Malicious cyber actors are attacking unpatched Microsoft Exchange servers with the DearCry ransomware.
The malware takes over servers exposed by the ProxyLogon vulnerability, adding to the already high volume of attacks on this vector.
Ransomware attacks have increased lately, and Check Point detected a spike in attacks targeting unpatched Microsoft Exchange servers.
On March 14, Microsoft estimated that 82,000 Exchange servers were vulnerable. According to RiskIQ data, the number of exposed machines fell to around 30,000 a week later.
Still, Check Point observed over 50,000 attack attempts against various organizations. These included:
- banking, and
- manufacturing organizations.
In all, 49 percent of the attacks targeted U.S. organizations.
WannaCry Making a Comeback as DearCry?
The DearCry ransomware shows an unusual encryption behavior that resembles WannaCry's.
Mark Loman, director at Sophos, analyzed samples obtained from an attack that was blocked on one of Sophos's customers.
The analysis revealed that the ransomware was crude and did little to conceal its presence, suggesting it was created by someone with rudimentary skills.
Even so, Loman's analysis identified a hybrid encryption approach similar to WannaCry's.
"Both generate an encrypted copy of the attacked file, a technique we call 'copy' encryption. Then, they overwrite the original file to block recovery, a technique we call 'in-place' encryption," said Mark Loman, director at Sophos.
He added that victims of copy-encryption ransomware can recover some of their data with undelete tools, but in-place encryption makes such recovery impossible.
BitPaymer, Ryuk, REvil, and Maze are well-known human-operated ransomware families that use in-place encryption only.
Beyond these similarities, WannaCry and DearCry have similar names and add a similar header to encrypted files.
He also pointed out that these similarities don't mean the two share a creator; he found inherent differences between WannaCry and DearCry as well.
For instance, DearCry doesn't have a timer, use an embedded RSA encryption key, or rely on a command-and-control (C2) server.
Another critical point: the ransomware attacks one system at a time rather than every machine on the target's network.
Other DearCry features include:
- new binaries created for each new victim, and
- an unsophisticated anti-detection approach.
All these features suggest that DearCry was either rushed or a prototype.
What’s the Way Out?
DearCry places a "readme.txt" file in every system folder whose name contains the word "desktop," as well as in the root folder of the system disk. The note tells victims what happened and whom to contact.
This ransom note includes two email addresses as well as a hash. This hash acts as a unique identifier for the attacker, indicating which decryption key corresponds to which attack.
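As an added defender-side example (not code from the article or from Sophos), the scanner below walks a directory tree and flags readme.txt files at the root or in folders whose name contains "desktop" that carry at least two email addresses and a hash-like identifier, matching the note placement and contents described above. The note wording, the hash length and the sample tree are constructed assumptions, since the page does not reproduce the real note.

```python
import os
import re
import tempfile

NOTE_NAME = "readme.txt"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# The article says the note carries a hash used as a per-attack identifier but not its
# length; this assumes a hex token of at least 32 characters (an assumption).
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32,}\b")
# Constructed sample note text; the real DearCry note wording is not reproduced on the page.
SAMPLE_NOTE = ("Your files have been encrypted.\nContact: attacker1@example.invalid or "
               "attacker2@example.invalid\nYour ID: 0123456789abcdef0123456789abcdef\n")


def parse_note(text):
    """Extract contact addresses and hash-like identifiers from a note body."""
    return {"emails": sorted(set(EMAIL_RE.findall(text))), "ids": HASH_RE.findall(text)}


def scan_for_ransom_notes(root):
    """Report readme.txt files at the tree root or in folders whose name contains 'desktop'
    that carry at least two email addresses and one identifier, as the article describes."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if NOTE_NAME not in files:
            continue
        is_root = os.path.abspath(dirpath) == os.path.abspath(root)
        if not is_root and "desktop" not in os.path.basename(dirpath).lower():
            continue
        with open(os.path.join(dirpath, NOTE_NAME), encoding="utf-8", errors="replace") as fh:
            parsed = parse_note(fh.read())
        if len(parsed["emails"]) >= 2 and parsed["ids"]:
            findings.append({"path": dirpath, **parsed})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree():
    """Constructed tree: a note at the root, one under a Desktop folder, and a benign
    readme.txt in a build folder that must not be flagged."""
    root = tempfile.mkdtemp(prefix="dearcry_demo_")
    for sub, body in [("", SAMPLE_NOTE), ("Users/alice/Desktop", SAMPLE_NOTE),
                      ("Projects/build", "Build instructions: run make.\n")]:
        path = os.path.join(root, sub)
        os.makedirs(path, exist_ok=True)
        with open(os.path.join(path, NOTE_NAME), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    """Build the sample tree, scan it and return the findings (two expected)."""
    return scan_for_ransom_notes(build_sample_tree())
```

Running `demo()` returns the two flagged note locations with their extracted addresses and identifier; the benign readme.txt in the build folder is not reported.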
Since the ransomware attacks rely on a server vulnerability, installing the patches is the logical next step.
If patching is impossible, Loman explained, organizations should disconnect their servers from the internet, at least until a viable solution is available.
Microsoft Corporation is a global technology company based in Redmond, Washington, United States. It develops, manufactures, sells, and supports consumer electronics, computer software, and personal computers.
Its best-known software products are the Microsoft browsers, the Microsoft Office suite, and the Windows OS line. Microsoft also runs its own line of servers for enterprises.