Automation and Vulnerability Exploitation Drive Mass Ransomware Breaches

July 3, 2025

Automated reconnaissance coupled with mass exploitation of vulnerabilities has helped ransomware-as-a-service (RaaS) groups to thrive in the past few quarters, ReliaQuest has warned.

The threat intelligence firm said such tactics have empowered groups such as Qilin and Akira in Q2 2025. The former exploited Fortinet vulnerabilities CVE-2024-55591 and CVE-2024-21762, while the latter focused on SonicWall bug CVE-2024-40766 and Cisco flaw CVE-2023-20269.

ReliaQuest also pointed to the use of mass vulnerability exploitation by Clop, which targeted zero-days in managed file transfer products from Cleo (CVE-2024-50623) and MOVEit (CVE-2023-34362).

Newcomer RansomHub, which boasts Scattered Spider actors among its affiliates, has also benefited from the combination of automation and vulnerability exploitation. Notably, it has chained exploits for CVE-2024-57726, CVE-2024-57727 and CVE-2024-57728 in the remote management software SimpleHelp, and targeted CVE-2023-27997 in Fortinet and CVE-2023-46604 in Apache OpenWire.


Often, the targets for these attacks are unknown, unmanaged or poorly understood assets, ReliaQuest claimed.

“These hidden assets are often difficult – or even impossible – to patch quickly, leaving them exposed to critical vulnerabilities long enough for proof-of-concept (POC) exploits to be released. For instance, over a month after CVE-2024-21762 – the vulnerability that propelled Qilin to top ransomware spot this quarter – was patched, security researchers found more than 150,000 Fortinet FortiOS and FortiProxy devices still vulnerable,” it explained.

“Unpatched CVEs also give RaaS groups the opportunity to develop automated tools for exploitation, enabling faster attacks and significantly reducing the time defenders have to respond.”

Such tactics have enabled groups like Qilin and DragonForce to prosper in Q2 2025. They recorded a quarter-on-quarter increase in victims of 80% and 115% respectively, while more established names like Clop declined.
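The defender-side counterpart to the exposure window ReliaQuest describes is a patch-exposure report: join an asset inventory against vendor advisories, count the days each asset has run a vulnerable version since a fix existed, and rank the result by whether exploitation is already known and whether anyone owns the asset. The following Python script is an added example, not ReliaQuest or NCSC tooling; the hostnames, version strings and dates are constructed, and the CVE identifiers are the ones the article names but the fixed-version and timeline fields attached to them are placeholders, not the real advisory data.

```python
"""Patch-exposure report (added example; all asset, version and date values
are constructed placeholders, not real advisory or inventory data)."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    fixed_version: str            # PLACEHOLDER: first non-vulnerable version
    patch_available: date         # PLACEHOLDER: date the vendor fix shipped
    exploited_in_wild: Optional[date]  # PLACEHOLDER: first known exploitation


@dataclass(frozen=True)
class Asset:
    hostname: str
    product: str
    version: str                  # version currently running, per inventory
    managed: bool                 # False = found by external scan, no owner


def version_tuple(v: str):
    """'7.4.2' -> (7, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def exposure_days(asset: Asset, adv: Advisory, today: date) -> Optional[int]:
    """Days the asset has run a vulnerable version since the fix shipped.
    None if the advisory is for another product or the asset is already fixed."""
    if asset.product != adv.product:
        return None
    if version_tuple(asset.version) >= version_tuple(adv.fixed_version):
        return None
    return max(0, (today - adv.patch_available).days)


def exploit_lead_days(adv: Advisory) -> Optional[int]:
    """Days defenders had between fix availability and first in-the-wild
    exploitation; None if exploitation has not been observed."""
    if adv.exploited_in_wild is None:
        return None
    return (adv.exploited_in_wild - adv.patch_available).days


def exposure_report(assets: List[Asset], advisories: List[Advisory], today: date):
    """One row per (asset, advisory) pair still exposed, ranked for triage:
    known-exploited first, then unmanaged assets (nobody will patch them
    on their own), then longest exposure."""
    rows = []
    for asset in assets:
        for adv in advisories:
            days = exposure_days(asset, adv, today)
            if days is None:
                continue
            exploited = adv.exploited_in_wild is not None and adv.exploited_in_wild <= today
            rows.append({
                "host": asset.hostname,
                "cve": adv.cve,
                "days_exposed": days,
                "exploited": exploited,
                "unmanaged": not asset.managed,
            })
    rows.sort(key=lambda r: (not r["exploited"], not r["unmanaged"], -r["days_exposed"]))
    return rows


# Constructed sample data. CVE ids are those named in the article; every
# version and date here is a placeholder, not the real advisory timeline.
TODAY = date(2025, 7, 3)
ADVISORIES = [
    Advisory("CVE-2024-21762", "FortiOS", "7.4.3", date(2025, 3, 1), date(2025, 3, 20)),
    Advisory("CVE-2024-40766", "SonicOS", "7.0.1", date(2025, 2, 10), date(2025, 2, 14)),
    Advisory("CVE-2023-46604", "ActiveMQ", "5.16.0", date(2025, 4, 1), None),
]
ASSETS = [
    Asset("vpn-edge-01", "FortiOS", "7.4.2", managed=True),
    Asset("legacy-fw-dmz", "FortiOS", "7.2.6", managed=False),   # unknown until scanned
    Asset("sslvpn-branch", "SonicOS", "7.0.0", managed=True),
    Asset("mq-build", "ActiveMQ", "5.15.2", managed=False),
    Asset("vpn-edge-02", "FortiOS", "7.4.3", managed=True),     # already on fixed version
]

if __name__ == "__main__":
    for adv in ADVISORIES:
        print(f"{adv.cve}: fix-to-exploit window = {exploit_lead_days(adv)} days")
    for row in exposure_report(ASSETS, ADVISORIES, TODAY):
        flag = "EXPLOITED " if row["exploited"] else "          "
        owner = "UNMANAGED" if row["unmanaged"] else "managed  "
        print(f"{flag}{owner} {row['host']:<14} {row['cve']} {row['days_exposed']:>4}d")
```

The ranking key is the point: an unmanaged device on a version with a known in-the-wild exploit outranks a managed device with a longer exposure, because the first one has no patch process behind it at all. In practice the advisory list would be fed from vendor PSIRT feeds and a known-exploited list rather than typed in, and the inventory from both the CMDB and external attack-surface scans, since the article's "hidden assets" are by definition the ones the CMDB does not have.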

AI Could Supercharge Ransomware

The concern for network defenders will be how threat actors adopt AI to further supercharge their vulnerability research and exploitation efforts.

The National Cyber Security Centre (NCSC) warned that AI will make certain elements of cyber intrusion “more effective and efficient,” driving an “increase in frequency and intensity of cyber threats.”

Critical infrastructure supply chains and operational technology assets are particularly exposed in this regard, it claimed.

“System owners already face a race in identifying and mitigating disclosed vulnerabilities before threat actors can exploit them,” the NCSC said.

“The time between disclosure and exploitation has shrunk to days and AI will almost certainly reduce this further.”

However, vulnerability exploitation isn’t the only initial access method favored by ransomware actors.

KnowBe4 said it observed a 58% increase in ransomware payloads delivered through phishing attacks between November 1 2024 and February 15 2025, versus the preceding three months.
