Readers of this site (as well as our book, “Ransomware: Understand. Prevent. Recover”) will know that ransomware-as-a-service is becoming a popular way for cybercriminals to make money. Now that service model is being applied to zero-day exploits, leading to the rise of “exploit-as-a-service.”
The idea behind exploit-as-a-service (EaaS) is that when criminals discover a zero-day vulnerability—i.e., an undiscovered flaw with no current fix or patch—rather than launching an attack themselves, they “rent” the exploit to other bad actors. They will often sell the exploit outright to the highest bidder, but renting provides a recurring revenue stream, much like other as-a-service software.
Zero-day exploits are well-known in the cybersecurity world, but are most often used by nation-state actors. They’re extremely expensive to buy—often in the millions of dollars—making them beyond the reach of your garden-variety criminal.
Ransomware has changed all that. It’s so lucrative that the criminal gangs can now afford to buy zero-day vulnerabilities and apply the same as-a-service paradigm to these flaws that they do to ransomware.
Flush with Cash
Threat intelligence company Digital Shadows has investigated this new market and revealed some startling information:
Zero-day exploits are incredibly pricey, and we’ve observed threat actors claiming that they could go away for up to $10,000,000. These prices may look jaw-dropping, but there’s a key aspect to keep in mind. Whatever legitimate bug bounty programs offer, cybercriminals must offer more in order to compete with them, given the risks (jail time) and additional requirements needed during illicit activity (i.e., money laundering).
Although $10 million seems like an extraordinarily high price to pay, many ransomware gangs can afford it. It can be difficult to know how much companies are paying in ransom to get their data unencrypted—it’s not the kind of thing a victim will want to publicize—but ransoms in the millions of dollars are commonplace.
ZDNet reported that one victim paid a $10 million ransom in 2020, and some ransomware demands reached $30 million that year, a figure that is likely higher now. The infamous Colonial Pipeline attack of May 2021 came with a $4.4 million ransom demand.
In addition, ransomware groups are diversifying in other ways to increase profits. As reported here on Ransomware.org, the Conti group is selling private company information obtained during a ransomware attack to the highest bidder. That’s even more funding for EaaS.
This signals a new escalation in the ransomware wars. Cybercriminals are now using the profits from their attacks to buy zero-day exploits, which they can then “lease” and eventually sell to other criminals. Those profits can in turn be plowed back into developing new ransomware techniques and hunting for vulnerabilities, which leads to yet more attacks, more zero-day exploits being developed, and so on.
This vicious cycle emphasizes the need to protect your organization by taking immediate action. Zero-day exploits may be terrifying, but most compromises are still achieved via unpatched systems for which patches have existed for days, months, and even years.