Patterns and Targets for Ransomware Exploitation of Vulnerabilities: 2017–2023

Recorded Future’s Insikt research analyzes six years of ransomware exploitation trends, showing ransomware groups split between targeting a small set of unique vulnerabilities and widely exploited flaws in common enterprise software. The report highlights recurring group-specific patterns (e.g., CL0P hitting Accellion, SolarWinds, MOVEit) and recommends prioritized patching, monitoring proofs-of-concept, and observing threat actor discussions. #CL0P #Accellion #SolarWinds #MOVEit

Key points

  • Ransomware exploitation falls into two categories: vulnerabilities exploited by only a few groups and those broadly exploited by many groups.
  • Widely exploited flaws are typically in common enterprise software and can be leveraged via public exploit modules and penetration-testing tools.
  • Groups with focused targeting (e.g., CL0P) show repeatable patterns across specific products such as Accellion, SolarWinds, and MOVEit.
  • Defensive priorities differ: unique-target exploitation requires targeted audits and threat-informed controls; widespread vulnerabilities require rapid patching and PoC monitoring.
  • The broader cybercriminal ecosystem (not necessarily ransomware operators) shares and discusses public vulnerabilities and potential targets, accelerating exploitation risk.
  • Emerging risks include generative AI lowering technical barriers for exploit development and potential expansion of targets to major vendors and crypto-related theft.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Attackers exploited vulnerabilities in widely used enterprise software; ‘Widely exploited vulnerabilities are found in commonly used enterprise software and are easily exploited through various means like penetration testing modules.’
  • [T1588] Obtain Capabilities – Adversaries leverage publicly available penetration-testing modules and other tools to weaponize exploits; ‘…easily exploited through various means like penetration testing modules.’
  • [T1596] Search Open Websites/Domains – The criminal ecosystem and researchers share and discuss known vulnerabilities and targets on public forums and research sites; ‘the broader cybercriminal ecosystem identifies and discusses publicly known vulnerabilities and potential targets for exploitation.’
  • [T1203] Exploitation for Client Execution – Some vulnerabilities require specific vectors for execution and are therefore exploited by fewer groups; ‘Vulnerabilities requiring unique vectors are typically exploited by only a few groups.’

Indicators of Compromise

  • [Domain] Source and report hosts – recordedfuture.com, go.recordedfuture.com
  • [URL] Report PDF – https://go.recordedfuture.com/hubfs/reports/cta-2024-0208.pdf
  • [File name] Report file – cta-2024-0208.pdf
  • [Affected software/targets] Repeatedly targeted products – Accellion, SolarWinds, MOVEit

Ransomware exploitation patterns separate into two operational modes: (1) widespread exploitation of common enterprise software using readily available exploit modules and penetration-testing tooling, and (2) focused exploitation of unique vulnerabilities affecting specific products that only a few groups pursue. In the first mode, attackers reuse public exploits and proofs-of-concept to rapidly compromise exposed services, making timely patching and monitoring for PoCs critical. In the second mode, groups like CL0P demonstrate repeatable targeting across specific vendors (Accellion, SolarWinds, MOVEit), so defenders should prioritize product-specific audits, configuration reviews, and telemetry coverage for those assets.

Defensive procedure should therefore combine rapid vulnerability remediation for popular components with threat-informed hunting for product-specific abuse patterns. Operational steps include: maintain an accurate inventory of internet-facing and enterprise software, prioritize patching based on exploitability and business impact, monitor security research and criminal forums for emerging PoCs or references to tech-stack components, and deploy detection rules that look for exploitation behaviors rather than only CVE identifiers. For vulnerabilities requiring unique vectors, perform focused code and configuration reviews and emulate likely exploit chains in controlled testing to validate mitigations.
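The operational steps above can be wired into a small triage routine that maps each inventory entry onto the report's two modes and orders remediation by exploitability and business impact. This is an added illustration, not code from Recorded Future or the report; the scoring weights, the mode thresholds and the sample inventory (with placeholder CVE ids) are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class VulnRecord:
    product: str           # inventory entry (constructed sample names)
    cve: str               # placeholder id, not a real CVE from the report
    internet_facing: bool
    public_poc: bool       # a proof-of-concept exploit is public
    exploit_module: bool   # a penetration-testing framework module exists
    groups_observed: int   # ransomware groups reported exploiting it
    business_impact: int   # 1 (low) .. 5 (critical), set by the asset owner

def classify_mode(v: VulnRecord) -> str:
    # The report's split: off-the-shelf tooling or several groups means
    # "widespread"; otherwise "unique-vector" (few groups, product-specific).
    return "widespread" if v.exploit_module or v.groups_observed >= 3 else "unique-vector"

def priority_score(v: VulnRecord) -> int:
    # Exploitability plus business impact; higher scores are patched sooner.
    # Weights are an assumption for illustration, not taken from the report.
    return (v.business_impact + (3 if v.internet_facing else 0)
            + (2 if v.public_poc else 0) + (2 if v.exploit_module else 0)
            + min(v.groups_observed, 5))

def recommended_actions(v: VulnRecord) -> list[str]:
    # Defensive steps differ by mode, following the report's advice.
    if classify_mode(v) == "widespread":
        actions = ["patch within emergency SLA", "deploy behaviour-based detection"]
        if not v.public_poc:
            actions.append("watch research feeds and forums for a PoC")
        return actions
    return ["targeted configuration and code review",
            "emulate the likely exploit chain in a lab to validate mitigations",
            "extend telemetry coverage for this product"]

def triage(records: list[VulnRecord]) -> list[tuple[str, str, int, list[str]]]:
    # (product, mode, score, actions) ordered by descending score.
    ranked = sorted(records, key=priority_score, reverse=True)
    return [(v.product, classify_mode(v), priority_score(v), recommended_actions(v))
            for v in ranked]

# Constructed inventory; CVE ids are placeholders, not real identifiers.
SAMPLE_INVENTORY = [
    VulnRecord("file-transfer-appliance", "CVE-0000-00001", True, True, True, 4, 5),
    VulnRecord("ci-build-server", "CVE-0000-00002", False, False, False, 1, 4),
    VulnRecord("vpn-gateway", "CVE-0000-00003", True, False, False, 2, 5),
]
```

Running `triage(SAMPLE_INVENTORY)` ranks the internet-facing appliance with a public exploit module first, while the low-group-count entries fall into the unique-vector mode and receive review-and-emulate actions instead of a patch-only response.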

Looking ahead, technical risk may increase as generative AI and other tooling lower the effort needed to develop exploits and weaponize zero-days, potentially expanding the set of attractive targets (including large vendor products) and shifting some extortion activity toward crypto-asset theft. Security teams should invest in proactive threat intelligence, prioritize mitigations for commonly abused components, and incorporate rapid PoC-based validation into patch management and incident response playbooks.

Read more: https://www.recordedfuture.com/patterns-targets-ransomware-exploitation-vulnerabilities-2017-2023