Cybercriminals are now using compromised Microsoft Exchange servers as a foothold to deploy a new ransomware family called DearCry, Microsoft has warned.
The ransomware is the latest threat to beleaguer vulnerable Exchange servers, emerging shortly after Microsoft issued emergency patches in early March for four Microsoft Exchange flaws. The flaws can be chained together to create a pre-authentication remote code execution (RCE) exploit – meaning that attackers can take over servers without knowing any valid account credentials.
The flaws give attackers the opportunity to install a webshell for further exploitation within the environment — and now, researchers say attackers are downloading the new ransomware strain (a.k.a. Ransom:Win32/DoejoCrypt.A) as part of their post-exploitation activity on unpatched servers.
“We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers,” Microsoft said on Twitter, Thursday.
DearCry Ransomware
DearCry first came onto the infosec space’s radar after ransomware expert Michael Gillespie on Thursday said he observed a “sudden swarm” of submissions to his ransomware identification website, ID-Ransomware.
The ransomware appends the extension “.CRYPT” to the files it encrypts and writes a file marker, the string “DEARCRY!”, into each encrypted file.
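A defender's triage scan for those two indicators, added here as an example (it is not code from the article, Microsoft or any vendor). The page does not say where in an encrypted file the marker sits, so the scan assumes a whole-file search, and the sample files it creates are constructed, not real ransomware output:

```python
import os
import tempfile
from pathlib import Path

# Indicators described in the article: the ".CRYPT" extension the ransomware
# appends and the "DEARCRY!" marker it writes into each encrypted file.
# The marker's offset is not documented on the page, so the whole file is
# searched (assumption) rather than a fixed header position.
CRYPT_EXT = ".CRYPT"
MARKER = b"DEARCRY!"
MAX_READ = 16 * 1024 * 1024  # bound per-file read so large trees scan quickly

def classify_file(path):
    """Return the set of indicator names matched by one file."""
    hits = set()
    if path.suffix.upper() == CRYPT_EXT:
        hits.add("crypt_extension")
    try:
        with open(path, "rb") as fh:
            if MARKER in fh.read(MAX_READ):
                hits.add("dearcry_marker")
    except OSError:
        pass  # unreadable files are skipped, not counted as hits
    return hits

def scan_tree(root):
    """Walk a directory tree; map each flagged file to the indicators it matched."""
    root = Path(root)
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            hits = classify_file(p)
            if hits:
                findings[str(p.relative_to(root))] = hits
    return findings

def build_sample_tree():
    """Constructed sample files for a dry run: one full hit, one clean, one marker-only."""
    root = Path(tempfile.mkdtemp(prefix="dearcry_scan_"))
    (root / "report.docx.CRYPT").write_bytes(b"DEARCRY!" + b"\x00" * 64)
    (root / "notes.txt").write_bytes(b"quarterly numbers look fine")
    (root / "odd.bin").write_bytes(b"\x90" * 32 + b"DEARCRY!" + b"\x90" * 8)
    return root

if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_sample_tree()).items()):
        print(rel, sorted(hits))
```

A file matching only one indicator (such as odd.bin above) is worth a look but is not proof of encryption, which is why the scan reports each indicator separately instead of a single verdict.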
Microsoft later confirmed that the ransomware was being launched by attackers using the four Microsoft Exchange vulnerabilities, known collectively as ProxyLogon, which are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
https://twitter.com/demonslay335/status/1370125343571509250
According to a report by BleepingComputer, the ransomware drops a ransom note (called ‘readme.txt’) after initially infecting the victim – which contains two email addresses for the threat actors and demands a ransom payment of $16,000.
Meanwhile, MalwareHunterTeam on Twitter said that victim companies of DearCry have been spotted in Australia, Austria, Canada, Denmark and the U.S. On Twitter, MalwareHunterTeam said the ransomware is “not that very widespread (yet?).” Thus far, three samples of the DearCry ransomware were uploaded to VirusTotal on March 9 (the hashes for which can be found here).
Microsoft Exchange Attacks Doubling Every Hour
Exploitation activity against the recently patched Exchange flaws continues to skyrocket, with researchers this week warning that the flaws are under fire from at least 10 different advanced persistent threat (APT) groups, all bent on compromising email servers around the world.
New research by Check Point Software said that in the past 24 hours alone, the number of exploitation attempts against organizations has doubled every two to three hours.
Researchers said they saw hundreds of exploit attempts against organizations worldwide – with the most-targeted industry sectors being government and military (making up 17 percent of all exploit attempts), manufacturing (14 percent) and banking (11 percent).
Researchers warned that exploitation activity will continue — and urged companies that have not already done so to patch.
“Since the recently disclosed vulnerabilities on Microsoft Exchange Servers, a full race has started amongst hackers and security professionals,” according to Check Point researchers. “Global experts are using massive preventative efforts to combat hackers who are working day-in and day-out to produce an exploit that can successfully leverage the remote code-execution vulnerabilities in Microsoft Exchange.”