
Ransomware groups exploiting Windows PrintNightmare to launch attacks

August 26, 2021 (updated June 9th, 2022)

The number of cybercriminals exploiting the PrintNightmare vulnerability is growing by the day, with groups such as Magniber and Vice Society becoming the latest ransomware gangs to join in on the attacks.

What is PrintNightMare?

Discovered almost two months ago by researchers at QiAnXin, PrintNightmare is a vulnerability in the Microsoft Windows Print Spooler service that allows attackers to gain complete control of affected systems. It lets cybercriminals load and execute DLLs on a remote Windows host with full administrator privileges.

After its discovery, cybersecurity experts were quick to sound the alarm about what future ransomware attacks would look like. Last month, Lucas Gates, Senior Vice President at Kroll, warned that PrintNightmare would become a hot new target for ransomware groups. He cautioned organizations running Microsoft operating systems to disable printing services on all their systems, noting that the patches released by Microsoft had failed to fully address the problem.

Cybercriminals' adoption of the PrintNightmare vulnerability

Cybercriminals are using two remote code execution vulnerabilities (CVE-2021-34527 and CVE-2021-1675) in the Windows Print Spooler to launch ransomware attacks.

The Print Spooler is a service that is enabled by default on all Windows clients and is used to manage print jobs on a network and the copying of data between devices. It achieves this by sending jobs to the printer, temporarily storing data in a buffer, and starting each print job based on its priority.

The PrintNightmare vulnerability in the Print Spooler allows cybercriminals to run arbitrary code that can install programs, modify data, and change or delete files. Attackers can also create new user accounts with full administrative privileges and move around the network without being detected.

Having realized the opportunities PrintNightmare presents, ransomware gangs are taking advantage of the Print Spooler vulnerability to launch ransomware attacks.

Vice Society ransomware gang

Vice Society is among the newest ransomware gangs now using the Microsoft PrintNightmare vulnerability to launch ransomware attacks. Known for its hands-on, human-operated campaigns against victims, the group has existed for only a few months and has already added PrintNightmare to its arsenal of attack tools.

Like other ransomware groups, the gang uses the vulnerability to launch double extortion attacks: it first steals the victim's data and then encrypts the computer systems. After a successful attack, the group uses the stolen data to pressure victims into paying, threatening to release the data publicly if they do not. The group also promises a decryption key to victims who pay the ransom.

Caution to veterinary practices

Vice Society exclusively targets small and midsize victims, which is how most veterinary practices operate. So far, the group has mostly focused on public school districts and educational institutions as targets.

However, the group has shown a willingness to attack firms and organizations that other ransomware groups ignore, and is also willing to accept small ransom payments. Veterinary practices, most of which are small and midsize businesses, may become the next target of the ransomware group, and the PrintNightmare vulnerability may be their undoing.

Magniber ransomware group

The Magniber ransomware group is also using the PrintNightmare vulnerabilities to infect its victims. CrowdStrike reported that the group, which mainly targets victims in South Korea, had carried out successful PrintNightmare attacks, further indicating how ransomware gangs are exploiting the Microsoft Print Spooler vulnerability to launch ransomware attacks.

The group's successful ransomware attacks are likely being copied by other ransomware groups around the world, according to Liviu Arsene, director of threat research. He added that to avoid attacks from these groups, organizations should apply the latest patches and security updates to their computer systems and adhere to security best practices to strengthen their defenses.

What next for veterinary practices?

The best protection currently available against PrintNightmare ransomware attacks is patching your Microsoft Windows software with the latest security updates.

So far, every successful attack has exploited unpatched systems. Microsoft was quick to release security patches for the Print Spooler vulnerabilities in June. However, cybercriminals know that many organizations do not take their cybersecurity seriously, and so many systems are still running an older, vulnerable Print Spooler.

Veterinary practices can also disable the Print Spooler service and inbound remote printing through Group Policy. This ensures that your Print Spooler is not reachable by cybercriminals over the network. This solution, however, limits your ability to use your printers efficiently, so it should be treated only as a temporary measure.
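The audit-and-mitigate steps above, as an added PowerShell example that is not part of the original article: it reports whether a host still exposes the Print Spooler and applies the same settings the Group Policy route would. The Point and Print check goes slightly beyond the article's text; function names are this example's own, and the registry path and value names follow Microsoft's published PrintNightmare guidance.

```powershell
# Added example (not from the original article): audit and optionally apply the
# PrintNightmare mitigations described above on a Windows host. Run as Administrator.
$PrintersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-PrintSpoolerExposure {
    # Collect what a defender needs: is the spooler running, how does it start,
    # does policy still allow inbound client connections, and is Point and Print
    # configured to skip the driver-install elevation prompt.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $rpc = (Get-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint `
             -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
    $pnp = (Get-ItemProperty -Path "$PrintersPolicy\PointAndPrint" -Name NoWarningNoElevationOnInstall `
             -ErrorAction SilentlyContinue).NoWarningNoElevationOnInstall
    # "Allow Print Spooler to accept client connections": 2 = Disabled.
    # Absent or 1 means remote printing is still permitted.
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SpoolerStatus     = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartType  = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
        RemotePrintingOff = ($rpc -eq 2)
        PointAndPrintUnsafe = ($pnp -eq 1)   # 1 suppresses the elevation warning
        Exposed           = [bool]($svc -and $svc.Status -eq 'Running' -and $rpc -ne 2)
    }
}

function Disable-PrintSpoolerExposure {
    param(
        # -DisableService stops the spooler entirely (no local printing either);
        # without it only inbound remote printing is blocked.
        [switch]$DisableService
    )
    if (-not (Test-Path $PrintersPolicy)) { New-Item -Path $PrintersPolicy -Force | Out-Null }
    # Same effect as setting the Group Policy "Allow Print Spooler to accept
    # client connections" to Disabled; the spooler must restart to pick it up.
    Set-ItemProperty -Path $PrintersPolicy -Name RegisterSpoolerRemoteRpcEndPoint -Value 2 -Type DWord
    if ($DisableService) {
        Stop-Service -Name Spooler -Force
        Set-Service -Name Spooler -StartupType Disabled
    } else {
        Restart-Service -Name Spooler -Force
    }
    Get-PrintSpoolerExposure
}

# Audit first; apply the mitigation only where the report shows Exposed = True.
Get-PrintSpoolerExposure | Format-List
```

Running `Disable-PrintSpoolerExposure -DisableService` matches the article's stronger option and removes local printing too, so keep it temporary and re-audit after patching.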