The new development came as researchers at security firm DomainTools challenged the claim by many a media outlet that a Chinese group, which has been christened Hafnium by Microsoft, was a state-directed group exploiting the four flaws.
? #Exchange Servers Possibly Hit With #Ransomware ?— Michael Gillespie (@demonslay335) March 11, 2021
ID Ransomware is getting sudden swarm of submissions with ".CRYPT" and filemarker "DEARCRY!" coming from IPs of Exchange servers from US, CA, AU on quick look. pic.twitter.com/wPCu2v6kVl
Michael Gillespie, the researcher who runs the ransomware identification service ID Ransomware, spotted a number of submissions to the service with .crypt and a filemarker DearCry, and alerted his Twitter followers to this on Friday.
Gillespie said the submissions from Exchange servers which had US, Canadian and Australian IP addresses.
Microsoft observed a new family of human operated ransomware attack customers – detected as Ransom:Win32/DoejoCrypt.A. Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers. #DearCry @MsftSecIntel— Phillip Misner (@phillip_misner) March 12, 2021
Patches were issued for the four Exchange Server vulnerabilities a week ahead of the regular patch Tuesday in March.
The DomainTools researchers observed that Microsoft's claim did not make it clear whether Hafnium was a Chinese state-directed operation.
"Initial reporting from Microsoft noted that HAFNIUM is 'state-sponsored and operating out of China, based on observed victimology, tactics and procedures'," they wrote.
"While the statement notes operations out of China and that the entity is assessed to be 'state-sponsored', the sentence as constructed does not explicitly make the claim that Hafnium is a Chinese state-directed operation.
"Yet despite the very careful wording in Microsoft’s blog, multiple media reports quickly made the direct link to China. While such a link is certainly possible and has not been ruled out, as of this writing no conclusive evidence has emerged linking Hafnium operations to the People’s Republic of China."