Microsoft Admits PaperCut Servers Used In LockBit and Cl0p Ransomware

By   Olivia William
Writer , Information Security Buzz | Apr 27, 2023 05:53 am PST

Businesses and organizations of all kinds are increasingly concerned about ransomware attacks, and recent information from Microsoft reveals that even well-liked software applications can be exposed to attack.  Microsoft recently acknowledged that the PaperCut servers were utilized to distribute the LockBit and Cl0p ransomware. 

The news is worrying because many firms rely on PaperCut, which is a commonly used print management program. Two new ransomware strains, LockBit and Cl0p, have recently become serious threats to cybersecurity.  These very sophisticated ransomware variations are behind an increasing number of threats to businesses and organizations worldwide. 

Both LockBit and Cl0p are examples of ransomware, which is computer software that encrypts files on a victim’s computer system and demands payment to decrypt them. When the victim requests the decryption key to recover access to their files, the attackers demand cash in exchange for it.

For enterprises and organizations, LockBit and Cl0p ransomware can have severe effects. In addition to the monetary expense of paying the ransom, victims can also experience harm to their reputations and a decline in customer confidence. Significant downtime caused by the assaults may also have a negative impact.

Microsoft Discovered PaperCut Servers Used In Ransomware Attacks

Security experts identified a serious PaperCut MF bug in late April 2023 that had been used by criminals to spread the Clop ransomware.  The vulnerability in PaperCut’s handling of printer driver files gave hackers access to the vulnerable system and let them run arbitrary code.

The Clop ransomware assault, which affected hundreds of firms globally and cost millions of dollars in damages, was particularly catastrophic. For the decryption key that would open the encrypted files, the attackers wanted a ransom.

Let’s get a bit more technical. 

According to Microsoft, the recent attacks that leveraged CVE-2023-27350 and CVE-2023-27351 vulnerabilities in PaperCut print management software to distribute Clop ransomware have been attributed to Lace Tempest (also known as DEV-0950), a threat actor that overlaps with FIN11 and TA505.

Lace Tempest has a history of using GoAnywhere exploits and Raspberry Robin infection hand-offs in previous ransomware campaigns. They incorporated the PaperCut exploits into their attacks as early as April 13.

Since PaperCut’s acknowledgment of in-the-wild attacks, cybersecurity firm Huntress claimed to have seen hackers take advantage of the flaws to backdoor vulnerable systems with the legitimate remote management programs Atera and Syncro. 

According to Huntress, there are 1,800 PaperCut servers that are accessible via the Internet. Microsoft reported via a series of tweets that in the attacks that they observed, Lace Tempest utilized several PowerShell commands to distribute a TrueBot DLL. 

The DLL connected to a C2 server and attempted to steal LSASS credentials, ultimately injecting the TrueBot payload into the conhost.exe service. This is one of the ways Microsoft confirmed that they have been attacked by ransomware.

PaperCut: A Print Management Software

PaperCut is a printing utilization software that allows organizations to manage and control their printing activities. It offers capabilities like print tracking, cost accounting, and print policy enforcement that assists enterprises in making the most use of their printing assets and minimizing expenses. 

The software can be installed on Windows, Mac, Linux, and Novell servers and is compatible with many kinds of printers, copiers, and scanners. PaperCut is a widely known print management program because it offers a full range of functions for controlling printing operations. 

It is simple to deploy and operate, and it can be tailored to a particular organization’s requirements. It is a flexible solution for managing printing resources.

How Microsoft is Mitigating the Cyber Attack

Microsoft closely collaborated with PaperCut to resolve the flaws and then issued a security update to fix the vulnerable programs. 

Microsoft also encouraged businesses to update their PaperCut software to the most recent version, make sure their systems are patched with the most recent security updates, and adhere to cybersecurity best practices.

The ransomware attack on the PaperCut servers serves as a reminder of the significance of routine software updates and the demand for effective cybersecurity measures. 

Additionally, it emphasizes how crucial it is for software makers and security researchers to work together to quickly find and fix vulnerabilities in order to stop customer threats.

To lessen the harm caused by the attacks on the PaperCut servers and stop similar attacks from happening in the future, Microsoft implemented a number of actions. They published several tweets describing how they would respond to the attack. 

Microsoft has adopted a more comprehensive strategy to deal with the problem, working with its partners to fortify defenses throughout the ecosystem and exchanging knowledge to assist clients in fortifying their networks against this danger. 

To stop future attacks, they underlined the value of routine software upgrades, appropriate security configurations, and personnel training.

Microsoft’s reaction to the incident illustrates both their dedication to safeguarding their clients from cyber threats and their readiness to collaborate with other companies in the sector to enhance cybersecurity generally.


Microsoft has confirmed that a recent ransomware assault that distributed the LockBit and Cl0p variants exploited PaperCut servers. Popular print management software PaperCut was the target of the attack, which serves as a reminder that even widely known software programs can be exploited. The attackers were successful in taking advantage of weaknesses in the PaperCut servers that Microsoft found during its study.  Although the effect of the attack on Microsoft’s customers is presently unknown, many were probably impacted.

Microsoft has responded to the attack by taking action to lessen the harm and stop similar attacks from happening in the future. In addition, PaperCut has acknowledged the weakness and responded to the assault. The attack’s broader effects on the cybersecurity sector are quite important. Attacks by ransomware are growing more regular and sophisticated, harming businesses and organizations’ finances and reputations severely. theIt is vital that all parties concerned take proactive steps to defend themselves against such assaults, such as putting in place strong security standards, updating their software solutions frequently, and funding employee cybersecurity training.

Notify of
0 Expert Comments
Inline Feedbacks
View all comments

Recent Posts

Would love your thoughts, please comment.x