DearCry Ransomware explained

Lots of information is currently being shared about the DearCry ransomware, and I thought it would be good to create an overview for you and myself. This overview contains links to public sources discussing the new DearCry ransomware that is currently hitting Microsoft Exchange servers.

The Microsoft security team shared on Twitter that they had found a new ransomware attack, which was dubbed ‘DearCry’.

DearCry Ransomware

Phillip Misner, a member of Microsoft’s security research team, tweeted about Ransom:Win32/DoejoCrypt.A, which is also known as DearCry. He stated that multiple extensions were increasingly being used. The extensions are:

  • .CRYPT
  • .DEARCRY!

DearCry ransom note, picture via BleepingComputer
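As an added triage example (not code from the post, Microsoft or BleepingComputer), the Python script below sweeps a directory tree for files carrying the two extensions named above and ranks affected folders, so a responder can see whether a file server shows the mass-encryption pattern rather than a stray match. The suffix list, the threshold of 5 and the sample directory layout are my own assumptions.

```python
import os
from collections import defaultdict

# Suffixes the post reports for DearCry-encrypted files (matched case-insensitively).
DEARCRY_SUFFIXES = (".crypt", ".dearcry!")


def has_dearcry_suffix(name, suffixes=DEARCRY_SUFFIXES):
    """True if the file name ends in one of the reported extensions."""
    lower = name.lower()
    return any(lower.endswith(s) for s in suffixes)


def sweep(root, suffixes=DEARCRY_SUFFIXES):
    """Walk `root` and return {directory: [matching file names]}.

    Unreadable directories are skipped (onerror swallows the exception) so one
    bad share does not abort a triage sweep of a whole file server.
    """
    hits = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda e: None):
        for name in filenames:
            if has_dearcry_suffix(name, suffixes):
                hits[dirpath].append(name)
    return dict(hits)


def summarize(hits, threshold=5):
    """Return [(directory, hit_count, flagged)] sorted by hit count, descending.

    A single match may be a false positive (a legitimate .crypt container, say);
    many matches in one directory look like mass encryption. `threshold` is an
    assumed tuning value, not a figure from the post.
    """
    rows = sorted(((len(names), d) for d, names in hits.items()), reverse=True)
    return [(d, n, n >= threshold) for n, d in rows]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for directory, count, flagged in summarize(sweep(target)):
        marker = "!!" if flagged else "  "
        print(f"{marker} {count:5d}  {directory}")
```

Run it against a mounted share root; directories marked `!!` are the ones to isolate and image first.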

On the BleepingComputer website you can find a more detailed blog post about the ransomware, explaining how it is installed and which paths it uses. The same article describes how cyber criminals are in an arms race to be the first to exploit vulnerable systems, and why the Exchange vulnerabilities are a gold mine for APT actors.

The ransomware is also detected under the following detection names:

  • Artemis!0E55EAD3B8FD
  • BehavesLike.Win32.Generic.th
  • Generic.Malware/Suspicious
  • HEUR:Trojan-Ransom.Win32.Encoder.gen
  • PossibleThreat.ARN.H
  • Ransom:Win32/DoejoCrypt.A
  • Ransom:Win32/generic.ali2000010
  • Ransom.DearCry!1.D3C7 (CLOUD)
  • Ransom.Win32.DEARCRY.THCABBA
  • Ransom.Win32.Gen.sa
  • Trj/GdSda.A
  • Trojan ( 005790de1 )
  • Trojan-Ransom.FileCrypter
  • Trojan.Encoder.33592
  • Trojan.Generic.D22C9B2C
  • Trojan.GenericKD.36477740
  • Trojan.GenericKD.36477740 (B)
  • Trojan.Ransom.Filecoder
  • Trojan.Win32.Encoder.j!c
  • W32.Ransomware.Dearcry
  • W32/Trojan.FOGJ-5046
  • Win/malicious_confidence_60% (W)
  • Win32:RansomX-gen [Ransom]
  • Win32.Troj.Undef.(kcloud)
  • Win32.Trojan-Ransom.DearCry.B
  • Win32/Ransom.Encoder.HgIASQcA

DearCry Ransomware on VirusTotal

On VirusTotal, you can download a sample of the ransomware. Beware: it is live malware and should only be run in an isolated environment. A blog post was also published explaining how attackers can abuse the ProxyLogon vulnerabilities. If you have not done so yet, go and patch your Exchange servers.

Attacks on Microsoft Exchange servers using the ProxyLogon bugs began at the start of the year, but for almost two months they remained under the radar and were exploited only by a Chinese state-sponsored hacking group named Hafnium, which installed web shells on Exchange email servers around the world to spy on targets. Mass exploitation began last week after Microsoft made the attacks public and released patches.
