The Week in Ransomware - December 23rd 2022 - Targeting Microsoft Exchange
- December 23, 2022
- 03:51 PM

Reports this week illustrate how threat actors consider Microsoft Exchange a prime target for gaining initial access to corporate networks to steal data and deploy ransomware.
CrowdStrike researchers reported this week that the Play ransomware operation utilized a new Microsoft Exchange attack dubbed 'OWASSRF' that chained exploits for CVE-2022-41082 and CVE-2022-41080 to gain initial access to corporate networks.
The ransomware operation then used this access to steal data and encrypt devices on the network.
As another example of Microsoft Exchange being heavily targeted by threat actors, ProDaft revealed this week that the FIN7 hacking group created an auto-attack platform called 'Checkmarks' that targets Microsoft Exchange.
This platform automatically scans for Exchange servers, exploits vulnerabilities to gain access, and then downloads data from the server.
FIN7 would then evaluate the company to determine if it was valuable enough to deploy ransomware.

Source: ProDaft
TrendMicro this week also confirmed our September report that a Conti cell known as Zeon rebranded as Royal Ransomware.
Other reports this week shed light on various ransomware operations:
- A report on how Reveton was the precursor to Ransomware-as-a-Service operations.
- A report on the Nokoyawa ransomware operation.
- Vice Society finally gets its own custom ransomware encryptor instead of relying on other operations' malware.
- A technical report on the Play ransomware, which has expanded its operations recently.