In a recent ransomware attack, cyber-experts identified a malicious campaign that exploited a security vulnerability in Progress Software’s WS_FTP Server to target organizations.
The attackers attempted to deploy ransomware, but their efforts failed as their ransomware code, derived from LockBit 3.0, did not execute as planned. Sophos X-Ops, a cybersecurity firm, identified the attackers as inexperienced, and Sophos’ antivirus software neutralized their ransomware.
Although the ransomware attack was thwarted, it became evident that the WS_FTP Server had suffered a compromise, resulting in the execution of malicious code. The ransom note, attributed to the relatively unknown Reichsadler Cybercrime Group, demanded a modest ransom of 0.018 Bitcoin (less than $500) for decrypting the files, significantly lower than the demands of more established cybercriminal operations.
The location of the Reichsadler Cybercrime Group remains undisclosed, but the payment deadline was set to Moscow Standard Time, suggesting a potential Russian-based operation or an attempt to hide their true location.
Sophos successfully blocked the download of the ransomware payload by activating a rule designed to counter a recognized intrusion technique. Patches for the WS_FTP Server vulnerabilities were released on September 27, and just three days later, there were documented attacks exploiting these vulnerabilities. The release of proof-of-concept (PoC) code shortly after the patches became available indicated early and widespread exploitation attempts, reducing the time available for organizations to apply the patches.
The severity of the remote code execution vulnerability and the availability of PoC code prompted urgent calls for organizations to apply the patches. Progress Software and NIST’s National Vulnerability Database assigned high severity scores to the vulnerability. Security company Assetnote, credited with discovering the bug, reported that approximately 2,900 hosts were still running the vulnerable file transfer software as of October 4.
Article Source: The Register.