The Week in Ransomware, December 23rd 2022 Targeting Microsoft Exchange

This week’s reports show that Microsoft Exchange is a target of threat actors who want to gain access to corporate networks in order to steal data or deploy ransomware.

CrowdStrike’s researchers discovered this week that Play ransomware used a . The exploit chains CVE-2022-4082 and CVE-2022-40802 to gain initial access to corporate networks.

This access was then used by the ransomware to steal data from and encrypt network devices.

ProDaft also revealed that Microsoft Exchange is being targeted heavily by threat actors. This week, the called “Checkmarks” that attacks Microsoft Exchange.

The platform scans Exchange servers automatically, exploits security holes to gain access and downloads the data from them.

FIN7 would then evaluate the company and determine whether a ransomware attack is worthwhile.

Victim details on FIN7’s Checkmarks platform

Source: ProDaft

TrendMicro in our September Report that an was rebranded as Royal Ransomware.

This week’s reports also shed some light on ransomware operations.

This week’s ransomware stories and contributors include @BleepinComputer and @FourOctets.

December 19, 2022

The Play ransomware gang claimed responsibility for a cyberattack on (, which caused communication disruptions for the company.

Reveton ransomware was created in 2012 and is considered the first Ransomware-as-a-Service (RaaS) operation ever. Since then, RaaS has enabled criminal gangs to carry out attacks without restriction, and almost anyone can now run highly efficient malware campaigns.

December 20, 2022

The Play ransomware threat actor uses a new exploit to bypass ProxyNotShell URL redirect mitigations and gain remote code execution on vulnerable servers via Outlook Web Access (OWA).

Nokoyawa ransomware shared code with Karma ransomware in February 2022. The Nemty ransomware can be further traced back to Nokoyawa ransomware. Nokoyawa ransomware’s original code was written in C. File encryption used asymmetric elliptic curve cryptography on curve SECT233R1 (a.k.a. NIST B-233) via Tiny-ECDH, an open-source library, combined with a Salsa20 symmetric key per file. Nokoyawa ransomware 2.0 still uses Salsa20 for symmetric encryption, but Curve25519 was adopted for the asymmetric part.

discovered new STOP ransomware variations that add the , and HTML3_ extensions.

December 21, 2022

Researchers may not have discovered Royal ransomware until September 2022. However, it was first operated by experienced cybercriminals. According to Vitali Kremez’s mindmap, these threat actors were once part of Conti Team One. They initially called it Zeon ransomware before renaming it Royal ransomware.

PCrisk discovered the HardBit 2.0 ransomware. It adds the .hardbit2 extension and drops ransom notes titled How to Restore Your Files.txt.

PCrisk discovered a new STOP ransomware version that adds the .iswr extension.

December 22, 2022

Vice Society’s ransomware operation switched to a customized ransomware encryptor. It implements a strong hybrid encryption scheme based on NTRUEncrypt, ChaCha20 and Poly1305.

The notorious hacker group FIN7 uses an automated attack system to exploit Microsoft Exchange and SQL injection weaknesses. This allows them to break into corporate networks and steal data. They also select financially attractive companies as ransomware targets.

Play, a relative newcomer in the ransomware world, was first detected in June 2022. Play is both the name of the ransomware executable and of the group that developed it. Like many others in the space, Play uses the double-extortion method: encrypting endpoints and/or infrastructure within organizations and then threatening to upload exfiltrated data to the internet if the ransom isn’t paid.

This is it for this week. We hope everyone had a wonderful holiday!