MICROSOFT Corp has detected and blocked a "new family of ransomware" that was being used against servers that still hadn't patched vulnerabilities after last week's major security breach.
The updates it released last Friday are a temporary measure to defend against attacks, which were already occurring in many places, the company said.
The company discovered suspected Chinese state-sponsored hackers were exploiting previously unknown vulnerabilities in Microsoft's widely used Exchange business e-mail software earlier in March. Even as it issued a patch for those systems, hackers rushed to find companies that had yet to install Microsoft's fix.
BitSight Technologies, a Boston-based cybersecurity firm, said that based on internet-wide scans it had done last week, nearly one-third of vulnerable Microsoft Exchange customers have yet to patch their systems. Those customers would are now also vulnerable to the new ransomware attacks until those patches are installed.
Hackers are using the weaknesses introduced in the original attacks, including secret entry points inserted in victims' systems, to gain access. Governments have been hounding businesses to install the patches - the Australian government has issued at least three warnings in nine days - and Microsoft has warned organisations to take urgent action to forestall damage.
This latest update "means that Microsoft is concerned that people haven't patched", said Robert Potter, a cybersecurity expert based in Canberra, Australia. "If you've already been hit, there's very little you can do. You better hope your backups work, because you're not going to get decrypted." Ransomware targets so far have been small to medium-sized organisations victimised by hackers using relatively simple malware dubbed DOJOCRYPT or DearCry, said Kimberly Goody, senior manager of cybercrime analysis at Mandiant Threat Intelligence. Small companies are less likely to have dedicated IT staff to install patches immediately.
The network monitoring firm RiskIQ, working closely with Microsoft, says the number of vulnerable Exchange servers has plummeted in the last 10 days, from hundreds of thousands down to about 83,000. But their data analysis also shows that networks for banks, health care and pharmaceutical institutions remain vulnerable, as do systems for federal, state and local governments.
"If SolarWinds was a tactical missile strike, this one was a nuclear bomb," said Elias Manousos, CEO and founder of RiskIQ. "Attackers are just trying to create as much chaos as possible." BLOOMBERG