Zero-Day Exploit in DrayTek Routers Fuels Global Ransomware Attacks
Since August 2023, attackers have quietly exploited a zero-day vulnerability in DrayTek routers to compromise the devices, steal credentials, and then deploy ransomware on the networks behind them.
According to a joint report by Forescout and PRODAFT, the attacks were carried out by a group tracked as Monstrous Mantis, which is believed to be associated with the operators of the RagnarLocker ransomware. The attackers used the vulnerability to extract and decrypt credentials from DrayTek Vigor routers and then shared the stolen data with a small number of partners.
Two of those partners were identified as long-standing participants in various Ransomware-as-a-Service (RaaS) operations. They used the stolen credentials to break into corporate networks and deploy ransomware strains including RagnarLocker, Qilin, Nokoyawa, and RansomHouse.
The first group, tracked as Ruthless Mantis (PTI-288), is linked to former members of the REvil gang. It reportedly used credentials supplied by Monstrous Mantis to attack 337 organizations, primarily in the United Kingdom and the Netherlands.
The second group, known as Wazawaka (LARVA-15), is associated with Mikhail Matveev, who was apprehended in late November and charged in connection with ransomware-related activities. Researchers noted that Matveev did not deploy the ransomware himself but acted as an intermediary, passing the stolen credentials on to other criminal groups.
Forescout reported that the vulnerability could not be matched to any known CVE, and it remains unclear whether the flaw has been patched. Analysts found that the exploit targeted a firmware component of the routers (mainfunction.cgi) in which numerous vulnerabilities have been found before. Because credentials had already been extracted and decrypted from the affected devices, a firmware update alone would not undo the exposure: any credentials stored on or reused from those routers should be treated as compromised and rotated. Among the victims was Greater Manchester Police.
Earlier, international law enforcement agencies conducted a coordinated operation to take down the RagnarLocker ransomware group's leak site. The operation involved Europol, the FBI, Germany's Federal Criminal Police Office (BKA), and several other agencies. RagnarLocker has been implicated in attacks against critical infrastructure, including a Portuguese airline and an Israeli hospital.