Cyber criminals are exploiting the Windows PrintNightmare vulnerabilities to infect their victims with ransomware. The vulnerabilities (CVE-2021-34527 and CVE-2021-1675) affect the Windows Print Spooler, the service that manages print jobs and is enabled by default on Windows clients and servers, and they allow attackers to execute arbitrary code with SYSTEM privileges. With that level of access an attacker can install programs, view, change or delete data, create new accounts with full user rights and move laterally through the network.
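Because the vulnerable service is on by default, the first thing a defender wants to know is whether a given host still exposes it. Microsoft's guidance for CVE-2021-34527 was to install the July 2021 updates and, on hosts that do not need to print or share printers, to disable the Spooler service or block inbound remote printing, and to make sure the Point and Print policy values that let non-administrators install print drivers are not set. The PowerShell function below is an added example written for this page; it is not code from the article or from any of the researchers it cites. It reads the service state and the relevant policy registry values and, with the two switches, applies the mitigations. The function name and the finding strings are the author's own; the registry paths and value names are the ones Microsoft documented for these policies.

```powershell
# Added example, not from the original article: audit a Windows host's PrintNightmare
# exposure and optionally apply the Microsoft-documented mitigations.
# Run from an elevated PowerShell session (policy keys are under HKLM).
function Test-PrintNightmareExposure {
    [CmdletBinding()]
    param(
        # Stop and disable the Print Spooler. Only for hosts that never print or share
        # printers (domain controllers are the usual case); a print server needs it.
        [switch]$DisableSpooler,
        # Write the Point and Print hardening values from Microsoft's CVE-2021-34527 guidance.
        [switch]$HardenPointAndPrint
    )

    $findings = @()

    # 1. Is the service present and running at all?
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $spooler) {
        $findings += 'Spooler service is not installed'
    } else {
        if ($spooler.Status -eq 'Running') {
            $findings += "Spooler is running (startup type: $($spooler.StartType))"
        }
        if ($DisableSpooler -and $spooler.Status -ne 'Stopped') {
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
            $findings += 'Spooler stopped and startup type set to Disabled'
        }
    }

    # 2. Point and Print policy. NoWarningNoElevationOnInstall and UpdatePromptSettings
    #    must be absent or 0; RestrictDriverInstallationToAdministrators must not be
    #    explicitly 0 (the August 2021 update made 1 the default when it is absent).
    $pnpPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $pnp = Get-ItemProperty -Path $pnpPath -ErrorAction SilentlyContinue
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        if ($pnp -and $pnp.$name -eq 1) {
            $findings += "$name = 1 lets non-administrators install print drivers"
        }
    }
    if ($pnp -and $pnp.RestrictDriverInstallationToAdministrators -eq 0) {
        $findings += 'RestrictDriverInstallationToAdministrators = 0 re-enables non-admin driver installs'
    }
    if ($HardenPointAndPrint) {
        if (-not (Test-Path $pnpPath)) { New-Item -Path $pnpPath -Force | Out-Null }
        Set-ItemProperty -Path $pnpPath -Name NoWarningNoElevationOnInstall -Value 0 -Type DWord
        Set-ItemProperty -Path $pnpPath -Name UpdatePromptSettings -Value 0 -Type DWord
        Set-ItemProperty -Path $pnpPath -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
        $findings += 'Point and Print hardening values written'
    }

    # 3. Inbound remote printing. The policy "Allow Print Spooler to accept client
    #    connections" set to Disabled is stored as RegisterSpoolerRemoteRpcEndPoint = 2.
    $printersPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $printers = Get-ItemProperty -Path $printersPath -ErrorAction SilentlyContinue
    if ($printers -and $printers.RegisterSpoolerRemoteRpcEndPoint -eq 2) {
        $findings += 'Inbound remote printing is disabled by policy'
    } elseif ($spooler -and $spooler.Status -eq 'Running') {
        $findings += 'Spooler accepts remote client connections (RPC interface reachable from the network)'
    }

    return $findings
}

# Audit only:
Test-PrintNightmareExposure
# Remediate a host that never prints, e.g. a domain controller:
# Test-PrintNightmareExposure -DisableSpooler -HardenPointAndPrint
```

Run the audit form across a fleet first; a host that reports a running Spooler accepting remote connections with no patch installed is exactly the target these groups are scanning for. Disabling the service is the strongest mitigation but breaks local and shared printing, so reserve `-DisableSpooler` for servers that have no printing role, and rely on patching plus the Point and Print hardening for everything else.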
One of the groups doing so is Vice Society, a relatively new player in the ransomware space that only emerged in June 2021. Vice Society is known for being quick to adopt newly disclosed vulnerabilities, and according to researchers at Cisco Talos it has added PrintNightmare to its toolkit for compromising networks.
Like many ransomware groups, Vice Society relies on double extortion: it steals data from victims before encrypting it and threatens to publish the stolen data if the ransom is not paid. According to Cisco Talos, the group has primarily focused on small and medium-sized organizations, particularly schools and other educational institutions.
Another ransomware group actively exploiting the PrintNightmare vulnerabilities is Magniber. It has been active since 2017 and regularly adds new functionality and attack methods. Magniber initially spread through malvertising before moving on to exploit unpatched vulnerabilities in software such as Internet Explorer and Flash. Most Magniber campaigns target South Korea.