Thwarted ransomware raid targeting WS_FTP servers demanded just 0.018 BTC

Early attempt to exploit latest Progress Software bug spotted in the wild

An early ransomware campaign against organizations by exploiting the vulnerability in Progress Software's WS_FTP Server was this week spotted by security researchers.

Sophos X-Ops revealed on Thursday its customers have been targeted by criminals who lifted their ransomware code from LockBit 3.0, which was leaked last year, shortly after this latest strain was created.

The crooks behind the campaign are likely to be inexperienced and weren't ultimately successful in their attempts. The ransomware failed to run as anticipated and encrypt any files – Sophos said its antivirus was able to block it – allowing the payload to be captured and examined.

That's good news for the intended victims, though it appears WS_FTP Server was exploited successfully and malicious intermediary code was run. That code attempted to fetch and deploy the ransomware, which was blocked.

It was possible to dig out the ransom note that's dropped during successful attacks from the ransomware payload. That note revealed the group behind the intrusion was the Reichsadler Cybercrime Group – an unheard-of gang whose name is taken from the eagle found on coats of arms in Germany, including those adopted by the Nazi regime.

The note demanded just 0.018 Bitcoin as a payment to recover encrypted files – a sum equivalent to less than $500.

The ransom is vastly lower than what is expected of more established cybercriminal operations. LockBit claimed this week in an update to its attack on CDW that the company offered just $1.1 million of the total $80 million that was demanded of it.

It's generally understood that ransomware gangs will demand a fee of around 3 percent of whatever they calculate the target's annual revenue to be, though these calculations are sometimes based on wrong information and can be incorrectly inflated.

The location of Reichsadler Cybercrime Group's operation isn't known, though the ransom note set the payment deadline time to Moscow Standard Time. This could suggest a Russian operation or one in another country attempting to disguise their true location.

Sophos said it was able to stop the download of the ransomware payload after the attack triggered a rule designed to prevent a known intrusion tactic (MITRE ATT&CK technique T1071.001).

Patches for the eight vulnerabilities in WS_FTP were released on September 27 and Rapid7's researchers spotted the first wave of attacks exploiting the vulnerabilities three days later.

Evidence pointed to early mass exploitation attempts following the release of proof of concept (PoC) code just two days after the patches were made available, severely limiting the time in which affected organizations had to implement them.

The severity of the remote code execution bug, combined with the availability of the PoC code, prompted wide calls from the industry to apply the patches urgently.

Progress Software assigned it a maximum severity score of 10, while NIST's National Vulnerability Database assigned it a "high" CVSS score of 8.8. 

According to researchers at security company Assetnote, which was credited with the bug's discovery, telemetry showed around 2,900 hosts were running the file transfer software as of October 4. ®

Send us news

What is RansomHub? Looks like a Knight ransomware reboot

Malware code potentially sold off, tweaked, back at it infecting victims

Frontier Communications: 750k people's data stolen in April attack on systems

Company says just names and SSNs affected, watering down RansomHub’s claims

Ukrainian cops collar Kyiv programmer believed to be Conti, LockBit linchpin

28-year-old accused of major ransomware attacks across Europe

White House report dishes deets on all 11 major government breaches from 2023

The MOVEit breach and ransomware weren’t kind to the Feds last year

Akira: Perhaps the next big thing in ransomware, says Tidal threat intelligence chief

Scott Small tells us gang's 'intent and capability' should get the attention of CSOs

Cops cuff 22-year-old Brit suspected of being Scattered Spider leader

Spanish plod make arrest at airport before he jetted off to Italy

FBI encourages LockBit victims to step right up for free decryption keys

The bad news? Gang wasn't deleting victim data after payments

Blackbaud has to cough up a few million dollars more over 2020 ransomware attack

Four years on and it's still paying for what California attorney general calls 'unacceptable' practice

Christie's stolen data sold to highest bidder rather than leaked, RansomHub claims

Experts say auctioning the auctioneer’s data is unlikely to have been genuinely successful

US senator claims UnitedHealth's CEO, board appointed 'unqualified' CISO

Similar cases have resulted in serious sanctions, and they were on a far smaller scale

Pretty much all the headaches at MSPs stem from cybersecurity

More cybercrime means more problems as understaffed teams stretched to the limit

Auction house Christie’s confirms criminals stole some client data

Centuries-old institution dodges questions on how it happened as ransomware gang claims credit