A new ransomware is targeting serious security flaws in Microsoft Exchange Server as administrators work to roll out patches.
Nicknamed ‘DearCry’, the ransomware leverages the ProxyLogon vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065), which attackers can chain to bypass authentication, gain administrator privileges on an Exchange server, and write arbitrary files to directories on it.
Cyber security researcher Michael Gillespie spotted the new ransomware last Friday, noticing attempts to load it onto servers in Canada, the US, and Australia.
Shortly after, Microsoft confirmed it had spotted DearCry and was updating Windows Defender to automatically block the ransomware.
Mark Loman, a ransomware expert with cyber firm Sophos, compared DearCry with the devastating WannaCry ransomware, which spread in 2017 by exploiting the EternalBlue SMBv1 vulnerability in Windows.
“Both first create an encrypted copy of the attacked file, an approach we call ‘copy’ encryption, and then overwrite the original file to prevent recovery, what we call ‘in-place’ encryption,” Loman said.
“There are a number of other similarities between DearCry and WannaCry, including the names and the header added to encrypted files.
“These do not automatically link DearCry to WannaCry’s creator.”
We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry.
— Microsoft Security Intelligence (@MsftSecIntel) March 12, 2021
Loman said DearCry also lacked the detection-evasion features usually built into ransomware to slip past anti-virus software, and that the attackers appeared to be still updating the malware as they went after particular victims.
“These and other signs suggest that DearCry may be a prototype, possibly rushed into use to seize the opportunity presented by the Microsoft Exchange Server vulnerabilities, or created by less experienced developers,” he said.
“Defenders should take urgent steps to install Microsoft’s patches to prevent exploitation of their Exchange Server.”
Further analysis of DearCry samples suggests it merely combines off-the-shelf cryptographic routines from the OpenSSL library with the publicly known Exchange Server exploits in order to prey on organisations that were slow to apply the patches.
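As an added illustration, not code from the article, from Sophos or from Microsoft, the scanner below turns the ‘copy’ encryption behaviour Loman describes into a triage check a responder can run over a file share: it flags files by the marker prepended to encrypted copies and by the appended extension, and records whether the original still sits beside its encrypted copy, which is the state in which the copy-then-overwrite approach has not yet destroyed anything. The marker and extension values used here (“DEARCRY!” and “.CRYPT”) come from published analyses of the samples rather than from this article, and are parameters so the same walk works for any marker-prefixed family; the sample tree is constructed in a temporary directory.

```python
"""Triage scan for DearCry-style 'copy' encryption artifacts.

Added example, not code from the article or from any vendor.  Marker and
extension are the values reported in published sample analyses and are
passed as parameters so the scan generalises to other families.
"""
import os
import tempfile
from dataclasses import dataclass

DEARCRY_MARKER = b"DEARCRY!"   # header written at the start of encrypted copies
DEARCRY_EXT = ".CRYPT"         # extension appended to encrypted copies


@dataclass
class Finding:
    path: str
    reason: str


def is_marked(path: str, marker: bytes = DEARCRY_MARKER) -> bool:
    """True if the file begins with the ransomware marker (one small read)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(marker)) == marker
    except OSError:
        return False


def scan_tree(root: str, marker: bytes = DEARCRY_MARKER,
              ext: str = DEARCRY_EXT) -> list[Finding]:
    """Walk root and report files that look like ransomware output.

    Two independent signals are checked so a renamed or truncated file is
    not missed: the extension (cheap, trivially evaded by renaming) and the
    leading-bytes marker (survives renaming).  For extension matches the
    sibling original is looked up, because with 'copy' encryption the
    original is only overwritten in a later step.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            has_ext = name.upper().endswith(ext.upper())
            has_marker = is_marked(path, marker)
            if not (has_ext or has_marker):
                continue
            if has_ext and has_marker:
                reason = "extension+marker"
            elif has_marker:
                reason = "marker only (renamed?)"
            else:
                reason = "extension only (no marker)"
            if has_ext:
                original = path[:-len(ext)]
                reason += "; original present" if os.path.exists(original) else "; original gone"
            findings.append(Finding(path, reason))
    return sorted(findings, key=lambda f: f.path)


def build_sample_tree(root: str) -> None:
    """Constructed fixture mimicking a partially encrypted share (not real samples)."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs, exist_ok=True)
    # encrypted copy written, original not yet overwritten
    with open(os.path.join(docs, "report.docx.CRYPT"), "wb") as fh:
        fh.write(DEARCRY_MARKER + b"\x00" * 256 + os.urandom(64))
    with open(os.path.join(docs, "report.docx"), "wb") as fh:
        fh.write(b"PK\x03\x04 plain docx bytes")
    # encrypted copy whose original is already gone, and whose marker was truncated
    with open(os.path.join(docs, "budget.xlsx.CRYPT"), "wb") as fh:
        fh.write(b"\xff" * 48)
    # encrypted file renamed by someone: only the marker survives
    with open(os.path.join(docs, "notes.txt"), "wb") as fh:
        fh.write(DEARCRY_MARKER + b"\xaa" * 32)
    # untouched file, must not be reported
    with open(os.path.join(root, "readme.md"), "wb") as fh:
        fh.write(b"# nothing to see\n")


def demo_scan() -> list[tuple[str, str]]:
    """Build the constructed tree, scan it, return (relative path, reason) pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(os.path.relpath(f.path, tmp).replace(os.sep, "/"), f.reason)
                for f in scan_tree(tmp)]


if __name__ == "__main__":
    for rel, reason in demo_scan():
        print(f"{reason:40} {rel}")
```

Run it as-is to see the three findings; point `scan_tree()` at a mounted share to use it for real. Files reported as “original present” are the ones worth copying off first, since their plaintext still exists.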
A security researcher had published proof-of-concept exploit code for the vulnerabilities on Microsoft-owned GitHub, but it was quickly removed from the platform.
The critical vulnerabilities, which had sat unnoticed in Exchange Server products for over 10 years, were being actively exploited before patches were available by a China-based advanced persistent threat (APT) group that Microsoft calls Hafnium.
The Australian Cyber Security Centre (ACSC) warned last week that a “large number” of Australian Exchange Servers were still unpatched and remained vulnerable to attack.
And despite it being best practice not to pay a ransom to unlock files, ransomware payments worldwide nearly trebled in 2020, according to data from Palo Alto Networks’ latest Ransomware Threat Report.
The average ransom paid in 2020 was US$312,493 compared to US$115,123 in 2019.
Unfortunately, the success of ransomware for cyber crooks has helped the ransomware-as-a-service business model develop which Palo Alto expects to continue evolving in the coming years.
“The ease of success with ransomware attacks tells us that more financially motivated operators will continue appearing on the scene,” it said.
“Adversaries of all kinds are continually looking for organisations to target, and they know that ransomware is not only effective, but can also be low-effort, especially if using the ransomware-as-a-service model.”