Microsoft Corp. has detected and blocked a “new family of ransomware” that was being used against servers that still hadn’t patched vulnerabilities after last week’s major security breach. The updates it released on Friday are a temporary measure to defend against attacks, which were already occurring in many places, the company said.
The company discovered suspected Chinese state-sponsored hackers were exploiting previously unknown vulnerabilities in Microsoft’s widely used Exchange business email software earlier in March. Even as it issued a patch for those systems, hackers rushed to find companies that had yet to install Microsoft’s fix.
BitSight Technologies, a Boston-based cybersecurity firm, said that based on internet-wide scans it had done this week nearly one-third of vulnerable Microsoft Exchange customers have yet to patch their systems. Those customers would are now also vulnerable to the new ransomware attacks until those patches are installed.
Hackers are using the weaknesses introduced in the original attacks, including secret entry points inserted in victims’ systems, to gain access. Governments have been hounding businesses to install the patches — the Australian government has issued at least three warnings in nine days — and Microsoft has warned organizations to take urgent action to forestall damage.
This latest update “means that Microsoft is concerned that people haven’t patched,” said Robert Potter, a cybersecurity expert based in Canberra, Australia. “If you’ve already been hit there’s very little you can do. You better hope your backups work, because you’re not going to get decrypted.”
Ransomware targets so far have been small to medium-sized organizations victimized by hackers using relatively simple malware dubbed DOJOCRYPT or DearCry, said Kimberly Goody, senior manager of cybercrime analysis at Mandiant Threat Intelligence. Small companies are less likely to have dedicated IT staff to install patches immediately.
The network monitoring firm RiskIQ, working closely with Microsoft, says the number of vulnerable Exchange servers has plummeted in the last 10 days, from hundreds of thousands down to about 83,000. But their data analysis also shows that networks for banks, health care and pharmaceutical institutions remain vulnerable, as do systems for federal, state and local governments.