A criminal stands behind a computer screen that is locked with ransomware.

Cl0p & LockBit  Ransomware Exploit Papercut Vulnerabilities – Microsoft 

Cl0p and LockBit ransomware activities have been linked by Microsoft to the recent attacks on PaperCut servers. The vulnerabilities were exploited to steal corporate data. 

The current increase in ransomware attacks poses a threat since PaperCut, a popular print management program, is a critical tool for many businesses. LockBit and Cl0p, two new types of ransomware, are growing as major threats to cybersecurity.

LockBit and Cl0p are computer programs that encrypt data on a victim’s system and demand a ransom payment to recover them. Victims must pay the attackers for the decryption key to gain access to their files.

These attackers demand money in exchange for restoring access to the encrypted data, making it an attractive option for cybercriminals. 

These complex types of ransomware are to blame for an increasing number of security breaches against businesses and organisations all over the world. As a result, organisations must take precautions to protect themselves against such risks.

The threat intelligence team of the IT company has linked part of the breaches to an individual who operates with a financial advantage. The hacker goes under the stage name Lace Tempest (formerly DEV-0950) and has linked to the organisations FIN11, TA505, and Evil Corp. The similarities between these organisations refer to significant and well-organised use of cyberattacks to execute their goals.

In a series of tweets, Microsoft said

In observed attacks, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service.

After the initial attack, the attackers moved on to the next phase, which involved acquiring the Cobalt Strike Beacon. The device was used to execute reconnaissance, move laterally across the network using WMI, and exfiltrate specific data via the file-sharing service MegaSync.

Microsoft claims that the threat actor started using the PaperCut vulnerabilities (2023-27350 and CVE-2023-27351) in their attack arsenal on April 13. This result confirms the earlier conclusion reached by the Melbourne-based developer of print management software.

The Cl0p ransomware group claimed to oversee the attacks on PaperCut systems, which they then started taking advantage of. However, they claimed that rather than stealing data directly from the server, they used the vulnerabilities to get access to networks. 

An Attractive Target for Cl0p Ransomware 

The Cl0p ransomware group has used the same strategy to attack PaperCut servers for the past three years. The Cl0p ransomware still encrypts files during attacks but prefers to blackmail them into paying a ransom by stealing data.

The well-known print management programme PaperCut is compatible with the most well-known printer brands and operating systems, and it can snoop on print tasks in a print queue. The government, big businesses, and educational institutions all use it often. 

Therefore, a PaperCut vulnerability that is not patched, especially if it’s a simple one to exploit, could present an opportunity for ransomware attackers, making anyone who has an unpatched server a prime target. . 

Currently, 1,800 PaperCut servers are reachable via the Internet. According to Microsoft, Lace Tempest distributed a TrueBot DLL using many PowerShell commands in the attacks they have seen.

As it attempted to obtain LSASS credentials, the TrueBot DLL created a connection with a C2 server. The conhost.exe service was successfully compromised by injecting the TrueBot payload. One method Microsoft confirmed a ransomware attack against them was by doing this. 


Microsoft advises businesses to use cybersecurity best practises, make sure their systems are patched with the most recent security patches, and upgrade their PaperCut software to the most recent version.

Microsoft has taken several steps to reduce the attack on the PaperCut servers and stop such attacks in the future. They detailed their response to the attack in several tweets.

Microsoft has created a more comprehensive strategy to tackle the issue, working with partners to enhance defences across the ecosystem and sharing knowledge to help clients in hardening their networks against this threat. 

The ransomware attack on the PaperCut servers serves as a reminder of the value of consistent software upgrades and the requirement for strong security measures. 

Phishing Tackle offers a free 14-day trial to help train your users to avoid these types of attacks and test their knowledge with simulated attacks using various attack vectors. By focusing on training your users to spot these types of attacks, rather than relying solely on technology (none of which can spot 100% of phishing emails), you can ensure that your organisation is better prepared to defend against cyber threats and minimise the impact of any successful attacks. 

Recent posts