Connect with us

Hi, what are you looking for?



Rapid7 Says ROI for Ransomware Remains High; Zero-Day Usage Expands

A new report from Rapid7 says a ransomware gang like Cl0p would easily be able to afford a bevy of zero-day exploits for vulnerable enterprise software.

Ransomware Decryption

The Rapid7 mid-year review of the threat landscape is not reassuring. Ransomware remains high, basic security defenses are not being used, security maturity is low, and the return on investment for criminality is potentially enormous.

The review is compiled from the observations of Rapid7’s researchers and its managed services teams. It finds there were more than 1500 ransomware victims worldwide in H1 2023. These included 526 LockBit victims, 212 Alphv/BlackCat victims, 178 ClOp victims, and 133 BianLian victims. The figures are compiled from leak site communications, public disclosures, and Rapid7 incident response data.

These figures should be seen as conservative. They won’t include organizations that quietly and successfully pay the ransom as if nothing happened. Furthermore, downstream victims are still being calculated  – for example, notes the report, “The number of incidents attributed to Cl0p in this chart is likely to be (significantly) low, since the group is still actively claiming new victims from their May 2023 zero-day attack on MOVEit Transfer.”

Ransomware is successful for two reasons: the very high profit potential for the criminals, and the inadequate security posture of many potential targets. Three factors illustrate the latter. Firstly, nearly 40% of incidents were caused by missing or lax enforcement of MFA (multi factor authentication) – despite many years of exhortations to implement this basic defense.

Secondly, the general security posture remains low for many organizations. Rapid7 consultants have performed multiple security assessments for clients, “with only a single organization so far in 2023 meeting our minimum recommendations for security maturity, as measured against CIS and NIST benchmarks.”

While security for these companies may well improve after the assessment, the figures illustrate that a substantial number of organizations fail to meet minimum standards for security.

Thirdly, and reinforcing the second factor, old vulnerabilities remain successful for the attackers. “Two notable examples from 1H 2023 are CVE-2021-20038, a Rapid7-discovered vulnerability in SonicWall SMA 100 series devices, and CVE-2017-1000367, a vulnerability in the sudo command that allows for information disclosure and command execution,” says the report.

Advertisement. Scroll to continue reading.

This doesn’t mean that new vulnerabilities haven’t been discovered and exploited in H1 2023. “Overall, more than a third of widespread threat vulnerabilities were used in zero-day attacks, which remain prevalent among exploited 2023 CVEs,” continues the report, adding, “Our team has also observed multiple instances of Adobe ColdFusion CVE-2023-26360 exploitation, which may indicate that the vulnerability is being exploited more broadly than the ‘very limited attacks’ Adobe disclosed in their advisory.”

However, organized crime (such as that behind the ransomware gangs) does not attack business simply because it can – it is driven by the profit motive. The Rapid7 report demonstrates just how profitable cybercrime can be.

Exploit brokers remain in demand on the dark web, selling numerous network device zero-day exploits for upward of $75,000. Rapid7 points out that even priced at ten times this amount, a single successful use in a ransomware attack would provide a sizable return on investment.

“In all likelihood, a threat actor like Cl0p would easily be able to afford a bevy of zero-day exploits for vulnerable enterprise software – enabling the group to hoard and hone proprietary capabilities while they conduct reconnaissance on high-revenue targets,” says Rapid7. “It’s not a theoretical use case, either; there are indications that Cl0p tested their zero-day exploit for MOVEit Transfer (CVE-2023-34362) for nearly two years before deploying it in a highly orchestrated attack over Memorial Day weekend this year.”

It is difficult to find much that is reassuring in this report. With huge financial incentive for cybercrime and continuing failure by organizations to implement even basic security defenses (such as MFA and patching) – and with increasing cloud complexity, shortage of skilled security labor, and economic uncertainty plaguing major cybersecurity investments, all complicating the picture – the overall cybersecurity landscape is likely to worsen before it improves.

SecurityWeek asked Caitlin Condon, head of vulnerability research at Rapid7, for her own takeaways from the report. “The fact that so many of the initial access vectors that our managed services team saw were the result of basic security hygiene not being present,” she replied.

“That’s not a number that we want to see. We don’t want to see so many preventable attacks when we know that there are so many complex attacks that organizations are also struggling with,” she continued. “But the good news is that, in theory, implementing something like MFA is a known quantity and a defined action that an organization is able to take if it wants to.”

Preventable attacks are succeeding, so the basics are still important. “Organizations are not powerless,” she added.

Related: Rapid7 Announces Layoffs, Office Closings Under Restructuring Plan

Related: Rapid7 Buys Anti-Ransomware Firm Minerva Labs for $38 Million

Related: Rapid7: Japan Threat Landscape Takes on Global Significance

Related: Rapid7 Flags Multiple Flaws in Sigma Spectrum Infusion Pumps

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...