https://www.group-ib.com/blog/estate-ransomware
A new ransomware gang, EstateRansomware, is exploiting a critical vulnerability (CVE-2023-27532) in Veeam backup software to deploy ransomware and extort victims. This vulnerability was patched over a year ago, in March 2023, but many users have failed to install the update.
The flaw allows attackers to gain access to a Veeam system and potentially the entire backup infrastructure. EstateRansomware typically gains initial access through brute-force attacks against a vulnerable Fortinet firewall and then uses stolen credentials to move laterally within the network.
Security researchers believe the attackers then exploit the unpatched Veeam system to deploy a backdoor and gain further access to the victim’s environment. Once they have a foothold, they can steal additional credentials and disable antivirus software before deploying LockBit ransomware to encrypt critical data.
This incident highlights the importance of timely patching. Organizations should prioritize applying security updates as soon as they become available to avoid falling victim to known vulnerabilities.