More Ransomware Gangs Targeting Vulnerable Exchange Servers

The Black Kingdom/Pydomer ransomware operators have joined the ranks of threat actors targeting the Exchange Server vulnerabilities that Microsoft disclosed in early March.

The zero-day bugs, four in total, had been targeted in live attacks well before patches were released for them on March 2, with exponentially more adversaries picking them up over the past three weeks, despite the availability of additional mitigations.

The number of unpatched Exchange installations has dropped significantly, going from roughly 80,000 on March 14 to fewer than 30,000 on March 22.

“As of today, we have seen a significant decrease in the number of still-vulnerable servers – more than 92% of known worldwide Exchange IPs are now patched or mitigated. We continue to work with our customers and partners to mitigate the vulnerabilities,” Microsoft noted in a March 25 blog post.

The number of attacks targeting the still-vulnerable servers, however, hasn’t diminished. In fact, the tech company reveals that additional ransomware families and botnets are now attempting to compromise the vulnerable servers.

DoejoCrypt, also known as DearCry, was the first ransomware family to target the Exchange vulnerabilities, more than two weeks ago. The Black Kingdom/Pydomer ransomware has since joined the fray, Microsoft says.

Known to be targeting publicly disclosed vulnerabilities, including Pulse Secure VPN flaws, Pydomer operators were observed mass scanning for and attempting to compromise unpatched Exchange servers.

“They started later than some other attackers, with many compromises occurring between March 18 and March 20, a window when fewer unpatched systems were available,” the tech giant reveals.

The webshell dropped by the gang was observed on approximately 1,500 servers, but ransomware wasn’t deployed on all of them. However, it’s likely that the adversaries would attempt to monetize the obtained unauthorized access in a different manner, Microsoft says.

On systems where the ransomware was deployed, however, a “non-encryption extortion strategy” was adopted, with the attackers only dropping a ransom note to inform victims on their demands.

“The note should be taken seriously if encountered, as the attackers had full access to systems and were likely able to exfiltrate data,” the tech company points out.

Within the past few weeks, another adversary to have joined the Exchange party was the gang behind the Lemon Duck cryptocurrency botnet, which employed “a fileless/web shell-less option of direct PowerShell commands from w3wp (the IIS worker process) for some attacks,” but relied on various exploit styles in others.

“While still maintaining their normal email-based campaigns, the Lemon Duck operators compromised numerous Exchange servers and moved in the direction of being more of a malware loader than a simple miner,” Microsoft explains.

The company also underlines that attacks targeting Exchange servers may continue to impact organizations even after patches have been applied, through the use of stolen credentials, or persistent access.

“Attackers exploit the on-premises Exchange Server vulnerabilities in combination to bypass authentication and gain the ability to write files and run malicious code. The best and most complete remediation for these vulnerabilities is to update to a supported Cumulative Update and to install all security updates,” Microsoft concludes.

Related: Microsoft Defender Antivirus Now Protects Users Against Ongoing Exchange Attacks

Related: Microsoft Shares Additional Mitigations for Exchange Server Vulnerabilities Under Attack