Germany warns of ransomware attacks over Christmas, citing Emotet return, unpatched Exchange servers
Catalin Cimpanu December 3, 2021

The German cybersecurity authority has told German organizations to expect ransomware and other cyber-attacks over the Christmas and end-of-year holidays, citing the return of the Emotet botnet and the large number of Microsoft Exchange email servers that have been left unpatched.

The Emotet gang, which began rebuilding its botnet two weeks ago, has often rented access to infected systems to ransomware gangs to serve as springboards for attacks.

Numerous vulnerabilities discovered in Microsoft Exchange email servers this year have been abused throughout 2021 to allow ransomware gangs—such as DearCry, Black Kingdom, Babuk, and BlackByte—to enter corporate networks and encrypt internal servers.

Hackers prefer major holidays for attacks

“Holidays, vacation times and weekends in particular have been used repeatedly for such attacks in the past, as many companies and organizations are less responsive then,” BSI President Arne Schönbohm said on Thursday, urging companies to patch systems and take steps to block Emotet spam.

The BSI warning comes on the heels of a similar alert sent by US CISA last week, ahead of the Thanksgiving weekend.

Attacks over major holidays have become commonplace in recent years, as criminal gangs have realized that IT and security teams are typically off duty or working in reduced capacities.

For example, hackers began exploiting a zero-day in the Accellion file-sharing server just ahead of the 2020 Christmas holiday. Even though the vendor released a patch, most companies didn’t get to install it until the next year, because IT teams were off or delayed the installation to have more time to test and review the code.

Three-quarters of Exchange servers still unpatched

The risk of a major ransomware outbreak is particularly high this year because of the large number of critical Exchange vulnerabilities disclosed in 2021, such as ProxyShell, ProxyLogon, ProxyOracle, and others.

Numbers crunched by security firm Rapid7 in October showed that out of 306,552 Exchange servers connected to the internet, 222,145 (72.4%) were vulnerable to at least one major vulnerability.

Germany is particularly impacted by Exchange vulnerabilities due to the large number of servers deployed inside government agencies and the private sector, second only to the US in terms of Exchange servers, per security firm ESET.

With ransomware gangs spotted using Exchange servers as entry points as recently as last week, the chances are that some groups will take advantage of the upcoming winter holidays to leave some unwanted gifts under the trees of German companies.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.