More Ransomware Gangs Targeting Vulnerable Exchange Servers

The Black Kingdom/Pydomer ransomware operators have joined the ranks of threat actors targeting the Exchange Server vulnerabilities that Microsoft disclosed in early March.

The zero-day bugs, four in total, had been targeted in live attacks well before patches were released for them on March 2, with exponentially more adversaries picking them up over the past three weeks, despite the availability of additional mitigations.

The number of unpatched Exchange installations has dropped significantly, going from roughly 80,000 on March 14 to fewer than 30,000 on March 22.

“As of today, we have seen a significant decrease in the number of still-vulnerable servers – more than 92% of known worldwide Exchange IPs are now patched or mitigated. We continue to work with our customers and partners to mitigate the vulnerabilities,” Microsoft noted in a March 25 blog post.

The number of attacks targeting the still-vulnerable servers, however, hasn’t diminished. In fact, the tech company reveals that additional ransomware families and botnets are now attempting to compromise the vulnerable servers.

DoejoCrypt, also known as DearCry, was the first ransomware family to target the Exchange vulnerabilities, more than two weeks ago. The Black Kingdom/Pydomer ransomware has since joined the fray, Microsoft says.

Known to be targeting publicly disclosed vulnerabilities, including Pulse Secure VPN flaws, Pydomer operators were observed mass scanning for and attempting to compromise unpatched Exchange servers.

“They started later than some other attackers, with many compromises occurring between March 18 and March 20, a window when fewer unpatched systems were available,” the tech giant reveals.

The web shell dropped by the gang was observed on approximately 1,500 servers, but ransomware was not deployed on all of them. Even where it was not, the adversaries are likely to try to monetize the unauthorized access in other ways, Microsoft says.

On systems where the ransomware was deployed, a “non-encryption extortion strategy” was adopted: the attackers only dropped a ransom note informing victims of their demands, without encrypting files.

“The note should be taken seriously if encountered, as the attackers had full access to systems and were likely able to exfiltrate data,” the tech company points out.

Another adversary to join the Exchange attacks in recent weeks is the group behind the Lemon Duck cryptocurrency botnet, which employed “a fileless/web shell-less option of direct PowerShell commands from w3wp (the IIS worker process) for some attacks,” but relied on various other exploit styles elsewhere.

“While still maintaining their normal email-based campaigns, the Lemon Duck operators compromised numerous Exchange servers and moved in the direction of being more of a malware loader than a simple miner,” Microsoft explains.
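The w3wp-to-PowerShell pattern quoted above is visible in process-creation telemetry: the IIS worker process normally has no reason to spawn a script host, so that parent/child pairing is worth alerting on. The following is an added example, not code from the article or from Microsoft; it assumes Sysmon-style key=value records and uses constructed sample lines.

```python
import re

# Parent/child pairing the article highlights: the IIS worker process w3wp.exe
# launching a script host directly, with no web shell written to disk.
IIS_WORKER = "w3wp.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Constructed sample process-creation records in a Sysmon-like key=value
# layout; illustrative only, not real telemetry from any incident.
SAMPLE_LOG = r'''
ts=2021-03-19T10:01:02Z host=EXCH01 parent=C:\Windows\System32\inetsrv\w3wp.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -nop -w hidden -c <redacted>"
ts=2021-03-19T10:01:05Z host=EXCH01 parent=C:\Windows\System32\inetsrv\w3wp.exe image="C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Diagnostics.Service.exe" cmdline="<service start>"
ts=2021-03-19T10:02:30Z host=EXCH01 parent=C:\Windows\explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell Get-Date"
ts=2021-03-19T10:03:11Z host=EXCH01 parent=C:\Windows\System32\inetsrv\w3wp.exe image=C:\Windows\System32\cmd.exe cmdline="cmd /c whoami"
'''

# key=value pairs; a quoted value may contain spaces (e.g. paths under Program Files)
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> dict:
    """Split one key=value record into a dict (quoted or bare values)."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_w3wp_script_spawn(event: dict) -> bool:
    """True when w3wp.exe is the direct parent of a script host."""
    return (basename(event.get("parent", "")) == IIS_WORKER
            and basename(event.get("image", "")) in SCRIPT_HOSTS)


def find_w3wp_spawns(log_text: str) -> list:
    """Return every parsed event matching the w3wp -> script host pattern."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if is_w3wp_script_spawn(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for ev in find_w3wp_spawns(SAMPLE_LOG):
        print(f"{ev['ts']} {ev['host']}: {basename(ev['image'])} under w3wp: {ev['cmdline']}")
```

The legitimate Exchange service started by w3wp in the sample is not flagged, while both the PowerShell and cmd.exe children are.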

The company also underlines that attacks targeting Exchange servers may continue to affect organizations even after patches have been applied, through stolen credentials or persistent access established before patching.

“Attackers exploit the on-premises Exchange Server vulnerabilities in combination to bypass authentication and gain the ability to write files and run malicious code. The best and most complete remediation for these vulnerabilities is to update to a supported Cumulative Update and to install all security updates,” Microsoft concludes.

Related: Microsoft Defender Antivirus Now Protects Users Against Ongoing Exchange Attacks

Related: Microsoft Shares Additional Mitigations for Exchange Server Vulnerabilities Under Attack

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
