Multiple ransomware gangs pounce on ‘PrintNightmare’ vulnerability

For the second time in a week, security researchers have warned that extortionists exploited the critical flaw.
(Photo by John Smith/VIEWpress/Getty Images)

The so-called PrintNightmare vulnerability in Microsoft software is turning into a dream for ransomware gangs.

For the second time this week, security researchers have warned that extortionists exploited the critical flaw in an attempt to lock files and shake down victims. It shows how, more than a month after Microsoft disclosed the bug and urged users to update their software, a new round of exploitation is under way against vulnerable organizations.

A ransomware group dubbed Vice Society recently seized on the PrintNightmare bug to move through an unnamed victim’s network and attempt to steal sensitive data, Talos, Cisco’s threat intelligence unit, said Thursday. A day earlier, cybersecurity firm CrowdStrike said that hackers using another type of ransomware had tried to use PrintNightmare to infect victims in South Korea. Neither Talos nor CrowdStrike named the targeted organizations.

The PrintNightmare vulnerability affects how Windows’ Print Spooler manages interactions between computers and printers. The severity of the vulnerability forced Microsoft to change the default settings on the software to make them more secure. Given how ubiquitous the software is in corporate environments, the remote code execution flaw is a boon for ransomware gangs.


“PrintNightmare has been useful to ransomware groups because, despite Microsoft advising against it, many organizations use their Active Directory controller as a print server and AD access is critical to most modern ransomware attacks,” said Allan Liska, an intelligence analyst at the threat intelligence company Recorded Future.

Vice Society, which emerged earlier this year, has previously claimed responsibility for ransomware attacks on school districts and health care systems, including an incident in May that hindered non-urgent care at multiple hospitals in New Zealand. The Magniber ransomware used in the incident flagged by CrowdStrike has been around since 2017 and has typically featured in intrusions in the Asia Pacific.

The PrintNightmare situation mirrors that of another set of critical bugs in Microsoft Exchange Server software revealed in March.

In both cases, a dire vulnerability was revealed, some organizations were slow to patch their software despite exploit code being publicly available and eventually ransomware gangs pounced on the bugs. And in both cases, the U.S. Cybersecurity and Infrastructure Security Agency issued emergency directives requiring civilian agencies to update their software because of the “unacceptable risk” the vulnerabilities posed to federal networks.

“Multiple, distinct threat actors view this vulnerability as attractive to use during their attacks,” Talos researchers said, meaning that the vulnerability could “continue to see more widespread adoption and incorporation by various adversaries moving forward.”

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts