Check Point: 50,000 Attempted Ransomware Attacks Target ExchangeNew Research Report Tracks Latest Global Trends
Check Point Research says it has spotted more than 50,000 ransomware attack attempts worldwide so far against unpatched on-premises Microsoft Exchange email servers.
Check Point says it's seen a 57% increase in overall ransomware attacks over the last six months, with attacks growing by 9% each month so far in 2021, based on its telemetry efforts. Some 3,868 organizations have been affected, according to the firm's new research report released Tuesday.
The Exchange attacks are being launched by a wide array of attackers, all of whom are taking advantage of Exchange exploits available in online crime forums, says Lotem Finkelsteen, Check Point's manager of threat intelligence.
"The number of cyberattacks on Microsoft Exchange servers tripled in the last week alone, bringing the total number of attacks on Microsoft Exchange servers documented by [Check Point Research] to over 50,000," Finkelsteen says.
He points out that many companies "are still paying the ransom demands," which is fueling the ramping up of attack campaigns.
U.S. in the Crosshairs
Some 49% of the on-premises Exchange ransomware attack attempts targeted organizations in the United States, followed by the U.K (5%), the Netherlands (4%) and Germany (4%), the report states. The most targeted industries in these regions are government/military, manufacturing and banking/finance.
Finkelsteen says the U.S. is the prime target because it's home to the largest number of Exchange servers in the world and users often have the financial resources to pay a ransom.
Microsoft said Thursday that ransomware activity against compromised on-premises Exchange servers remained limited.
Microsoft patched the four vulnerabilities in the on-premises version of Exchange Server on March 2. Around that time, RiskIQ estimated that about 400,000 on-premises Exchange servers were vulnerable. As of Thursday, Microsoft says, more than 92%, or around 368,000, have been patched or mitigated.
Exchange servers were aggressively targeted starting around Feb. 26. Microsoft attributed the initial activity to a suspected China-based group dubbed Hafnium, but other security companies report that as many as a half-dozen groups attacking Exchange servers prior to the patching.
In the last six months, Check Point says the U.S. was the most common target for all types of ransomware, accounting for 12% of attacks, followed by Israel (8%), India (7%) and Japan (6%), while Canada, Spain, Mexico, the United Kingdom, China and Portugal each account for 2%.
Check Point says attacks involving WannaCry wormable malware, which first struck four years ago, have increased 53% in the last six months.
"It's very disturbing to see there are organizations who are still vulnerable to a 4-year-old vulnerability," Finkelsteen says.
Trend Micro also recently reported that WannaCry was the most popular malware in use last year, followed by cryptocurrency miners and Emotet ransomware. WannaCry which, first popped onto the scene on May 12, 2017 used the EternalBlue exploit after the U.S. National Security Agency tool was released by the ShadowBrokers.
Attackers are also now commonly using the Ryuk, Egregor and Maze ransomware variants, Finkelsteen says.