top of page

Exploitation of vulnerabilities on the rise

Corvus Insurance, a specialist in Cyber Risk insurance, has observed a shift in tactics employed by threat actors aiming to compromise their victims with ransomware.

The analysis of claims data for 2023 indicated a notable increase in attacks that exploited vulnerabilities, marking a departure from the previous trend of relying on phishing emails. This shift in approach reflects evolving tactics among threat actors, as revealed through the insurer's examination of current threat landscape dynamics.

In terms of the frequency of claims, traditionally the firm state that the emphasis has previously been placed on social engineering, but that organisations shouldn’t overlook the significance of ransomware and other extortion attacks. These forms of cyber threats incur substantially higher costs, averaging 20 times more than the typical social engineering claim, and inflict greater impact on organisations.

According to data from Corvus, in 2022, spearphishing – the act of targeting specific individuals with tailored messages, often through email attachments containing malware - was the predominant method for ransomware used by threat actors to gain initial entry.

However, a notable shift occurred last year. If the observed trend persists, exploits targeting external vulnerabilities will likely emerge as the primary method of initial entry for ransomware attacks this year. In practical terms, this signifies attackers gaining access through vulnerabilities, including zero-day vulnerabilities - security flaws unknown to the software's vendors until exploited.

Zero-day vulnerabilities, marked by their urgency, constituted a significant portion of extortion attacks last year, comprising nearly a third of cases where data on the method of initial entry is available. This is a notable increase from the near-zero occurrences in the second half of 2022.

Noteworthy examples of exploited vulnerabilities in 2023 include the one discovered in MOVEit file transfer software in June and another found by Fortra in its GoAnywhere file transfer solution.

Key Indicators of Initial Access Methods:

  • Ransomware attacks, while much rarer than Social Engineering, cost 15x more on average

  • Spearphishing efforts were for a long period the most common method threat actors gained access to systems to deploy ransomware

  • Recently, exploits of external software vulnerabilities have spiked, now being the method of initial entry for 1 in 3 ransomware attacks (among those for which we were able to determine the method)

Given the success threat actors have experienced with zero-day vulnerabilities, particularly in file transfer software, ongoing vigilance should be maintained to anticipate and mitigate their continued techniques and tactics in finding and exploiting vulnerabilities in the future.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page