October 13, 2023 at 02:22PM
Security researchers have discovered the first ransomware campaign that exploits a vulnerability in Progress Software’s WS_FTP Server to target organizations. The campaign, carried out by the “Reichsadler Cybercrime Group,” demanded a ransom of 0.018 Bitcoin (approximately $500) to recover encrypted files. Sophos’s product prevented the download of the ransomware payload, and patches for the vulnerabilities were released on September 27. The severity of the bug prompted urgent calls for organizations to apply the patches. Around 2,900 hosts were found to be running the affected software.
Key Takeaways from Meeting Notes:
1. Security researchers have identified the first ransomware campaign that exploits the vulnerability in Progress Software’s WS_FTP Server to attack organizations.
2. The ransomware criminals behind the campaign derived their code from the leaked LockBit 3.0 program.
3. The attackers are likely inexperienced and were not successful in encrypting any files.
4. The Reichsadler Cybercrime Group, a previously unknown gang, was identified as being behind the attack.
5. The ransom note demanded a payment of 0.018 Bitcoin, equivalent to less than $500.
6. This ransom amount is significantly lower than what is typically demanded by more established cybercriminal operations.
7. The location of the cybercrime group is unknown, but the payment deadline in the ransom note was expressed in Moscow Standard Time.
8. Sophos’s product was able to prevent the download of the ransomware payload by triggering a rule designed to stop known intrusion tactics.
9. Patch updates for the vulnerabilities in WS_FTP were released on September 27.
10. The first wave of attacks exploiting the vulnerabilities was spotted three days after the patches were released, indicating early mass exploitation attempts.
11. The severity of the remote code execution bug and the availability of proof of concept (PoC) code prompted urgent calls for organizations to apply the patches.
12. Progress Software assigned the vulnerability a maximum severity score of 10, while NIST’s National Vulnerability Database rated it as “high” with a CVSS score of 8.8.
13. It was estimated that around 2,900 hosts were running the vulnerable file transfer software as of October 4, according to security company Assetnote.