Ransomware operators try to exploit the WS_FTP bug


Attackers are trying to exploit yet another Progress Software product as class action lawsuits over the company’s MOVEit Transfer product pile up.

Attackers are already trying to exploit a bug in Progress Software’s WS_FTP Server secure file transfer software with the intention of deploying ransomware, researchers at cybersecurity firm Sophos have found.

The vulnerability was assigned the highest possible severity score in late September. The Cybernews research team believes that attackers could exploit the flaw to carry out remote code execution (RCE) attacks, deploying malicious code on target devices.

While there were reports that attackers tried to exploit the bug before, there were no confirmed instances of a ransomware attempt.

“Even though Progress Software released a fix for this vulnerability in September 2023, not all of the servers have been patched. Sophos X-Ops observed unsuccessful attempts to deploy ransomware through the unpatched services,” researchers said.

The attackers built the ransomware used in the attack by compiling it from a leaked version of the infamous LockBit 3.0 ransomware source code.

A ransom note reveals that the gang calls itself Reichsadler Cybercrime Group. While reichsadler simply means “imperial eagle” in German, the one depicted in the ransom note resembles the insignia used in Nazi Germany.

The ransom demand in the note falls short of the millions of dollars that large cartels typically demand, with the group asking its victim to pay just $500.

Progress Software’s MOVEit woes

The latest vulnerability in WS_FTP Server comes at a troubling time for Progress Software. Earlier this year, the Cl0p ransomware cartel exploited a zero-day bug in the company’s MOVEit Transfer software.

According to researchers at Emsisoft, over 2,500 organizations – mainly in the US – and nearly 65 million individuals have been impacted by MOVEit attacks by the Russia-linked ransomware cartel.

Taking IBM’s estimate, which puts the cost of an average data breach at $165 per leaked record, the impact of Cl0p attacks would add up to a staggering $10.7 billion.

Progress Software told the Securities Exchange Commission that, as of now, the company is a “party to 58 class action lawsuits filed by individuals who claim to have been impacted by the exfiltration of data from the environments of our MOVEit Transfer customers.”

However, the company said MOVEit Transfer and MOVEit Cloud services represented “less than 4%” of Progress Software’s revenue, hinting that the company will likely be able to ride out the storm.

That said, the company has already incurred $1 million of costs related to the MOVEit vulnerability and expects the ordeal to negatively impact its future performance and financial results.

“Customer confidence in Progress may also be impacted by the MOVEit Vulnerability. Through our response speed and transparent communications, we are committed to, and actively engaged in, activities to restore any loss in customer confidence. However, we currently cannot predict the length or extent of any ongoing impact to sales,” Progress said.