Maybe the most famous ransomware group of recent history is DarkSide, the hackers who caused the shutdown of the Colonial Pipeline and ultimately a fuel shortage for the eastern United States. Sadowski says they too exploited at least one zero-day during their short but intense period of activity. Soon after becoming world famous and attracting all the unwanted law enforcement attention that comes with fame, DarkSide shuttered, but since then the group may simply have rebranded.
For a hacker, the next best thing after a zero-day might be a one- or two-day vulnerability—a security hole that has been recently discovered but has not yet been fixed by that hacker’s potential targets around the world. Cybercriminals are making rapid advances in that race, too.
Cybercrime groups “are picking up state-sponsored threat actors’ zero-days at a quicker pace,” says Adam Meyers, senior vice president of intelligence at the security firm CrowdStrike. The criminals observe the zero-days being used and then sprint to co-opt the tools for their own purposes before most cyber-defenders know what’s happening.
“They quickly figure out how to use it, and then they leverage it for continued operations,” says Meyers.