Security News > 2022 > June > Microsoft: Exchange servers hacked to deploy BlackCat ransomware
Microsoft says BlackCat ransomware affiliates are now attacking Microsoft Exchange servers using exploits targeting unpatched vulnerabilities.
Two weeks after the initial compromise using an unpatched Exchange server as an entry vector, the threat actor deployed BlackCat ransomware payloads across the network via PsExec.
While Microsoft did not name the ransomware affiliate who deployed BlackCat ransomware in this case study, the company says several cybercrime groups are now affiliates of this Ransomware as a Service operation and are actively using it in attacks.
BlackCat ransomware is also being deployed by an affiliate group tracked as DEV-0504 that typically exfiltrates stolen data using Stealbit, a malicious tool the LockBit gang provides its affiliates as part of its RaaS program.
To defend against BlackCat ransomware attacks, Microsoft advises organizations to review their identity posture, monitor external access to their networks, and update all vulnerable Exchange servers in their environment as soon as possible.
In April, the FBI warned in a flash alert that the BlackCat ransomware had been used to encrypt the networks of at least 60 organizations worldwide between November 2021 and March 2022.
News URL
Related news
- Microsoft: Exchange 2016 reaches extended end of support in October (source)
- FBI disrupts the Dispossessor ransomware operation, seizes servers (source)
- FBI Shuts Down Dispossessor Ransomware Group's Servers Across U.S., U.K., and Germany (source)
- Windows Server August updates fix Microsoft 365 Defender issue (source)
- Microsoft: August updates cause Windows Server boot issues, freezes (source)
- Microsoft: Exchange Online mistakenly tags emails as malware (source)
- Linux version of new Cicada ransomware targets VMware ESXi servers (source)
- VMware ESXi Servers Targeted by New Ransomware Variant from Cicada3301 Group (source)
- Microsoft fixes Windows Server performance issues from August updates (source)
- Ransomware gangs now abuse Microsoft Azure tool for data theft (source)