Ransomware: Now attackers are exploiting Windows PrintNightmare vulnerabilities

Cyber-criminal groups including Vice Society and Magniber have been spotted using vulnerabilities in Windows Print Spooler to infect victims with ransomware.

Why ransomware is a big cybersecurity problem and what needs to be done to stop it

Cyber criminals are exploiting Windows PrintNightmare vulnerabilities in their attempts to infect victims with ransomware – and the number of ransomware groups attempting to take advantage of unpatched networks is likely to grow.

The remote code execution vulnerabilities (CVE-2021-34527 and  CVE-2021-1675) in Windows Print Spooler – a service enabled by default in all Windows clients and used to copy data between devices to manage printing jobs – allow attackers to run arbitrary code, enabling them to install programs, modify, change and delete data, create new accounts with full user rights and move laterally around networks. 

Now ransomware gangs are taking advantage of PrintNightmare to compromise networks, encrypt files and servers, and demand payment from victims for a decryption key. 

SEE: A winning strategy for cybersecurity (ZDNet special report) 

One of them is Vice Society, a relatively new player in the ransomware space that first appeared in June and conducts hands-on, human-operated campaigns against targets. Vice Society is known to be quick to exploit new security vulnerabilities to help ransomware attacks and, according to cybersecurity researchers at Cisco Talos, they've added PrintNightmare to their arsenal of tools for compromising networks. 

Like many cyber-criminal ransomware groups, Vice Society uses double extortion attacks, stealing data from victims and threatening to publish it if the ransom isn't paid. According to Cisco Talos, the group has mostly focused on small and midsize victims, notably schools and other educational institutions

The ubiquitous nature of Windows systems in these environments means Vice Society can utilize PrintNightmare vulnerabilities if patches haven't been applied, to execute code, maintain persistence on networks and deliver ransomware.  

"The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks," Cisco Talos researchers wrote in a blog post

"Multiple distinct threat actors are now taking advantage of PrintNightmare, and this adoption will likely continue to increase as long as it is effective". 

Another ransomware group actively exploiting the PrintNightmare vulnerabilities is Magniber. This ransomware operation has been active and introducing new features and attack methods since 2017. Magniber initially used malvertising to spread attacks, before moving onto taking advantage of unpatched security vulnerabilities in software including Internet Explorer and Flash. The majority of Magniber campaigns target South Korea.  

Now, according to cybersecurity researchers at Crowdstrike, Magniber ransomware is using PrintNightmare in campaigns, again demonstrating how ransomware gangs and other cyber-criminal groups try to take advantage of newly disclosed vulnerabilities to aid attacks before network operators have applied the patch.  

SEE: This new phishing attack is 'sneakier than usual', Microsoft warns

It's likely that other ransomware groups and malicious hacking campaigns will look to exploit PrintNightmare, so the best form of defence against the vulnerability is to ensure systems are patched as soon as possible.  

"CrowdStrike estimates that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors," said Liviu Arsene, director of threat research and reporting at Crowdstrike. 

"We encourage organizations to always apply the latest patches and security updates to mitigate known vulnerabilities and adhere to security best practices to strengthen their security posture against threats and sophisticated adversaries," he added. 

MORE ON CYBERSECURITY