4/2/2021 04:50 PM
Inside the Ransomware Campaigns Targeting Exchange Servers

Security experts discuss the ransomware campaigns taking aim at Microsoft Exchange Server vulnerabilities patched last month.

As organizations around the world scrambled to apply last month's patches for critical Microsoft Exchange Server flaws, criminals upped the ante with multiple ransomware campaigns targeting vulnerable servers.

News of ransomware activity first emerged on March 12, only 10 days after Microsoft released the patches, and it arrived as researchers noticed an uptick in ransomware attacks following the disclosure of the Exchange Server zero-days. In the week ending March 30, the number of attacks involving the Exchange Server flaws had tripled to more than 50,000 around the world. 

Check Point Research reports the industries most targeted in these attacks include government and military, manufacturing, and banking and finance. The most affected country is the United States, which accounts for 49% of all exploit attempts, followed by the United Kingdom (5%), the Netherlands (4%), and Germany.

The first ransomware variant to appear was DearCry/DoejoCrypt, which copies and encrypts files, then overwrites and deletes the originals, a tactic seen earlier in the WannaCry ransomware.

DoejoCrypt attacks begin with a variant of the China Chopper Web shell being deployed to an Exchange Server post-exploitation, Microsoft explains in a writeup. The Web shell writes a batch file to C:\Windows\Temp\xx.bat; on all systems hit with this ransomware, this batch file backs up the Security Account Manager (SAM) database and the System and Security registry hives, which can later give attackers access to the passwords of local users on the system.

Microsoft points out that because of the configurations that admins normally use on Exchange Servers, many infected systems likely have at least one service or scheduled task configured with a highly privileged account to perform tasks such as backups.

"As service account credentials are not frequently changed, this could provide a great advantage to an attacker even if they lose their initial Web shell access due to an antivirus detection," the Microsoft 365 Defender Threat Intelligence Team explains in their blog post.
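The hive backup described above is a detectable step: a defender can flag process-creation telemetry in which a batch file under C:\Windows\Temp is launched from the IIS worker process and the SAM, SYSTEM and SECURITY hives are saved. This is an added example, not code from the article or from Microsoft; it assumes the backup uses reg.exe (the article names only the hives) and that the Web shell runs under w3wp.exe, and it runs over constructed sample events rather than real telemetry.

```python
import re

# Constructed sample process-creation events (not real telemetry). The batch
# path is the one the article names; the reg.exe commands are an assumption.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": r'cmd.exe /c "C:\Windows\Temp\xx.bat"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg.exe save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg.exe save HKLM\SYSTEM C:\Windows\Temp\system.hiv"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"reg.exe save HKLM\SECURITY C:\Windows\Temp\security.hiv"},
    {"parent": r"C:\Windows\System32\services.exe",
     "cmdline": r"svchost.exe -k netsvcs"},
]

# reg.exe saving/exporting one of the three hives needed to recover local passwords
HIVE_SAVE = re.compile(
    r"\breg(?:\.exe)?\s+(?:save|export)\s+HKLM\\(SAM|SYSTEM|SECURITY)\b", re.IGNORECASE)
# any .bat launched from C:\Windows\Temp (the Web shell's drop location in the article)
TEMP_BATCH = re.compile(r"C:\\Windows\\Temp\\[^\s\"]+\.bat", re.IGNORECASE)
WEB_WORKER = "w3wp.exe"  # assumed IIS worker process hosting the Web shell


def find_alerts(events):
    """Return (rule_name, cmdline) pairs for every suspicious event."""
    alerts = []
    for e in events:
        cmd = e["cmdline"]
        if e["parent"].lower().endswith(WEB_WORKER) and TEMP_BATCH.search(cmd):
            alerts.append(("batch_from_web_worker", cmd))
        m = HIVE_SAVE.search(cmd)
        if m:
            alerts.append(("credential_hive_save:" + m.group(1).upper(), cmd))
    return alerts


def dumped_hives(events):
    """Sorted list of credential hives saved; all three means full offline cracking material."""
    hives = set()
    for e in events:
        m = HIVE_SAVE.search(e["cmdline"])
        if m:
            hives.add(m.group(1).upper())
    return sorted(hives)


if __name__ == "__main__":
    for rule, cmd in find_alerts(SAMPLE_EVENTS):
        print(f"[{rule}] {cmd}")
    print("hives saved:", dumped_hives(SAMPLE_EVENTS))
```

Seeing all three hives saved together, shortly after a batch file spawned from the Web worker, is the signal worth paging on; a single hive export by a backup agent is common and should be correlated with the parent process before alerting.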

The encryption header that DoejoCrypt adds to infected files is similar to the header used in the WannaCry attacks, writes Sophos director of engineering Mark Loman in a blog post, noting this "seems more than a coincidence." Analysis of DoejoCrypt samples revealed the binaries had no defense against antivirus signatures and all ransomware text strings were left "in plain sight." 

As of Microsoft's March 25 post, the DoejoCrypt payload is "the most visible outcome" of the attackers' actions; however, their access to credentials could help them in future campaigns.

"I expect anybody who hasn't patched or mitigated the Web shells that were placed over the past month to be in a pretty rough spot," says Juan Guerrero-Saade, principal threat researcher at SentinelOne. "This has become available to anybody now," he says of the exploits.

Black KingDom: A Second Campaign Emerges
On Thursday, March 18, Sophos telemetry revealed another ransomware gang targeting vulnerable Exchange servers.

"Typically these campaigns start before the weekend because the majority of IT [teams] are understaffed on the weekend or typically don't monitor their network," Loman says in an interview with Dark Reading. The likelihood of this is even greater for organizations that haven't prioritized patching their vulnerable on-premises Exchange Server, he adds. 

Loman calls the Black KingDom ransomware "a bit of an oddball" and points out it has virtually nothing in common with DoejoCrypt, aside from the fact it targets the same vulnerability. 

Black KingDom is "rudimentary and amateurish," he writes in a blog post, and was likely created by a "motivated script kiddie," judging by the way it's constructed. The ransomware was written in Python and compiled in a way that left its original source code embedded within the ransomware binary, which let researchers reverse-engineer the binary and recover that source code.

Its amateur nature is evident in Black KingDom's approach to file encryption, which Loman calls the most interesting aspect of this ransomware. Normally, ransomware appends one distinctive file extension to every file it encrypts, which lets it recognize those files and ensures they won't be encrypted twice, he explains. Black KingDom instead chooses a random file extension for every file it encrypts.

"That is really odd," Loman notes. The ransomware also does not check if a file has already been encrypted, a step that other common forms of ransomware usually take. 

"What we call 'big game' ransomware actors, like Ryuk or REvil or Clop, they all have these types of checks in their code so they don't encrypt the system twice," he explains. Black KingDom's closest approach to this kind of "check" is a specific ransom note dropped on a victim's machine. But if a victim removes the note, the machine can be encrypted again — making decryption much more difficult, even if the ransom is paid. 

Further, he adds, Black KingDom's ransom demand was $10,000, a small amount compared with some of today's high ransom demands.

Loman admits he was surprised a comparatively amateurish group was able to pull this off given that Hafnium, the first group linked to any attacks targeting these vulnerabilities, is an advanced group linked to the Chinese government. He speculates Black KingDom may be related to a ransomware of the same name seen last year targeting machines running a vulnerable version of the Pulse Secure VPN concentrator software.

"There are several ways to get your ransomware delivered in businesses, but this group was specifically focusing on abusing a vulnerability on Internet-facing devices," he says. In this way, the group takes advantage of the low patching frequency of businesses running on-premises Exchange servers.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
Comments
ViralT201, User Rank: Author, 4/16/2021 | 8:19:02 AM
Ransomware
Simply being security-conscious is no longer enough, nor is having a prevention-only strategy. Companies must become cyber-resilient—capable of surviving attacks, maintaining operations