The cybersecurity landscape took another worrying turn on April 27, 2023, as Microsoft officially confirmed that threat actors are actively exploiting vulnerabilities in PaperCut print management servers to deploy both LockBit and Cl0p ransomware payloads. The revelation underscores a persistent and growing trend: ransomware operators continue to weaponize unpatched enterprise software at an alarming pace, and organizations in the cryptocurrency space are far from immune.
The Exploit Mechanics
The PaperCut vulnerability, tracked as CVE-2023-27350, carries a critical severity rating and enables remote code execution on affected servers without requiring authentication. Security researchers first disclosed the flaw in late March 2023, but exploitation activity surged dramatically throughout April. Microsoft's threat intelligence team confirmed that multiple ransomware affiliates began chaining this vulnerability with post-exploitation tools to move laterally within compromised networks, ultimately encrypting files and demanding ransom payments in Bitcoin and other cryptocurrencies.
The attack chain typically begins with the threat actor scanning the internet for exposed PaperCut servers running vulnerable versions. Once access is obtained through the unauthenticated RCE flaw, attackers deploy web shells and other persistence mechanisms. From there, they conduct network reconnaissance, harvest credentials, and identify high-value targets before deploying the ransomware encryptor. The entire process can unfold within hours, leaving defenders with little time to respond.
Affected Systems
PaperCut MF and PaperCut NG servers running versions prior to 20.1.7 are confirmed as vulnerable. Organizations across education, healthcare, government, and finance sectors have been identified as primary targets. In the cryptocurrency ecosystem, exchanges and blockchain companies that rely on enterprise print management for compliance documentation and internal operations could similarly be exposed if running vulnerable instances.
Microsoft's analysis indicates that at least two distinct ransomware operations have adopted this exploit vector. LockBit, one of the most prolific ransomware-as-a-service operations, and Cl0p, the group behind several high-profile data theft campaigns in 2023, are both leveraging PaperCut flaws. Both groups are known to demand cryptocurrency payments, typically in Bitcoin or Monero, making this particularly relevant for the digital asset community.
The Mitigation Strategy
PaperCut has released patches addressing CVE-2023-27350, and organizations are strongly urged to update to version 20.1.7 or later immediately. For environments where immediate patching is not feasible, PaperCut has published workaround guidance that includes disabling the “print and script” functionality that is reachable without authentication. Network segmentation should be applied to isolate print management servers from critical infrastructure.
For cryptocurrency businesses specifically, the incident reinforces the need for comprehensive vulnerability management programs that extend beyond core trading and wallet infrastructure. Any internet-facing service, regardless of its perceived importance, can become an initial access vector for sophisticated threat actors.
Lessons Learned
This PaperCut exploitation campaign offers several critical takeaways for the cryptocurrency and broader technology community. First, ransomware groups continue to demonstrate remarkable agility in adopting newly disclosed vulnerabilities. The window between public disclosure and mass exploitation has compressed to days rather than weeks. Second, peripheral infrastructure components like print management, VPN appliances, and remote desktop gateways remain popular targets precisely because they often receive less security attention than core systems.
Third, the involvement of both LockBit and Cl0p illustrates the affiliate-driven nature of modern ransomware operations. Initial access brokers specialize in finding and exploiting vulnerabilities, then sell that access to multiple ransomware operators simultaneously, amplifying the damage potential from a single unpatched system.
User Action Required
If your organization runs PaperCut MF or PaperCut NG, check your version immediately and apply the available security patches. Review network logs for any unusual administrative activity on print servers dating back to mid-March 2023. Ensure that multi-factor authentication is enabled on all administrative accounts and that network segmentation limits lateral movement from compromised edge services. For cryptocurrency platforms, extend your vulnerability scanning to cover all third-party enterprise software, not just blockchain-specific components.
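The two checks above (confirm the installed version against the 20.1.7 threshold the article names, and review print-server logs for unexpected administrative activity) can be scripted. The following is an added example, not PaperCut's or Microsoft's code: it assumes version strings of the form "major.minor.patch[.build]", assumes process-creation audit exports as pipe-separated key=value lines, and assumes the PaperCut application server runs as pc-app.exe (the parent process name is a parameter so it can be changed); the log lines and file paths are constructed for the example.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Fixed version named in the article. Other release branches have their own
# fixed builds in the vendor advisory; pass them in via fixed_versions.
FIXED_VERSION = "20.1.7"

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '20.1.6.63500' into (20, 1, 6, 63500) for numeric comparison."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_vulnerable(installed: str, fixed_versions=(FIXED_VERSION,)) -> Optional[bool]:
    """True if installed sorts before the fixed build of its own release branch.
    Returns None when no threshold for that branch was supplied, so the caller
    consults the advisory instead of treating the server as patched."""
    inst = parse_version(installed)
    for fixed in fixed_versions:
        fx = parse_version(fixed)
        if inst[:2] == fx[:2]:          # same major.minor branch
            return inst[:3] < fx[:3]
    return None

# Shells and script hosts a print-management service has no reason to launch;
# a child like this is the post-exploitation behaviour worth alerting on.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

def suspicious_spawns(log_lines: Iterable[str], parent_name: str = "pc-app.exe") -> List[str]:
    """Return audit lines where the print-server process spawned a shell/script host."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split("|") if "=" in kv)
        parent = fields.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        child = fields.get("Image", "").rsplit("\\", 1)[-1].lower()
        if parent == parent_name.lower() and child in SUSPICIOUS_CHILDREN:
            hits.append(line)
    return hits

# Constructed sample export (paths are placeholders, not a real install layout).
SAMPLE_LOG = [
    r"Image=C:\Windows\System32\spoolsv.exe|ParentImage=C:\Windows\System32\services.exe|User=SYSTEM",
    r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\PaperCut\pc-app.exe|User=SYSTEM",
    r"Image=C:\PaperCut\pc-app.exe|ParentImage=C:\Windows\System32\services.exe|User=SYSTEM",
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\explorer.exe|User=admin",
]

if __name__ == "__main__":
    for v in ("20.1.6.63500", "20.1.7", "22.0.3"):
        print(v, "vulnerable:", is_vulnerable(v))
    for hit in suspicious_spawns(SAMPLE_LOG):
        print("ALERT:", hit)
```

Only the second sample line is flagged: the print-server process itself being started by services.exe is normal, and a shell launched from Explorer by an interactive user is not the pattern in question.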
Disclaimer: This article is for informational purposes only and does not constitute professional cybersecurity advice. Always consult with qualified security professionals for your specific situation.
CVE-2023-27350 on PaperCut was CVSS 9.8 and people still hadn't patched weeks after disclosure. Inexcusable for any org holding crypto
LockBit and Cl0p both pivoting to crypto-org targets through enterprise software vulns is a trend that will only accelerate. Print servers are just the start.
we found PaperCut exposed on 3 of our client servers last month. unauthenticated RCE on a print management tool is wild
the lateral movement after initial access is the real problem. print server gets owned, then domain admin within hours. crypto wallets on same network are gone
print server to domain admin in under 4 hours is a common pentest finding. orgs running crypto nodes on corporate networks are basically asking for it
print server to domain admin in 4 hours is generous. some pentest reports show under 90 minutes with lockbit tooling
the lateral move is where detection should catch it. if your print server starts spawning powershell you have bigger problems than PaperCut
3 servers is nothing. Shodan showed over 100k exposed PaperCut instances when CVE-2023-27350 dropped. the attack surface is way bigger than most people realize