A sophisticated threat actor secretly exploited a suspected zero-day vulnerability in DrayTek Vigor routers for over a year, extracting credentials and distributing them to ransomware affiliates who breached at least 337 organizations worldwide. The campaign, disclosed on December 16, 2024, reveals how network infrastructure devices remain a critical blind spot in enterprise security, even as Bitcoin trades above $106,000 and the crypto ecosystem attracts unprecedented institutional capital.
The Exploit Mechanics
According to a joint investigation by Forescout and PRODAFT, the threat actor tracked as Monstrous Mantis — believed to be linked to the Ragnar Locker ransomware group — exploited a vulnerability in the mainfunction.cgi component of DrayTek Vigor router firmware. This component has a documented history of security flaws, making it a recurring target for sophisticated attackers.
The zero-day allowed attackers to extract administrator credential material from compromised routers. Once the passwords were cracked offline, these credentials were systematically distributed to ransomware affiliates who used them as initial access vectors into corporate networks. The vulnerability has not been linked to a known CVE, and it remains unclear whether DrayTek has issued a patch addressing the specific flaw exploited in this campaign.
The attack chain followed a methodical pattern: compromise the router, extract credentials, crack passwords offline, then hand off access to ransomware operators. This division of labor between access brokers and ransomware deployers has become a hallmark of the modern ransomware ecosystem, mirroring the specialization seen in DeFi exploit architectures.
Affected Systems
The scope of the campaign extends far beyond typical opportunistic attacks. Two primary affiliate groups received the stolen credentials:
The first partner, identified as Ruthless Mantis (PTI-288), is a former affiliate of the notorious REvil gang. This group used the router credentials to breach at least 337 organizations — a staggering number that underscores the scale of the operation.
The second partner was identified as LARVA-15, also known as Wazawaka — a Russian national named Mikhail Matveev, who was arrested in Russia in late November 2024 for ransomware-related activities. Investigators determined that Matveev acted as an intermediary, distributing credentials to other threat actors rather than deploying ransomware himself.
Ransomware families deployed through this campaign include RagnarLocker, Qilin, Nokoyawa, and RansomHouse — a diverse portfolio that indicates the access broker model has become commoditized across multiple ransomware-as-a-service programs.
One confirmed victim of this campaign was the Greater Manchester Police Department, which suffered a ransomware attack in September 2023, demonstrating that even government institutions with sensitive data were not spared.
The Mitigation Strategy
Organizations deploying DrayTek Vigor routers should take immediate action to reduce their exposure to this and similar threats:
First, apply all available firmware updates immediately. Even though the specific zero-day may not have a corresponding CVE, DrayTek has patched numerous vulnerabilities in the mainfunction.cgi component over the years, and running the latest firmware closes known attack vectors.
Second, change all router administrator credentials and enforce strong, unique passwords. The attack chain depended on credential extraction and offline cracking — using complex passwords significantly increases the time and computational cost of this step.
Third, disable remote management interfaces where possible, or restrict access to trusted IP ranges. Many of the compromised routers had their management interfaces exposed to the internet, which put the vulnerable component within direct reach of attackers.
Fourth, implement network monitoring to detect unusual traffic patterns originating from router infrastructure. Lateral movement from compromised routers into internal networks often generates detectable anomalies.
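As an added example, not code from the original article or from Forescout or PRODAFT: a small Python check that applies the trusted-IP rule above to a router's management-interface access log, flagging every request to mainfunction.cgi that did not come from an allowed range and ranking the sources by volume. The trusted ranges, the log format and the log lines are all constructed for this example; DrayTek's real log layout is not assumed to match.

```python
import ipaddress
import re
from collections import Counter

# Assumed trusted administrative ranges; constructed for this example.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]

# Constructed sample log in a generic combined-log shape: an assumed format
# for illustration, not DrayTek's actual log layout.
SAMPLE_LOG = """\
10.0.5.12 - [16/Dec/2024:09:12:01 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 200
203.0.113.44 - [16/Dec/2024:09:13:10 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 200
203.0.113.44 - [16/Dec/2024:09:13:11 +0000] "POST /cgi-bin/mainfunction.cgi HTTP/1.1" 200
192.168.1.7 - [16/Dec/2024:09:14:00 +0000] "GET /index.htm HTTP/1.1" 200
198.51.100.9 - [16/Dec/2024:09:15:30 +0000] "GET /cgi-bin/mainfunction.cgi HTTP/1.1" 401
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def is_trusted(ip_text):
    """True if the source address falls inside an allowed admin range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable source is never trusted
    return any(addr in net for net in TRUSTED_NETS)

def find_untrusted_admin_hits(log_text):
    """Return one record per mainfunction.cgi request from an untrusted source."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        # Only the component the campaign abused is of interest here.
        if "mainfunction.cgi" not in m.group("path") or is_trusted(m.group("ip")):
            continue
        hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                     "path": m.group("path"), "status": int(m.group("status"))})
    return hits

def hits_by_source(hits):
    """Count flagged requests per source address, most active first."""
    return Counter(h["ip"] for h in hits).most_common()
```

Every flagged request is reported regardless of response code, because an exploit against the component need not produce a rejected login; the status is kept only to help triage.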
Lessons Learned
This campaign highlights a fundamental truth about modern cybersecurity: network infrastructure devices are treated as appliances rather than the critical security assets they actually are. Routers, switches, and VPN gateways sit at the perimeter of every corporate network, yet they receive a fraction of the security attention devoted to servers and endpoints.
With the cryptocurrency market capitalization exceeding $2 trillion and Bitcoin trading at $106,029, the financial incentives for cybercrime have never been higher. The specialization demonstrated in this campaign — separate actors handling exploitation, credential distribution, and ransomware deployment — mirrors the efficiency gains seen in legitimate technology markets.
The fact that this campaign operated undetected for over a year should serve as a wake-up call. Organizations must inventory their network infrastructure, establish baseline configurations, and implement continuous monitoring. The gap between compromise and detection remains the most dangerous vulnerability in enterprise security.
User Action Required
If your organization uses DrayTek Vigor routers, take these steps today: update firmware, change all credentials, review access logs for suspicious activity, and consider implementing a network segmentation strategy that limits the damage potential of any single compromised device. In the current threat landscape, with Ethereum at $3,987 and crypto assets increasingly integrated into corporate treasuries, infrastructure security directly impacts financial security.
Disclaimer: This article is for informational purposes only and does not constitute financial or cybersecurity advice. Always consult with qualified security professionals for specific guidance tailored to your organization.
337 organizations breached through router firmware. this is why i tell people to stop ignoring infrastructure security while they obsess over smart contract audits
hard agree. everyone focuses on defi exploits but plain old network infrastructure is where the real damage happens
draytek vigor routers in SMEs everywhere because they're cheap. nobody patches them, nobody monitors them, and ransomware gangs know this
337 orgs breached and it started with router firmware nobody updated. infrastructure hygiene is the unsexy topic that actually matters most
monstrous mantis operated for over a year before detection. if that's not an argument for proactive monitoring I don't know what is
monstrous mantis distributing creds to ransomware affiliates is basically a supply chain attack on stolen access. industrialized intrusion
credential laundering through ransomware affiliates is the business model now. steal once, sell many times, distance yourself from the actual breach