In a statement published today, Microsoft has rebuffed rumors that its Microsoft Teams communication and collaboration platform is being used by cyber-criminal gangs to plant ransomware on enterprise networks.
As with most rumors, its exact origin is unknown. It began circulating online in early November, after several companies across Spain were infected with ransomware. The claim that Microsoft Teams was the infection point was put forward by Twitter accounts not involved in the official investigation, and it was then repeated at face value by various Spanish news outlets, which gave it a momentum it never deserved.
"Microsoft has been investigating recent attacks by malicious actors using the DoppelPaymer ransomware," said Simon Pope, Director of Incident Response at the Microsoft Security Response Center (MSRC).
"There is misleading information circulating about Microsoft Teams, along with references to RDP (BlueKeep), as ways in which this malware spreads," Pope added.
"Our security research teams have investigated and found no evidence to support these claims," the Microsoft exec said. "In our investigations we found that the malware relies on remote human operators using existing Domain Admin credentials to spread across an enterprise network."
Pope is describing a tactic in which ransomware operators gain access to one computer on a company's internal network by whatever means are available, harvest credentials from it (ideally Domain Admin credentials), and then use those credentials to move laterally to more computers, encrypting data along the way.
Besides rejecting the rumors that Microsoft Teams was somehow involved in the recent attacks, Pope also addressed a second set of rumors that has been going around on social media and some tech news sites.
This second set of rumors claimed that cyber-criminals might have used the BlueKeep RDP vulnerability to install the DoppelPaymer ransomware, in reference to the same attacks detected across Spain and to subsequent ones, such as the attack on Mexican state oil company PEMEX.
This is a first-of-its-kind move from the company: Microsoft has never before issued such a stern statement to correct blatantly false online rumors.
In hindsight, neither rumor should have caught on the way it did, let alone been repeated in news media articles, because both could have been easily disproved.
First, DoppelPaymer is a variant of the BitPaymer ransomware and has historically been distributed exclusively through the Dridex or Emotet botnets, or a combination of the two.
Computers infected with either Dridex or Emotet are in some cases handed over to ransomware gangs as a manual foothold into a company's internal network. From there, as Pope explained above, attackers harvest credentials for the network, move laterally to other systems, and install DoppelPaymer on as many of them as they can.
Second, every attack in which the BlueKeep vulnerability has actually been exploited had the end goal of installing a cryptocurrency miner, something made clear by the two researchers who spotted and investigated the initial BlueKeep attacks [1, 2], and by Microsoft itself.
There has yet to be a publicly documented case where BlueKeep has been used to install ransomware.
As security researcher Kevin Beaumont and Rapid7 Chief Data Scientist Bob Rudis have said on many occasions, most malicious RDP traffic today consists of brute-force attacks, in which attackers try to guess the RDP password, rather than BlueKeep exploitation traffic.