Ransomware attacks have targeted unpatched versions of WS_FTP Server software, a widely used file transfer product deployed by large enterprises, including government and educational organizations.
These attacks exploit a critical flaw in the Ad Hoc Transfer module, specifically a .NET deserialization vulnerability. This vulnerability allows threat actors to remotely execute code and take control of systems. The attacks have been attributed to the Reichsadler Cybercrime Group, who are demanding $500 worth of Bitcoin from their targets.
It is worth noting that the vulnerability appears to be 15 years old and may affect other software using the same library. It is unclear whether the vulnerability was being exploited prior to the release of a fix in September. Despite the fix being available, nearly 2,000 servers running WS_FTP with exposed web servers have been identified as still vulnerable.
The attackers attempted to use a stolen LockBit 3.0 builder for their ransomware attack. Additionally, they tried to escalate privileges using the open-source GodPotato tool, but were unsuccessful. Fortunately, Sophos X-Ops managed to stop the attack with their security measures.
However, industries that rely on WS_FTP software for file transfers, particularly the medical sector, are still at risk. Delays in accessing records could impact patient care. To enhance their defenses and gain insight into this threat, organizations can refer to the indicators of compromise (IOCs) available on Sophos X-Ops' GitHub page.
It is essential for organizations to have a plan in place to mitigate and patch vulnerabilities in critical and exposed services. Progress Software has released a security advisory detailing fixes for eight vulnerabilities, two of which are critical. These vulnerabilities enable threat actors to carry out malicious activities, including remote code execution. Customers are urged to update their WS_FTP Server instances to protect against these attacks.
The ransomware attacks targeting unpatched versions of WS_FTP Server software pose a significant threat to large enterprises, including government and educational organizations. The Reichsadler Cybercrime Group is exploiting a critical flaw in the Ad Hoc Transfer module, allowing them to remotely execute code and take control of systems. Despite a fix being available, many servers remain vulnerable. Industries that depend on the software, especially the medical sector, are at risk, with potential delays in accessing records impacting patient care. Organizations should refer to the indicators of compromise (IOCs) provided by Sophos X-Ops to enhance their defenses. It is crucial for organizations to have a plan in place to mitigate and patch vulnerabilities in critical and exposed services. Progress Software has released a security advisory with fixes for eight vulnerabilities, urging customers to update their WS_FTP Server instances to protect against these attacks.