Inside the Ransomware Campaigns Targeting Exchange Servers

Security experts discuss the ransomware campaigns taking aim at Microsoft Exchange Server vulnerabilities patched last month.

As organizations around the world scrambled to apply the patches Microsoft released last month for critical Exchange Server flaws, criminals upped the ante with multiple ransomware campaigns targeting servers that were still vulnerable.


News of ransomware activity first emerged on March 12, only 10 days after Microsoft released the patches, at a point when researchers were already seeing an uptick in attacks following the disclosure of the Exchange Server zero-days. In the week ending March 30, the number of attacks involving the Exchange Server flaws had tripled to more than 50,000 worldwide.


Check Point Research reports that the industries most targeted in these attacks include government and military, manufacturing, and banking and finance. The most affected country is the United States, which accounts for 49% of all exploit attempts, followed by the United Kingdom (5%), the Netherlands (4%), and Germany.


The first ransomware variant to appear was DearCry/DoejoCrypt, which copies and encrypts each file, then overwrites and deletes the original so the cleartext cannot simply be undeleted, a tactic seen earlier in WannaCry ransomware.


DoejoCrypt attacks begin with a variant of the China Chopper Web shell being deployed to an Exchange Server post-exploitation, Microsoft explains in a writeup. The Web shell writes a batch file to C:\Windows\Temp\xx.bat. On every system hit with this ransomware, that batch file backs up the Security Account Manager (SAM) database and the SYSTEM and SECURITY registry hives, which together give the attackers later access to the password hashes of local users on the system.
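The batch-file and hive-backup behavior described above is a hunting opportunity. The following Python is an added example, not code from the article or from Microsoft's writeup. It runs a simple detection over constructed process-creation records in a simplified key=value rendering (the field names, host names, and every path other than C:\Windows\Temp\xx.bat and the three hives are assumptions): it flags any `reg save` of the SAM, SYSTEM or SECURITY hive, flags a batch file under C:\Windows\Temp launched by the IIS worker process w3wp.exe (assumed here to be the parent of any Exchange Web shell), and then reports hosts where all three hives were saved, since SAM hashes cannot be decrypted without the boot key held in SYSTEM.

```python
"""Hunt for the DoejoCrypt post-exploitation pattern: a Web shell (under the
IIS worker w3wp.exe) drops a batch file in C:\\Windows\\Temp, and that batch
file saves the SAM, SYSTEM and SECURITY hives with reg.exe.

Log format below is a constructed, simplified key=value rendering of
process-creation events (think Sysmon Event ID 1); adapt parse_line() to
your real telemetry.  Added example, not the article's or Microsoft's code.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# "reg save HKLM\SAM ...", "reg.exe save hklm\system ..." and similar.
HIVE_RE = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(sam|system|security)\b",
    re.IGNORECASE,
)
# A batch file under C:\Windows\Temp (xx.bat on the page; any name here).
TEMP_BAT_RE = re.compile(r"c:\\windows\\temp\\[^\s\"]+\.bat\b", re.IGNORECASE)
# key=value or key="quoted value" tokens of the constructed log format.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


@dataclass
class ProcEvent:
    host: str
    parent: str    # parent process image path
    image: str     # created process image path
    cmdline: str


def parse_line(line: str) -> Optional[ProcEvent]:
    """Parse one constructed record; return None if required fields are missing."""
    fields = {k: (q if q != "" else u) for k, q, u in KV_RE.findall(line)}
    try:
        return ProcEvent(fields["host"], fields["parent"], fields["image"], fields["cmdline"])
    except KeyError:
        return None


def classify(ev: ProcEvent) -> List[str]:
    """Return the finding labels that apply to a single process-creation event."""
    findings: List[str] = []
    m = HIVE_RE.search(ev.cmdline)
    if m:
        findings.append("hive_save:" + m.group(1).upper())
    # Assumption: the Exchange Web shell runs inside w3wp.exe, so a batch file in
    # C:\Windows\Temp spawned by w3wp.exe is the drop described in the writeup.
    if ev.parent.lower().endswith("\\w3wp.exe") and TEMP_BAT_RE.search(ev.cmdline):
        findings.append("webshell_temp_batch")
    return findings


def hunt(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run classify() over every parsable line; yields (host, finding, cmdline)."""
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for finding in classify(ev):
            alerts.append((ev.host, finding, ev.cmdline))
    return alerts


def hosts_with_credential_dump(alerts: List[Tuple[str, str, str]]) -> List[str]:
    """Hosts where SAM, SYSTEM and SECURITY were all saved.  SAM alone is not
    enough for an attacker (the boot key in SYSTEM is needed to decrypt the
    hashes) and SECURITY adds LSA secrets, so the full trio is the strong signal."""
    hives: Dict[str, Set[str]] = {}
    for host, finding, _ in alerts:
        if finding.startswith("hive_save:"):
            hives.setdefault(host, set()).add(finding.split(":", 1)[1])
    return sorted(h for h, s in hives.items() if s >= {"SAM", "SYSTEM", "SECURITY"})


# Constructed sample records: EXCH01 shows the full DoejoCrypt sequence,
# WS07 shows a lone SAM save and a benign SOFTWARE hive export.
SAMPLE_LOG = [
    r'host=EXCH01 parent=C:\Windows\System32\services.exe image=C:\Windows\System32\svchost.exe cmdline="svchost.exe -k netsvcs"',
    r'host=EXCH01 parent=C:\Windows\System32\inetsrv\w3wp.exe image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c C:\Windows\Temp\xx.bat"',
    r'host=EXCH01 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\reg.exe cmdline="reg save HKLM\SAM C:\Windows\Temp\sam.save"',
    r'host=EXCH01 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\reg.exe cmdline="reg save HKLM\SYSTEM C:\Windows\Temp\system.save"',
    r'host=EXCH01 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\reg.exe cmdline="reg save HKLM\SECURITY C:\Windows\Temp\security.save"',
    r'host=WS07 parent=C:\Windows\System32\cmd.exe image=C:\Windows\System32\reg.exe cmdline="reg.exe save hklm\sam C:\Temp\sam.bak"',
    r'host=WS07 parent=C:\Windows\explorer.exe image=C:\Windows\System32\reg.exe cmdline="reg save HKLM\SOFTWARE C:\Temp\sw.bak"',
]

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for host, finding, cmdline in found:
        print(f"{host:7} {finding:22} {cmdline}")
    print("full hive set dumped on:", hosts_with_credential_dump(found))
```

On the sample records this reports five findings and names EXCH01 as the only host with the complete SAM/SYSTEM/SECURITY set; WS07's lone SAM save still surfaces as an individual finding for triage. A lone `reg save` is legitimate often enough (backup jobs, administrators) that the w3wp.exe parent and the Temp-directory batch file are what lift this from noise to an Exchange compromise.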


Microsoft points out that because of the configurations that ad ..
