
H1 2023: Ransomware's Pivot to Linux and Vulnerable Drivers

Posted: 17th August 2023
By: Insikt Group


In the first half of 2023, ransomware attacks surged, with attackers increasingly relying on vulnerability exploitation for rapid compromise. Prominent campaigns used vulnerability exploits against organizations, such as the VMware ESXi hypervisor breach. This trend was fueled by ransomware groups targeting Linux servers, which allow for faster attacks but present a less user-rich environment than Windows or macOS, making vulnerability exploitation a priority for initial access.

Prominent malware variants in H1 2023 included LockBit, ALPHV, Royal, ESXiArgs, and Pegasus. Additionally, attackers exploited vulnerable drivers to bypass endpoint detection and response solutions, emphasizing the need to inventory and patch the drivers an organization uses.

An event of significant financial impact was the exploitation of a zero-day vulnerability affecting Barracuda’s email security gateway (ESG), leading to the replacement of ESG appliances and substantial financial losses. Redundancy in IT and security architecture is crucial. The rest of 2023 will likely witness continued ransomware attacks through exploited vulnerabilities and targeting vulnerable drivers. Defenders should optimize resources and budgets for redundancy to distribute risk.

Ransomware actors will exploit third-party software vulnerabilities, as demonstrated by the CL0P group's breaches. Defenders should review security policies for third-party software, especially products targeted in H1 2023. Steps include inventorying MFT systems, maintaining robust patch management, and coordinating with vendors for effective vulnerability responses.

Vulnerable drivers are a growing attack vector requiring vigilant tracking, identification of malicious drivers, and regular audits to minimize exploitation. Organizations relying on a single security solution should prioritize redundancy to distribute cyber risk.

Overall, the landscape emphasizes the need for proactive measures to counter ransomware and vulnerability exploits, involving thorough inventorying, patch management, redundancy, and collaborative response strategies.

The entire analysis, with endnotes, is available as a downloadable PDF report.