WServerNews: When Exchange gets hit by ransomware

In this issue

True Crime: Exchange ransomware attack! Cybersecurity for boardroom dummies. IaaS on the cheap. Office comes down from the cloud. When you *really* don’t want to attend that meeting. Yes I *know* that legacy Edge is no longer supported! Factoid: Keep your desk(top) clean! Plus lots more — read it all, read it here on WServerNews!

Pay up, your business has been p0w3ned. Photo by Michael Geiger on Unsplash


Got questions? Ask our readers!

WServerNews goes out bimonthly to almost 200,000 IT pro subscribers worldwide! That’s a lot of expertise to tap into. Do you need help with some technical problem, or are you looking for expert advice on something IT-related? Ask Our Readers by emailing your problems and/or questions to us at [email protected]


Editor’s Corner

In our previous issue of WServerNews we talked about the attack underway against thousands (now probably hundreds of thousands) of Microsoft Exchange servers around the world. Since then one of our newsletter readers, Jerry, a network engineer working in the south-central USA, succumbed to an attack against a fully patched Exchange server he managed at the company he works for. The attacker then tried to extort money from him for unlocking the encrypted server. Jerry and I exchanged several emails about the situation, and we decided other WServerNews readers might benefit from hearing his story in full. So here goes, with some editor’s notes added in a couple of places:

True Crime: Exchange ransomware attack!

Mitch, I believe the second wave of exchange extortion is now coming.  I came in today and found that one of my exchange servers (with all of the Microsoft patches mind you) had been encrypted.  Here is what was at the root of the C drive. I think I’m going to go into the lawn mowing business.

[EDITOR: Below is a screenshot of the relevant portion of the hacker’s email that Jerry forwarded to me.]

[EDITOR: There are other recent reports out there of Black Kingdom ransomware infecting Exchange servers, see for example.]

[EDITOR: By the next day Jerry had investigated the problem further and sent me the following email.]

So here is what I have discovered thus far-

They encrypted all the login profiles to include the default profile- so no new accounts can login- the wankers!

-my solution was to copy a default profile from another server and overwrite the existing one- BINGO! I was able to login with admin privileges.  Just a start though so don’t get excited…

Discovered that I was able to send and receive mail from existing email accounts so I exported all of the email to PST- saved the mail- and the day! Yay

[EDITOR: Yay!]

Discovered that I was able to launch the ecp BUT could not access any functions- they errored out- IIS files were encrypted- not a big deal though I still got my mail out

[EDITOR: ecp = Exchange Control Panel for those wondering]

So at this point I, as an IT person, have a choice to make for the environments I manage…

1) Stand up another exchange server, do all of the configuration it will take, and import all of the saved mail- oh and don’t forget the HOURS of update downloads to go with just the server install let alone the exchange updates…


2) Go to Office 365 Exchange Online. Create the accounts, import the mail and be done…

Needless to say I chose option #2.

Reason-  Microsoft has announced that they plan on charging on premise exchange servers a fee (EaaS) with their next releases.  It is in line with what I have been hearing about Windows as a Service (WaaS).  So it just made sense to me to go the Office 365 route.

[EDITOR: Wow, I hadn’t heard about this! Does anyone have a link from Microsoft with details of their announcement? Email me at [email protected]]

Now for all of my fellow brethren out there-  I absolutely HATE Microsoft for what they have done and are doing to our industry.  I am an old school IT guy that likes to have control over the network environment.  I have tried for as long as I can to maintain that model- I have little issues with the customers and my networks “just run” as they should.  People want to come in on Monday morning, get their day going and start knocking out the To Do list items their boss gave them.  Very hard to do when your computer has decided to do a feature update automatically (even though you turned it off)  and now you are in an update boot loop with no option but to reimage the machine- GRRrrrr!

Side note- if you haven’t heard of Microsoft Windows 10 Enterprise LTSC- take a look at deploying that in your environment.  That’s what I have finally settled on and have much success with it.

[EDITOR: I ended by asking Jerry whether he didn’t have a clean backup he could restore Exchange from. He then replied:]

I forgot to mention that I didn’t use the restore from backups method because it seems that they don’t know EXACTLY when the exploit was discovered by the hackers so I didn’t want to restore an already compromised server.  As always, thanks, Mitch, for what you do.  There’s always lots of good info in your emails. –Jerry


Have any other readers experienced successful attacks against their Exchange servers? How are mitigation efforts going with applying the patches Microsoft has released? What have you heard about what’s happening with this whole story? Send your comments, thoughts or recommendations to us at [email protected]

Cybersecurity for boardroom dummies

While we’re on the subject of cybersecurity we wanted to tell our readers about a book by VigiTrust Founder & CEO Mathieu Gorge that can help corporate board members and C-suite types assess their company’s cybersecurity risks, plan an approach, and demonstrate compliance with regulation. The book has the catchy title “The Cyber Elephant in the Boardroom” and is available for Amazon Kindle:

IaaS on the cheap

Tired of paying for hosting virtual machines on Microsoft Azure? Microsoft MVP Thomas Maurer has some good suggestions that can save you money:

How to Reduce the Costs of your Azure IaaS VMs (Thomas Maurer)

For more spending control over cloud computing, check out ParkMyCloud:

Office comes down from the cloud

Yes Virginia, some businesses actually don’t want to pay subscription fees to use Microsoft Office in the cloud. Not everyone is enamored of Office 365 or Microsoft 365 or whatever they’re going to call it tomorrow. If this is you then the following news from CNET may be welcome to you:

New version of Microsoft Office won’t require you to pay for a subscription (CNET)


When you *really* don’t want to attend that meeting

And finally comes news about Microsoft’s latest app from their Garage. (Trying to emulate Bill and Dave is lame, guys, c’mon.) The app is called Group Transcribe and it’s designed to allow groups of people to capture collective meeting transcripts in real-time using their phones:

Microsoft’s latest Garage app is for recording group transcriptions (The Verge)

I can just see a tiny few privacy issues here when businesses are conducting meetings lol. But I’ll bet it gets used a lot (and misused).

Got comments about anything in this issue?

Email us at [email protected]!

Please tell others about WServerNews!

Enjoy this issue of WServerNews and feel free to send us feedback on any of the topics we’ve covered — we love hearing from our readers! And please tell others about WServerNews! It’s free and always will be free — and they can subscribe to it here. Thanks!!!


Tip of the Week

>> Got any IT pro tips you’d like to share with other readers of our newsletter? Email us at [email protected]

Yes I *know* that legacy Edge is no longer supported!

Are your users tired of the notification appearing saying that the legacy version of Microsoft Edge is no longer supported on their computers? This KB article has a fix:

KB5000788: Suppress the notification that Microsoft Edge Legacy support ended (Microsoft Support)


Admin Toolbox

>> Got any admin tools or software you’d like to recommend to our readers? Email us at [email protected]

Easy Window Switcher lets you switch between application instances, fast:

PeaZip is an archiver and file compressor that lets you extract 7Z CAB ISO RAR TAR ZIP archive files:

QTTabBar extends Explorer by tabs and extra folder views:


Factoid: Keep your desk(top) clean!

Our previous factoid and question didn’t generate much response so let’s move on to our next one:

Fact: Victoria University of Wellington accidentally deletes all files stored on desktop computers (NewsHub)


Question: Do you save actual files or folders (and not just shortcuts) on the Windows desktop on your PC or laptop? Why? Think it’s a good idea? Why or why not?

Email your answers to [email protected]


Subscribe to WServerNews!

Subscribe today to our WServerNews newsletter and join 200,000 other IT professionals around the world who receive our newsletter! Just go to this page and select WServerNews to receive our monthly newsletter in your inbox!


Conference Calendar 2021

>> Got an IT conference or event happening that you’d like to promote in our newsletter? Email us at [email protected]

NOTE: Conference dates and locations (real/virtual) are subject to change

Red Hat Summit — April 27-28 (virtual)

Black Hat Asia — May 4-7 (virtual)

RSA Conference — May 17-20 (virtual)

European SharePoint, Office 365 & Azure Conference — June 1-2 (virtual)

European Collaboration Summit — June 14-16 in Wiesbaden, Germany

Microsoft Inspire — July 14-15 (virtual)

Black Hat USA — Jul. 31-Aug. 3 in Las Vegas

Open Source Summit — Aug. 4-6 in Vancouver, Canada

DEF CON 29 — Aug. 5-8 (location TBA)

European Cloud Summit — Sept. 27-29 in Frankfurt, Germany

Open Source Summit — Sept. 29-Oct. 1 in Dublin, Ireland

VMworld — Oct 5-7 (virtual)

Black Hat Europe – Nov 8-11 (virtual)


Podcast Corner

Migrating to Azure SQL with Anna Hoffman (RunAsRadio)

Effective Technical Communication (Heavy Networking)

VMware vSAN 7 Update 2 (Virtually Speaking)

MS security licensing faces congressional scrutiny (Risky Business)

Happy Birthday Cloud Show (Microsoft Cloud Show)


New on

One-click mitigation tool for Exchange Server hack released by Microsoft

Despite the seriousness of the Exchange servers hack, there’s been a lack of patching. In response, Microsoft has released a one-click mitigation tool.

Importing PST files into an Exchange mailbox using PowerShell or Outlook

With many companies moving mail from on-premises servers to the cloud, let’s take a look at two methods of importing PST files.

Microsoft 365 or Office 2019: Make the right choice for you

Microsoft 365 or Office 2019 — which is better for you and which should you choose? Join us as we explore the answers in this article.

New way to enable multifactor authentication for Microsoft 365

The process of enabling multifactor authentication in Microsoft 365 has changed. Here’s what you need to do — and what you need to think about.

Multifactor authentication: Tips to tighten your security

Most know the importance of multifactor authentication, especially in these days of a remote workforce, yet many fail to enable it across platforms.


Fun videos from Flixxy

Speedriding Through an Alpine Resort

Combining skiing with paragliding, pro speedrider Valentin Delluc takes us on a wild flight over and through Avoriaz – a ski resort in the French Alps.

People Are Awesome – Winter Edition

Awesome people snowboarding, skiing, ice skating, snow kayaking, wingsuit flying, snow kiting and pulling off other amazing tricks.

Swiss Magician Lionel Fools Penn & Teller

Swiss magician Lionel fools Penn & Teller producing a variety of drinks with only a simple milk carton.

British Humour – ‘Carry On Cleo’

A funny clip from the British comedy film ‘Carry On Cleo’ starring Amanda Barrie as Cleopatra and Sid James as Mark Antony.


More articles of interest

ITSM and DevOps don’t have to be at odds

Is it possible for ITSM and DevOps to coexist within the same organization? It is, but it raises plenty of questions about how and whether they are a good fit.

How to configure Remote Desktop in Windows Server 2008 R2 step by step

Learn how to install and configure Remote Desktop Services on Windows Server 2008 R2 to use Terminal Services and Remote Desktop Gateway Manager.

Level up with these advanced PowerShell commands to copy files

Take a closer look at Copy-Item cmdlet coding examples to build advanced PowerShell scripts that copy files with safety measures to ensure the duplicates reach their destinations.

Optimize a BCDR strategy for 2021 and beyond

COVID-19 has changed the way many organizations view BCDR. Along with an increased interest in resilience, a pandemic-proof BCDR plan is likely top of mind for 2021.


Send us your feedback!

Got feedback about anything in this issue of WServerNews? Email us at [email protected]
