Concern as Ransomware and Exchange Server Attacks Surge

There are growing concerns that more unpatched Microsoft Exchange servers could be compromised in ransomware attacks after Check Point revealed major recent surges in ProxyLogon attacks and ransomware.



The security vendor claimed in new figures released today that it has detected a 57% increase in ransomware attacks over the past six months, with the number of affected organizations growing by 9% each month so far in 2021.





Human-operated variants such as Maze and Ryuk have been particularly prevalent over the period, with the US (12%), Israel (8%) and India (7%) the most affected countries.
Amazingly, WannaCry is trending again, four years after it caused global panic. Still using EternalBlue to propagate, the worm affected 53% more organizations in March than at the start of the year.



Alongside the continued surge in ransomware, Check Point has seen the number of attacks exploiting the ProxyLogon vulnerability in Exchange servers triple over the past week alone.





The most affected sectors are government/military, manufacturing and banking/finance, with nearly half (49%) of all exploit attempts in the US, followed by the UK (5%), the Netherlands (4%) and Germany (4%).





Microsoft was the first to warn users that vulnerable Exchange endpoints could be hijacked by attackers to deploy ransomware. The DearCry variant was spotted doing so in the wild.





A few days later Sophos detected Black Kingdom ransomware being deployed in a similar way.





“The threat actor exploited the on-premises versions of Microsoft Exchange Server, abusing the remote code execution (RCE) vulnerability also known as ProxyLogon (CVE-2021-27065),”