More ransomware operators are targeting the vulnerabilities that Microsoft disclosed in early March. The four zero-day bugs had been targeted in live attacks well before patches were released for them on March 2. While, the number of unpatched Exchange installations has dropped significantly, from roughly 80,000 on 14th March to fewer than 30,000 on 22nd March, the news isn’t good for those who still haven’t patched their versions of Microsoft Exchange.


Microsoft said: “More than 92% of known worldwide Exchange IPs have now been patched or mitigated – we continue to work with our customers and partners to mitigate the vulnerabilities.”


The number of attacks targeting the still-vulnerable servers hasn’t diminished. DoejoCrypt, also known as DearCry, was the first ransomware family to target the Exchange vulnerabilities more than two weeks ago, before the Black Kingdom/Pydomer ransomware recently joined the fray, according to Microsoft.


Known to be targeting publicly disclosed vulnerabilities, including Pulse Secure VPN flaws, Pydomer operators were observed mass scanning and attempting to compromise unpatched Exchange servers. The webshell dropped by the gang was observed on over 1,500 servers, but ransomware hadn’t yet been deployed on all of them. However, it’s likely that the adversaries would attempt to monetise the obtained unauthorised access in a different manner.


On systems where the ransomware was deployed, a “non-encryption extortion strategy” was adopted, with the attackers only dropping a ransom note to inform victims of their demands. Microsoft said: “The note should be taken seriously if encountered, as the attackers will have full access to systems and are likely able to exfiltrate data.”


Within the past few weeks, another adversary to have joined the Exchange party was the gang behind the Lemon Duck cryptocurrency botnet, which employed “a fileless/web shell-less option of direct PowerShell commands from w3wp (the IIS worker process) for some attacks,” but relied on various exploit styles in others.


“The Lemon Duck operators compromised numerous Exchange servers and moved in the direction of being more of a malware loader than a simple miner,” Microsoft explains.


The possibility that attacks targeting Exchange servers may continue to impact organisations even after patches have been applied, through the use of stolen credentials, or persistent access. Attackers exploit the on-premises Exchange Server vulnerabilities in combination to bypass authentication and gain the ability to write files and run malicious code. The best and most complete remediation for these vulnerabilities is to update to a supported Cumulative Update and to install all security updates.