
Wealthy cybercriminals are using zero-day hacks more than ever


“Ransomware groups have been able to recruit new talent and to use the resources from their ransomware operations and from the insane amounts of revenue they’re pulling in in order to focus on what was once the domain of state-sponsored [hacking] groups,” says James Sadowski, a researcher with Mandiant.

Zero-days are typically bought and sold in the shadows, but what we do know shows just how much money is at play. A recent MIT Technology Review report detailed how an American firm sold a powerful iPhone zero-day for $1.3 million. Zerodium, a zero-day vendor, has a standing offer to pay $2.5 million for any zero-day that gives the hacker control of an Android device. Zerodium then turns around and sells the exploit to another organization—perhaps an intelligence agency—at a significant markup. Governments are willing to pay that kind of money because zero-days can be an instant trump card in the global game of espionage, potentially worth more than the millions an agency might spend.

But they’re clearly worth a lot to criminals too. One particularly aggressive and adept ransomware group, known by the code name UNC2447, exploited a zero-day vulnerability in SonicWall, a virtual private network tool used in major corporations around the world. After the hackers gained access, they used ransomware and then pressured victims to pay by threatening to tell the media about the hacks or sell the firms’ data on the dark web.

Maybe the most famous ransomware group of recent history is Darkside, the hackers who caused the shutdown of the Colonial Pipeline and ultimately a fuel shortage for the eastern United States. Sadowski says they too exploited at least one zero-day during their short but intense period of activity. Soon after becoming world famous and attracting all the unwanted law enforcement attention that comes with fame, Darkside shuttered, but since then the group may simply have rebranded.

For a hacker, the next best thing after a zero-day might be a one- or two-day vulnerability—a security hole that has been recently discovered but has not yet been fixed by that hacker’s potential targets around the world. Cybercriminals are making rapid advances in that race, too.

Cybercrime groups “are picking up state-sponsored threat actors’ zero-days at a quicker pace,” says Adam Meyers, senior vice president of intelligence at the security firm CrowdStrike. The criminals observe the zero-days being used and then sprint to co-opt the tools for their own purposes before most cyber-defenders know what’s happening.

“They quickly figure out how to use it, and then they leverage it for continued operations,” says Meyers.
