{
	"id": "4c60608b-70b8-4391-af36-5ea1d7d4b2bb",
	"created_at": "2026-04-06T00:13:55.497983Z",
	"updated_at": "2026-04-10T03:20:46.430664Z",
	"deleted_at": null,
	"sha1_hash": "034f516c99b01297e1653bd6c4d1360691551e05",
	"title": "Ransomware Attack Vectors shift as New Software Vulnerability Exploits Abound",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 422879,
	"plain_text": "Ransomware Attack Vectors shift as New Software Vulnerability\r\nExploits Abound\r\nBy Bill Siegel\r\nPublished: 2021-04-26 · Archived: 2026-04-05 13:30:11 UTC\r\nThe Coveware Quarterly Ransomware Report describes ransomware incident response trends during Q1 of 2021.\r\nData exfiltration extortion continues to be prevalent and we have reached an inflection point where the vast\r\nmajority of ransomware attacks now include the theft of corporate data. Q1 saw a reversal of average and median\r\nransom amounts. The averages in Q1 were pulled up by a raft of data exfiltration attacks by one specific threat\r\nactor group that opportunistically leveraged a unique vulnerability (more on this below).\r\nAverage and Median Ransom Payments in Q1 2021\r\nAverage Ransom Payment\r\n$220,298\r\n+43% from Q4 2020\r\nMedian Ransom Payment\r\n$78,398\r\n+59% from Q4 2020\r\nhttps://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound\r\nPage 1 of 10\n\nAverage and Median Ransom Payments\r\nThe average ransom payment increased 43% to $220,298 from $154,108 in Q4 of 2020.  The median payment in\r\nQ1 also increased to $78,398 from $49,450, a 58% increase.  Averages and median were pulled higher by a small\r\nnumber of threat actor groups, most specifically CloP, that were extremely active during Q1 and impacted large\r\nvictims with very high ransom demands.  As the data exfiltration tactic has proliferated, the risk / reward\r\ncharacteristics of paying to suppress a leak has not changed. We first noted this trend in our Q3 report; victims of\r\ndata exfiltration extortion have very little to gain by paying a cyber criminal, and despite the increase in demands,\r\nand higher prevalence of data theft, we are encouraged that a growing number of victims are not paying. 
Over\r\nhundreds of cases, we have yet to encounter an example where paying a cyber criminal to suppress stolen data\r\nhelped the victim mitigate liability or avoid business / brand damage. On the contrary, paying creates a false sense\r\nof security, unintended consequences and future liabilities. Coveware’s position remains unchanged and we advise\r\nvictims of data exfiltration extortion to assume the following:\r\nThe data will not be credibly destroyed. Victims should assume it will be traded to other threat actors, sold,\r\nmisplaced, or held for a second/future extortion attempt.\r\nCustody of the exfiltrated data was held by multiple parties and was not secured. Even if the threat actor deletes a\r\nvolume of data following a payment, other parties that had access to it may have made copies so that they\r\ncan extort the victim in the future.\r\nThe data may be deliberately or mistakenly published before a victim can even respond to an extortion\r\nattempt.\r\nComplete records of what was taken may not be delivered by the threat actor, even if they explicitly\r\npromise to provide such artifacts after payment.\n\n77% of Ransomware Attacks Involved the Threat to Leak Exfiltrated Data (+10%\r\nFrom Q4 2020)\r\nThe percentage of ransomware attacks that included a threat to release stolen data increased from 70% in Q4 to\r\n77% in Q1. The majority of ransomware attacks that involve data exfiltration have two main goals: 1) exfiltrate\r\ncorporate data from the most convenient file server and 2) escalate privileges and deploy ransomware on as many\r\nendpoints as possible. Most RaaS affiliates purchase network access and use stolen data solely as additional\r\nleverage against the victim. This means that despite the threats, threat actors rarely take the time to steal data that\r\nany other criminals or interested parties would want to purchase. 
The stolen data is just proof that the attack\r\noccurred and sometimes creates legal obligations for the victim.\r\nThe CloP ransomware group took a very different strategy in their Q1 exploitation of Accellion’s FTA product.\r\nBeginning in late December and continuing through much of Q1, CloP exploited two zero-day vulnerabilities that\r\nallowed for remote code execution within unpatched Accellion FTA instances. This was a highly sophisticated and\r\ntargeted exploitation of a single software appliance, only used by a handful of enterprises. The CloP group may\r\nhave purchased the exploit used in the initial stages of the attack, so as to have exclusive use. This behavior stands\r\nin stark contrast to how most unauthorized network access is brokered through the cyber extortion supply chain to\r\nany willing purchaser post exploitation. Moreover, the Accellion exploit did not allow for the deployment of\r\nransomware across the victims' environments, so data theft from the appliance was the sole target of CloP's\r\ncampaign from the outset.\r\nUnlike most exploits used by ransomware threat actors, unpatched Accellion FTA instances are rare (likely less\r\nthan 100 total), especially when compared to vulnerable RDP instances, which number hundreds of thousands\r\nglobally. CloP’s confidence that such a small number of targets would yield a positive financial return must have\r\nbeen high and, unfortunately, they were correct. Dozens of CloP victims received extortion demands totalling tens of millions of\r\ndollars; the majority of the victims opted not to pay and were subsequently doxxed on the CloP leak\r\nsite. As of early April, the CloP/Accellion campaign seems to have run its course, and the CloP group has returned\r\nto using traditional network access vectors and encryption ransomware in its attacks.
\r\nMost Common Ransomware Variants in Q1 2021\r\nRank  Ransomware Type  Market Share %  Change in Ranking from Q4 2020\r\n1     Sodinokibi       14.2%           -\r\n2     Conti V2         10.2%           +4\r\n3     Lockbit          7.5%            +6\r\n4     Clop             7.1%            New in Top Variants\r\n5     Egregor          5.3%            -3\r\n6     Avaddon          4.4%            +3\r\n7     Ryuk             4.0%            -4\r\n8     Darkside         3.5%            New in Top Variants\r\n9     Suncrypt         3.1%            -1\r\n9     Netwalker        3.1%            -5\r\n10    Phobos           2.7%            -1\r\nTop 10: Market Share of the Ransomware attacks\r\nRansomware-as-a-Service operations ratcheted up the competition for affiliates and credibility in Q1. As these\r\ngroups have grown in size, so has the associated operational complexity and risk. Some failures of operating a\r\ncriminal enterprise at scale observed during Q1 include:\r\nEgregor: Sunsetting operations only 4 months after taking the torch from the Maze group.\r\nNetwalker: Ceased activities following a complete law enforcement takedown of infrastructure and the arrest\r\nof affiliate participants.\r\nConti: Growing pains as their outsourced chat operations complicated victim recoveries and negotiations.\r\nAdditionally, Conti has also been re-attacking prior victims and launching new attacks shortly after an\r\ninitial attack was sustained, a practice at odds with a RaaS organization interested in maintaining a\r\nreputation that compels victims to pay a ransom.\r\nLockbit: Technical flaws in the ransomware that resulted in data loss for encryption victims. The group has\r\nalso been associated with numerous re-extortion demands.
\r\nSodinokibi: Technical flaws that left victims unable to match encryption keys, resulting in total data\r\nloss.\r\nBlackKingdom: Attempted mass exploitation through Exchange web shells, but flaws in their encryption led to\r\npermanent data loss.\r\nIn a new trend in Q1, several RaaS operations turned their focus to developing encryption modules for Unix and\r\nLinux. We have now observed this development from Defray777, Mespinoza, Babuk, Nephilim and Darkside.\r\nSodinokibi is also making rumblings about releasing a Unix version. Victims running Unix and Linux should\r\nexpect complications and data loss. Early versions of any ransomware generally include bugs that the threat actors\r\neither don’t know about or don’t care to fix before targeting victims.\r\nMost Common Ransomware Attack Vectors in Q1 2021\r\nRansomware attack vectors: RDP compromise, email phishing, software vulnerability, and others.\r\nIn Q1 compromised remote desktop protocol connections regained the top position as the most common attack\r\nvector. RDP remains a frustratingly common vulnerability despite well known secure remote connection best\r\npractices. Phishing emails that install credential-stealing malware or a remote access trojan also remain a\r\ncommon attack vector. As with RDP, defense techniques that include least privilege and two-factor authentication can\r\neasily limit the ability of an attacker to escalate privileges beyond the initially compromised machine. Defending\r\nagainst the escalatory impact of a successful phishing attack requires no new hardware or software, just the will to\r\nimplement and follow simple tools and configurations properly.
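The RDP and phishing defenses described above are configuration and monitoring work rather than new tooling. As an added example that is not part of the original Coveware report, the Python below implements the kind of detection a small team can put in place with the logs it already has: it walks Windows Security log records, flags a source address that accumulates failed RemoteInteractive (RDP) logons inside a short window, and raises a second finding when that same address then succeeds over RDP, which is the signature of a brute force or password spray that worked. The event tuples, the thresholds and the field layout are constructed for illustration; a real deployment would read the 4624/4625 events from the Security log or a SIEM.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records, not real telemetry.
# Each tuple is (TimeCreated UTC, EventID, LogonType, TargetUserName, IpAddress).
# EventID 4625 is a failed logon, 4624 a successful one; LogonType 10 is
# RemoteInteractive, the type an RDP session produces.
SAMPLE_EVENTS = [
    ('2021-03-02T08:00:01', 4625, 10, 'administrator', '203.0.113.45'),
    ('2021-03-02T08:00:03', 4625, 10, 'admin',         '203.0.113.45'),
    ('2021-03-02T08:00:05', 4625, 10, 'backup',        '203.0.113.45'),
    ('2021-03-02T08:00:07', 4625, 10, 'scanner',       '203.0.113.45'),
    ('2021-03-02T08:00:09', 4625, 10, 'jsmith',        '203.0.113.45'),
    ('2021-03-02T08:00:12', 4624, 10, 'jsmith',        '203.0.113.45'),
    ('2021-03-02T08:15:00', 4625, 10, 'mlee',          '198.51.100.7'),
    ('2021-03-02T08:15:30', 4624, 10, 'mlee',          '198.51.100.7'),
    ('2021-03-02T09:00:00', 4625, 2,  'svc_sql',       '-'),
    ('2021-03-02T09:00:01', 4625, 2,  'svc_sql',       '-'),
    ('2021-03-02T09:00:02', 4625, 2,  'svc_sql',       '-'),
    ('2021-03-02T09:00:03', 4625, 2,  'svc_sql',       '-'),
    ('2021-03-02T09:00:04', 4625, 2,  'svc_sql',       '-'),
]

RDP_LOGON_TYPE = 10
FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5),
                          success_grace=timedelta(minutes=30)):
    # Flag any source IP that produces at least `threshold` failed RDP logons
    # inside a sliding `window`, and raise a second, higher-severity finding
    # when the same IP then logs on successfully over RDP within
    # `success_grace` of its last failure (the brute force worked).
    # Only LogonType 10 is considered, so console and service logon noise
    # (the svc_sql records above) never reaches the counters.
    events = sorted(events, key=lambda e: e[0])
    recent_failures = defaultdict(deque)   # ip -> deque of (time, user)
    flagged = {}                           # ip -> time of its last failure
    findings = []
    for ts_raw, event_id, logon_type, user, ip in events:
        if logon_type != RDP_LOGON_TYPE:
            continue
        ts = datetime.fromisoformat(ts_raw)
        if event_id == FAILED_LOGON:
            q = recent_failures[ip]
            q.append((ts, user))
            while q and ts - q[0][0] > window:
                q.popleft()              # drop failures older than the window
            if ip in flagged:
                flagged[ip] = ts         # keep the grace period anchored
            elif len(q) >= threshold:
                flagged[ip] = ts
                findings.append({
                    'type': 'rdp_bruteforce',
                    'ip': ip,
                    'time': ts_raw,
                    'failures': len(q),
                    'users': sorted({u for _, u in q}),
                })
        elif event_id == SUCCESSFUL_LOGON and ip in flagged:
            if ts - flagged[ip] <= success_grace:
                findings.append({
                    'type': 'rdp_bruteforce_success',
                    'ip': ip,
                    'time': ts_raw,
                    'user': user,
                })
    return findings


if __name__ == '__main__':
    for finding in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints the two findings from the sample: the burst of five failures from 203.0.113.45 across several account names, then the successful jsmith logon from the same address seconds later. The single mlee failure followed by success is normal user behaviour and is not reported, and the svc_sql failures are LogonType 2 and never counted. In practice, tune the threshold and window to the environment; enforcing account lockout and multi-factor authentication on the RDP gateway removes most of what this detects, which is the report's point.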
\r\nAttack Vectors used by the Top Three Ransomware Variants\r\nTop 3 Ransomware Types: Sodinokibi, Conti V2, and Lockbit.\r\nThe most common software vulnerabilities exploited during Q1 involved VPN appliances, such as Fortinet and\r\nPulse Secure. Several RaaS services leveraged these VPN vulnerabilities during Q1. Again, it is likely that the\r\nactual RaaS operators and affiliates were NOT the party that achieved network access via these vulnerabilities, but\r\nrather specialist actors that harvest network credentials and are specifically trained to mass scan for vulnerable IP\r\naddresses. These specialists then resell network access to ransomware affiliates who use the access to stage the\r\nextortion phase of the attack. This deliberate division of labor sheds light on how open RaaS operations that focus\r\non smaller victims, like Lockbit, were able to take advantage of vulnerabilities outside of their skillset.\r\nSpecialization and supply chain coordination also highlight the continued evolution of the cyber extortion\r\neconomy.\r\nAttack Vectors used by Ransomware Actors on Different Sized Victims\r\nAttack Vector by Company Size Q1 2021\r\nDuring Q1, the cyber extortion economic supply chain demonstrated how a vulnerability in widely used VPN\r\nappliances can be identified, exploited and monetized by ransomware affiliates. It is rare to see software\r\nvulnerabilities directly leveraged by affiliates of RaaS groups, but when specialists broadly market the results of\r\ntheir illicit skills, the costs of carrying out an attack decline and lower the barriers to entry for new cyber\r\ncriminals.\r\nThe continued evolution and specialization of the ransomware supply chain is a worrisome trend. 
Lower overall\r\noperating costs drop the barrier to entry AND boost the profitability of attacks. Until the unit economics of\r\nransomware attacks become less profitable, we should expect the volume of attacks to continue to increase. Even\r\nmore worrisome is the maturity and progression of the supply chain within the cyber extortion economy. The\r\ninfrastructure that is being created to run this economy will be difficult to unwind. The more mature the supply\r\nchain is allowed to become, the harder it will be to dismantle.\r\nMost Industries Impacted by Ransomware in Q1 2021\r\nCommon Industries Targeted by Ransomware in Q1 2021\r\nThe most notable change in industries impacted by ransomware attacks in Q1 was the Professional Services\r\nindustry, specifically law firms. Small and medium sized law firms continue to succumb to encryption\r\nransomware and data exfiltration extortion attacks. Unfortunately, the economics of many small professional\r\nservice firms do not encourage or enable adequate cyber security.\r\nFor example, many law firms are structured as limited partnerships for tax purposes. This means the firm pays out\r\nall its profit to the partners every year. The desire to maximize profits and income to the partners can marginalize\r\nthe priority of investing in cybersecurity. Another example is the third party vendor relationships of a small law\r\nfirm. These firms generally do not work with major enterprises that would perform rigorous cyber risk\r\nassessments, the most basic of which would immediately surface common vulnerabilities and weaknesses that\r\nmay result in a future ransomware attack. Rather, small firms tend to have equally sized clients that do not demand\r\nvendor assessments of cyber risk. 
\r\nAs these two examples show, there is minimal internal or external market pressure to prioritize cyber security.\r\nThe volume of professional service firms that are victimized is a result of these micro dynamics.\r\nMedian Size of Ransomware Attack Victims in Q1 2021\r\nMedian Size of Companies Targeted by Ransomware\r\nRansomware attacks still disproportionately affect small businesses. These small companies rarely end up in the\r\nheadlines and often don’t have the financial or technical expertise to properly handle the incident OR perform the\r\nproper remediation required to prevent a repeat attack. Small businesses that exist below the cyber security\r\npoverty line represent the greatest challenge to stemming the expansion of the cyber extortion economy.\r\nDistribution by company size (employee count)\r\nIncident Duration and Business Interruption of a Ransomware Attack\r\nAverage Days of Downtime: 23 (+10% from Q4 2020)\r\nIncident duration expanded slightly in Q1 to an average of 23 days. Contributing factors to this increase were the\r\naverage length of time it takes to adjudicate data exfiltration incidents, and technical challenges from corrupted\r\ndata (see the above discussion on flaws in certain ransomware causing data loss). Q1 also included multiple instances\r\nof deliberate disruption by the threat actor during the recovery period following the initial attack. Disruptions\r\nincluded attempts to steal additional data or re-launch the ransomware. Prior to Q1 such behavior was a rare\r\noccurrence, but the tactic appears to be gaining traction amongst certain threat groups. This behavior not only\r\nexacerbates business interruption, but delays negotiation progress. 
This behavior also undermines the victim’s\r\nconfidence that the threat actor will assist in a successful resolution. The threat actor’s expectation that re-attacking increases the pressure to pay is misguided. Re-attacks make victims less inclined to facilitate any sort of\r\npayment.\r\nDisclaimer\r\nCoveware is not responsible for any actions taken, errors or omissions (negligent or otherwise), regardless of the\r\ncause, or for the results obtained from the use of this content, or for the performance of any computer, hardware\r\nor software used or modified in conjunction with this content. The content is provided on an \"as is\" basis. \r\nVIEWERS OF THIS REPORT AND ITS CONTENT DISCLAIM ANY AND ALL EXPRESS OR IMPLIED\r\nWARRANTIES, INCLUDING, BUT NOT LIMITED TO, ANY WARRANTIES OF MERCHANTABILITY OR\r\nFITNESS FOR A PARTICULAR PURPOSE OR USE, FREEDOM FROM BUGS, SOFTWARE ERRORS OR\r\nDEFECTS, THAT THE CONTENT'S FUNCTIONING WILL BE UNINTERRUPTED OR THAT THE CONTENT\r\nWILL OPERATE WITH ANY SOFTWARE OR HARDWARE CONFIGURATION. \r\nIn no event shall Coveware be liable to any party for any direct, indirect, incidental, exemplary, compensatory,\r\npunitive, special or consequential damages, costs, expenses, legal fees, or losses (including, without limitation,\r\nlost income or lost profits and opportunity costs or losses caused by negligence) in connection with any use of the\r\ncontent even if advised of the possibility of such damages.\r\nSource: https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound"
	],
	"report_names": [
		"ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound"
	],
	"threat_actors": [],
	"ts_created_at": 1775434435,
	"ts_updated_at": 1775791246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/034f516c99b01297e1653bd6c4d1360691551e05.pdf",
		"text": "https://archive.orkl.eu/034f516c99b01297e1653bd6c4d1360691551e05.txt",
		"img": "https://archive.orkl.eu/034f516c99b01297e1653bd6c4d1360691551e05.jpg"
	}
}