‘The race is on’: CISA raises alarm bells about ransomware attacks against Microsoft Exchange servers

Brandon Wales, acting executive director of the Cybersecurity and Infrastructure Security Agency, issued both a warning and a hopeful message Monday to organizations struggling with the scourge of ransomware.

The warning: “the race is on” between government, industry and an increasingly professionalized criminal underground to identify digital weaknesses that can be leveraged in ransomware campaigns, like the vulnerabilities identified in Microsoft Exchange servers. As long as the operating business model used by these groups continues to reap sky-high profits, he said, the rising volume and trajectory of attacks is unlikely to abate and there is no tool or policy sitting in the back pockets of law enforcement or industry waiting to be unleashed.

“We have not cracked the code. The ransomware problem continues to grow and we need more and new innovative thinking on this,” Wales admitted.

The hopeful message: the strategy of indiscriminate targeting used by many ransomware groups today can actually work in a defender’s favor. Because these groups fundamentally don’t care who they infect, they are unlikely to spend very much time trying to break into any one particular network. Therefore, by paying more attention to cybersecurity fundamentals, many organizations can take themselves out of the “low-hanging fruit” category.

“If you do the basics, it is highly likely that the ransomware operator will move on to someone else, they’re not going to waste their time trying to get into a hardened system,” said Wales. “They’re looking for the weakest link…for those really vulnerable entities, so if you’re keeping up with patching, if you’ve closed your forward-facing vulnerabilities, if you’ve got good anti-phishing measures in place for your email, there’s a good chance that these ransomware operators will move on.”

The agency is particularly concerned that recently disclosed vulnerabilities in Microsoft Exchange servers will become a locus of ransomware activity. Researchers already detected at least two groups leveraging the vulnerabilities to infect victims with ransomware – BlackKingdom and another unknown group deploying a new malware strain called DearCry – and Wales said the Exchange flaws are highly scriptable and allow for the kind of automated exploitation that could allow ransomware actors to wreak further havoc.

As of March 17, Palo Alto Networks reported that its Expanse platform has identified at least 49,000 vulnerable Exchange servers that remain unpatched and exposed to the internet, including 12,000 in the U.S., 4,800 in Germany, 2,600 in Italy, 2,600 in France and 2,500 in the U.K. While that represents a marked improvement from the 125,000 unpatched servers detected the week prior, Palo Alto said the figures are likely a conservative estimate of the true number of vulnerable servers in use today.

“We want organizations to investigate whether they have actual signs of compromise,” Wales said, regarding the Exchange flaws. He stressed that a patched server does not mean an organization is in the clear.

“Patching is not sufficient because once an adversary gains access to the network, even if you patch, those actors can still maintain access to your network,” said Wales. “And unfortunately, we know from private sector companies that are conducting scans…that there are literally thousands of compromised servers that are currently patched and these systems owners may believe that they are protected, but in fact they are not.”
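The distinction Wales draws, that a patch closes the door but does not evict anyone who already walked through it, translates into a simple triage rule: a server’s patch date only clears it if the patch landed before the flaw was being exploited against exposed hosts. The following example is added here to illustrate that rule; it is not code from CISA, Palo Alto Networks or the article. The exploitation start date, the server inventory and the status labels are constructed placeholders, not facts from the page.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Constructed placeholder (assumption, not from the article): the date from which
# the Exchange flaws are assumed to have been exploited against exposed servers.
# Replace with the date from your own threat intelligence.
EXPLOITATION_START = date(2021, 1, 1)


@dataclass
class ExchangeServer:
    name: str
    internet_exposed: bool
    patched_on: Optional[date]  # None means the server is still unpatched


def triage(server: ExchangeServer,
           exploitation_start: date = EXPLOITATION_START) -> str:
    """Classify a server by what its patch record can and cannot prove.

    Returns one of four constructed status labels:
      'patch_and_hunt' : exposed and unpatched; patch now, then hunt for compromise
      'hunt'           : exposed, patched only after exploitation began; the patch
                         does not rule out an earlier intrusion, so hunt before
                         trusting the host
      'no_window'      : exposed but patched before exploitation began; no window
                         in which the flaw could have been used against it
      'internal_verify': never internet-exposed; lower priority, still verify
    """
    if not server.internet_exposed:
        return "internal_verify"
    if server.patched_on is None:
        return "patch_and_hunt"
    if server.patched_on < exploitation_start:
        return "no_window"
    # Patched, but it sat exposed during the exploitation window: the point
    # Wales makes is that this host may already be compromised.
    return "hunt"


def summarize(inventory: List[ExchangeServer],
              exploitation_start: date = EXPLOITATION_START) -> Dict[str, int]:
    """Count servers per triage status so 'patched' and 'safe' are not conflated."""
    counts: Dict[str, int] = {}
    for server in inventory:
        status = triage(server, exploitation_start)
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample inventory (assumption, not data from the article).
SAMPLE_INVENTORY = [
    ExchangeServer("exch-01", internet_exposed=True, patched_on=date(2021, 3, 4)),
    ExchangeServer("exch-02", internet_exposed=True, patched_on=None),
    ExchangeServer("exch-03", internet_exposed=False, patched_on=date(2021, 3, 5)),
    ExchangeServer("exch-04", internet_exposed=True, patched_on=date(2020, 12, 15)),
]


if __name__ == "__main__":
    for s in SAMPLE_INVENTORY:
        print(f"{s.name}: {triage(s)}")
    print(summarize(SAMPLE_INVENTORY))
```

The only status that a patch record alone can justify is `no_window`; every exposed host patched after exploitation began lands in `hunt`, which is the population Wales describes as “currently patched” yet possibly still compromised.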

The messaging around ransomware from CISA and other agencies comes during a period when the criminal ransomware ecosystem has continued to thrive and expand, with the average ransom demand and payment nearly tripling and dozens of new groups and malware strains rushing onto the scene over the past year.

Law enforcement and private companies have coordinated in recent months to take down command and control infrastructure related to the Netwalker gang, as well as the Trickbot and Emotet botnets that often provide initial access for ransomware actors, but it’s far from clear at this point whether those actions have had any meaningful impact on the volume of ransomware attacks launched daily.

Wales’ advice that organizations combat the problem by focusing on the basics has been echoed by other cybersecurity experts who note that while the impact from ransomware groups is daunting, the underlying malware and attack vectors they use tend not to be particularly complex or sophisticated.

“One of the problems with ransomware is that, for as big of an issue as it is and is continuing to become, the [code] itself doesn’t tend to be particularly interesting from a technical perspective,” said Jen Miller-Osborn, deputy director of Palo Alto Networks’ Unit 42 research team. “It’s just: get into environments and encrypt essentially, so when you look at it from a research component, it really isn’t…necessarily super hard to defend against.”

For now, CISA is doubling down on its educational role, coordinating with the FBI, NSA and other federal agencies to push out joint alerts about the latest ransomware-related threats to industry and pressing companies to join their industry-specific information sharing and analysis center.

Cybersecurity information sharing between government and industry is often complex and fraught with unforeseen complications. Still, some in industry think more can be done. Andrew Barrett, managing principal for solutions and investigations at Coalfire, told SC Media that CISA’s coordinating role and vantage point at the intersection of industry and government give the agency a unique perspective on the technical and intelligence resources around the latest ransomware threats.

“They have a huge role to play in driving awareness of this issue, alongside potential mitigations and security standards,” said Barrett. “They may also be a good location to aggregate [indicator of compromise] data from multiple private sources – the question really will be whether they can react quickly enough to help from a defensive perspective.”

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.