by offering ‘exploit-as-a-service’. In other words, lease out to another rather than selling the vulnerability outright. It means that they can make money quicker and perhaps for longer. And then once they’re bored or tired of leasing, they can always sell it.

Another benefit is that while waiting for a definitive buyer zero-day developers can generate substantial earnings by renting the zero day. In addition, according to the report renting parties could test the proposed zero day and later decide whether to purchase the exploit on an exclusive or non-exclusive basis

The preferred option for some zero-day developers is selling to government-backed hacking groups.

But seeing the underground forums means there is a growing interest and cyber-criminal groups are reaching the level of state-backed operations. 

De Blasi explains, “that the cyber-criminal environment is consistently growing both in terms of sophistication and professionalization. And the rise of the exploit-as-a-service business model confirms it. Many prominent ransomware groups can now compete in terms of technical skills with state-sponsored actors and can purchase zero days advertised in illicit environments because they have accumulated the financial resources.

Meanwhile it is a difficult task to defend networks against the nature of zero-day vulnerabilities. But there are practices that can stop cyber criminals having a lengthy window to take advantage of vulnerabilities such as applying critical security updates as soon as they’re released. In addition, businesses need to prepare and plan for what they’d do if they’ve been breached.

De Blasi informs us that, “incident response strategies are crucial in responding to any attacker that may have gained access to a target’s environment”. Everything needs to be “well documented” and regularly tested for the just encase scenario

Want insights like this in your mailbox? Join our monthly mailing list

How can we make your business better with IT?