Thwarted ransomware raid targeting WS_FTP servers demanded just 0.018 BTC

Early attempt to exploit latest Progress Software bug spotted in the wild


Security researchers this week spotted an early ransomware campaign against organizations that exploited the vulnerability in Progress Software's WS_FTP Server.

Sophos X-Ops revealed on Thursday that its customers have been targeted by criminals who lifted their ransomware code from LockBit 3.0, which was leaked last year shortly after that strain was created.

The crooks behind the campaign are likely to be inexperienced and weren't ultimately successful in their attempts. The ransomware failed to run as anticipated and encrypt any files – Sophos said its antivirus was able to block it – allowing the payload to be captured and examined.

That's good news for the intended victims, though it appears WS_FTP Server was exploited successfully and malicious intermediary code was run. That code attempted to fetch and deploy the ransomware, which was blocked.

It was possible to dig the ransom note that's dropped during successful attacks out of the ransomware payload. That note revealed the group behind the intrusion was the Reichsadler Cybercrime Group – an unheard-of gang whose name is taken from the eagle found on coats of arms in Germany, including those adopted by the Nazi regime.

The note demanded just 0.018 Bitcoin as a payment to recover encrypted files – a sum equivalent to less than $500.

The ransom is vastly lower than what is expected of more established cybercriminal operations. LockBit claimed this week in an update to its attack on CDW that the company offered just $1.1 million of the total $80 million that was demanded of it.

It's generally understood that ransomware gangs will demand a fee of around 3 percent of whatever they calculate the target's annual revenue to be, though these calculations are sometimes based on wrong information and can be incorrectly inflated.

The location of Reichsadler Cybercrime Group's operation isn't known, though the ransom note set the payment deadline in Moscow Standard Time. This could suggest a Russian operation, or one in another country attempting to disguise its true location.

Sophos said it was able to stop the download of the ransomware payload after the attack triggered a rule designed to prevent a known intrusion tactic (MITRE ATT&CK technique T1071.001).

Patches for the eight vulnerabilities in WS_FTP were released on September 27, and Rapid7's researchers spotted the first wave of attacks exploiting the vulnerabilities three days later.

Evidence pointed to early mass exploitation attempts following the release of proof of concept (PoC) code just two days after the patches were made available, severely limiting the time in which affected organizations had to implement them.

The severity of the remote code execution bug, combined with the availability of the PoC code, prompted wide calls from the industry to apply the patches urgently.

Progress Software assigned it a maximum severity score of 10, while NIST's National Vulnerability Database assigned it a "high" CVSS score of 8.8.

According to researchers at security company Assetnote, which was credited with the bug's discovery, telemetry showed around 2,900 hosts were running the file transfer software as of October 4. ®
