Ransomware gangs are now rich enough to buy zero-day flaws, say researchers

Zero-day cybersecurity vulnerabilities have traditionally been the preserve of nation states - but now criminal gangs have the funds to buy their own.

Inside a cyber mercenary operation: Hacking victims around the world

Cyber criminals are becoming more advanced as they continue to find new ways to deliver attacks, and some are now willing to buy zero-day vulnerabilities, something more traditionally associated with nation states. 

Knowledge about vulnerabilities and exploits can command a high price on underground forums because being able to take advantage of them can be very profitable for cyber criminals. That's especially true if this knowledge involves a zero-day vulnerability that's not known about by cybersecurity researchers – and that's because attackers know potential victims won't have had the chance to apply security updates to protect against it.

For example, in the weeks after Microsoft Exchange vulnerabilities were disclosed earlier this year, cyber criminals rushed to take advantage of them as quickly as possible in order to benefit from the ability to carry out attacks before the security patches were widely applied. 

SEE: A winning strategy for cybersecurity (ZDNet special report) 

Zero-day vulnerabilities are usually deployed by well-resourced, nation-state-backed hacking operations – but analysis by cybersecurity researchers at Digital Shadows details how there's increasing amounts of chatter on dark web message boards about the criminal market for zero days. 

"This market is an extremely expensive and competitive one, and it's usually been a prerogative of state-sponsored threat groups. However, certain high-profile cyber-criminal groups (read: ransomware gangs) have amassed incredible fortunes in the past years and can now compete with the traditional buyers of zero-day exploits," said Digital Shadows.

"States can purchase zero-day exploits in a legal way from companies that are solely dedicated to creating these tools," Stefano De Blasi, threat researcher at Digital Shadows, told ZDNet. 

"However, when these tools are developed by cyber criminals outside of the law, it is likely easier to identify clientele from the cyber-criminal world; there is, however, only a handful of cyber-criminal actors who could afford the cost of a zero-day exploit". 

These kinds of vulnerabilities can cost millions of dollars, but that's a price that could be affordable for a successful ransomware group. which makes millions from every successful ransomware attack – and they could easily make back what they spend if the vulnerability works as intended by providing a reliable means of infiltrating networks. 

But there's another method of making money from vulnerabilities being explored, and it's one that could place them into the hands of less sophisticated cyber criminals – something known as 'exploit-as-a-service'. 

Instead of selling the vulnerability outright, the cyber criminal who discovered it can lease it out to others. This approach potentially makes money quicker than if they went through the complex process of a sale, and they could continue to make money from it for a long time. They also have the option of eventually selling the zero day if they tire of leasing it. 

"This model enables zero-day developers to generate substantial earnings by renting the zero day out while waiting for a definitive buyer. Additionally, with this model, renting parties could test the proposed zero day and later decide whether to purchase the exploit on an exclusive or non-exclusive basis," said the report. 

SEE: Ransomware: It's a 'golden era' for cyber criminals - and it could get worse before it gets better

Selling to government-backed hacking groups is still the preferred option for some zero-day developers for now, but a growing interest in exploits like this on underground forums indicates how some cyber-criminal groups are approaching the level of state-backed operations. 

"The rise of the exploit-as-a-service business model confirms that the cyber-criminal environment is consistently growing both in terms of sophistication and professionalization. Some high-profile criminal groups can now compete in terms of technical skills with state-sponsored actors; many prominent ransomware groups in particular have now amassed enough financial resources to purchase zero days advertised in illicit environments," De Blasi explained. 

The nature of zero-day vulnerabilities means defending networks against them is a difficult task, but cybersecurity practices like applying critical security updates as soon as they're released can stop cyber criminals having a lengthy window to take advantage of vulnerabilities. Organisations should also have a plan for what to do if they discover they've been breached. 

"Well drilled and documented incident response strategies can be crucial in responding to any attacker that may have gained access to a target's environment," said De Blasi.

MORE ON CYBERSECURITY