BleepingComputer reports that Microsoft Exchange servers are being compromised by BlackCat ransomware affiliates through exploits that target unpatched flaws.
Several BlackCat affiliates, including FIN12 and DEV-0504, have been leveraging vulnerable Exchange servers for initial access prior to distributing BlackCat ransomware payloads, according to the Microsoft 365 Defender Threat Intelligence Team. Microsoft noted that while FIN12 has previously attacked healthcare organizations with Conti, Hive, and Ryuk ransomware, the group has added BlackCat to its arsenal since March. "Their switch to BlackCat from their last used payload (Hive) is suspected to be due to the public discourse around the latter's decryption methodologies," said Microsoft.
DEV-0504 has also transitioned to BlackCat ransomware after having leveraged Conti, BlackMatter, REvil, LockBit 2.0, and Ryuk since December. Microsoft's report comes after the FBI had warned in April regarding the use of BlackCat ransomware in encrypting 60 organizations' networks from November 2021 to March 2022. In that advisory, the FBI noted the association of BlackCat's developers and money launderers with DarkSide or BlackMatter.
Microsoft Exchange servers targeted by BlackCat affiliates