The latest research published by Check Point shows a resurgence in WannaCry ransomware attacks. It has been almost four years since the ransomware first appeared and was used in a massive global campaign that encrypted an estimated 200,000 computers in 150 countries. Check Point’s telemetry shows there was a 53% increase in WannaCry ransomware in March compared to January. The initial attacks were thwarted when a kill switch was identified and activated. The latest variant has had the kill switch removed.
As was the case in the May 2017 campaign, the ransomware still uses the EternalBlue exploit to worm its way into all vulnerable computers on a network, even though Microsoft released the patch for the Windows Server Message Block vulnerability it exploits 4 years ago. Data from Trend Micro indicates WannaCry was the top ransomware family in the Americas in January 2021 with 1,240 detections. Check Point’s figures show the increase in attacks started in December 2021, and there were more than 13,000 attacks in March 2021.
WannaCry is far from the only ransomware family that has seen an increase in activity in the past few months. Overall, ransomware attacks increased by 53% in the past 6 months according to Check Point, with the volume of attacks increasing by 9% each month since January 2021. The United States is the most targeted country with 12% of attacks, followed by Israel (9%), and India (7%).
Check Point researchers have also observed a major increase in cyberattacks exploiting the ProxyLogon vulnerability in Microsoft Exchange Server – CVE-2021-27065. The severity of the flaw prompted Microsoft to release out-of-band patches on March 3, 2021, along with a stern warning to apply them immediately, as the Chinese nation-state hacking group Hafnium was actively exploiting the vulnerability. Several other threat groups are now exploiting the flaw.
It has been almost a month since the patches were released, yet many companies have still not updated their Microsoft Exchange Servers. Check Point notes that attacks exploiting the flaws have tripled in the past week, with the flaw often exploited to gain access to networks to deliver ransomware, including the DearCry and Black Kingdom ransomware variants. Microsoft’s data indicates there were still around 14,000 unpatched, vulnerable Exchange servers on March 14, 2021. The most targeted sectors are government/military and banking and finance, which account for 49% of attacks exploiting the ProxyLogon flaw.
These attacks highlight the importance of promptly patching vulnerabilities. Check Point has joined Microsoft and the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) in raising the alarm and urging all organizations to patch the ProxyLogon flaw immediately to prevent exploitation.
“We’re urging organizations to act now, before ransomware gangs make Exchange exploits popular. In cybercrime, we rarely see businesses that demonstrate constant growth, or rapid adjustments to changing factors, as well as quick adoptions of new technologies. Ransomware is one of those rare businesses,” said Check Point threat intelligence manager Lotem Finkelsteen.