The first ransomware campaign against organizations using the vulnerability in Progress Software’s WS_FTP Server was spotted by security researchers this week.
Sophos X-Ops revealed on Thursday that its customers have recently been targeted by ransomware criminals who have lifted the code from the LockBit 3.0 program that was leaked last year, shortly after it was created.
The criminals behind the campaign are likely to be inexperienced and weren’t ultimately successful in their attempts.
As the ransomware failed to encrypt any files, the researchers were able to analyze the payload in a bid to identify who was behind the attack.
By recovering the ransom note that is dropped during successful attacks, the researchers identified the group as the “Reichsadler Cybercrime Group” – an unheard-of gang whose name is taken from the eagle found on coats of arms in Germany, including those adopted by the Nazi regime.
The note demanded just 0.018 Bitcoin as a payment to recover encrypted files – a sum equivalent to less than $500.
The ransom is vastly lower than what is expected of more established cybercriminal operations. LockBit claimed this week in an update to its attack on CDW that the company offered just $1.1 million of the total $80 million that was demanded of it.
It’s generally understood that ransomware gangs will demand a fee of around 3 percent of whatever they calculate the target’s annual revenue to be, though these calculations are sometimes based on wrong information and can be incorrectly inflated.
The location of Reichsadler Cybercrime Group’s operation isn’t known, though the ransom note set the payment deadline in Moscow Standard Time. This could suggest a Russian operation, or one in another country attempting to disguise its true location.
Sophos’s product was able to stop the download of the ransomware payload after the attack triggered a rule designed to prevent a known intrusion tactic (MITRE ATT&CK technique T1071.001).
Patches for the eight vulnerabilities in WS_FTP were released on September 27 and Rapid7’s researchers spotted the first wave of attacks exploiting the vulnerabilities three days later.
Evidence pointed to early mass exploitation attempts following the release of proof of concept (PoC) code just two days after the patches were made available, severely limiting the time in which affected organizations had to implement them.
The severity of the remote code execution bug, combined with the availability of the PoC code, prompted wide calls from the industry to apply the patches urgently.
Progress Software assigned it a maximum severity score of 10, while NIST’s National Vulnerability Database assigned it a “high” CVSS score of 8.8.
According to researchers at security company Assetnote, which was credited with the bug’s discovery, telemetry showed around 2,900 hosts were running the file transfer software as of October 4.