Microsoft has found that six different Iranian hacker groups are behind new waves of ransomware attacks that have been identified every six to eight weeks since the fall of 2020. The Iranian hackers are allegedly deploying ransomware to disrupt targets or to collect funds. Microsoft stated that the hacking groups are persistent and engaging, but will also use aggressive brute-force attacks to achieve their goals. Microsoft reported that the most consistent of the groups tracked by the cybersecurity firm is called Phosphorus or APT35. Microsoft has been tracking the group for the past two years. Phosphorus was initially known for cyber espionage, however, the group has shifted towards ransomware attacks using Microsoft’s Windows disk-encryption tool BitLocker to encrypt victim files.

Phosphorus was also seen targeting unpatched on-premise Exchange servers to deploy ransomware. Phosphorus started scanning four flaws in Exchange servers referred to as ProxyShell that were initially exploited as zero-days by other hackers. Microsoft released patches for the vulnerabilities in April.

Read More: Now Iran’s state-backed hackers are turning to ransomware