Ransomware gangs taking advantage of Microsoft flaw: Expert
Organisations worldwide have failed to patch software; tens of thousands have been hacked
WASHINGTON • Ransom-seeking hackers have begun taking advantage of a recently disclosed flaw in Microsoft's widely used mail server software, a researcher has said - a serious escalation that could portend widespread digital disruption.
The disclosure, made on Twitter by Microsoft security programme manager Phillip Misner late on Wednesday, is the realisation of worries that have been coursing through the security community for days.
Since March 2, when Microsoft announced the discovery of serious vulnerabilities in its Exchange software, experts have warned that it was only a matter of time before ransomware gangs began using them to shake down organisations across the Internet.
Tens of thousands of organisations have already been compromised, Reuters reported last week, and new victims are being made public daily.
Earlier on Wednesday, for example, Norway's Parliament announced data had been "extracted" in a breach linked to the Microsoft flaws. Germany's cyber security watchdog agency also said on Wednesday that two federal authorities had been affected by the hack.
Microsoft yesterday said it has detected and blocked a "new family of ransomware" that was being used against servers that still had not patched vulnerabilities after last week's major security breach.
The updates it released yesterday are a temporary measure to defend against attacks, which were already occurring in many places, the company said.
The US Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation did not immediately respond.
Even though the security holes announced by Microsoft have since been fixed, organisations worldwide have failed to patch their software, leaving them open to exploitation. In Germany alone, officials have said up to 60,000 networks remained vulnerable.
The fixes are free, but experts attribute the sluggish pace of many customers' updates in part to the complexity of Exchange's architecture.
All manner of hackers have begun taking advantage of the holes - one security firm recently counted 10 separate hacking groups using the flaws - but ransomware operators are among the most feared.
Those groups work by locking users out of their devices and data unless the victims cough up big chunks of digital currency.
They now potentially have access to "a huge number of vulnerable systems", said Mr Brett Callow of Canadian cyber security company Emsisoft.
He said more modest companies - many of which lack the ability or awareness to update their software - could be particularly affected by the latest variant of ransomware.
"This is a potentially serious risk to small businesses," he added.
Hackers are using the weaknesses introduced in the original attacks, including secret entry points inserted in victims' systems, to gain access.
Cyber security company ESET said in a blog post on Wednesday that there were already signs of cyber criminal exploitation, with one group that specialises in stealing computer resources to mine cryptocurrency breaking into previously vulnerable Exchange servers to spread its malicious software.
Governments have been hounding businesses to install the patches - the Australian government has issued at least three warnings in nine days - and Microsoft has warned organisations to take urgent action to forestall damage.
This latest update "means that Microsoft is concerned that people haven't patched", said Mr Robert Potter, a cyber security expert based in Canberra, Australia.
"If you've already been hit, there's very little you can do. You better hope your backups work, because you're not going to get decrypted."
REUTERS, BLOOMBERG

