The Microsoft Exchange attacks that exploit the ProxyLogon vulnerability, previously associated with the dropping of malicious web shells, are taking on a ransomware twist. Until now, the name of the game has been compromise and data exfiltration, with a bit of cryptomining on the side.
To summarise: in ten days we’ve gone from “limited and targeted attacks” by a nation-state actor to countless attacks by a number of groups against anyone with a vulnerable server. And in the space of a week the severity has escalated from unused web shells to ransomware. Depending on how the uptake of patching goes, this could well evolve again.