New DearCry ransomware is hitting vulnerable Microsoft Exchange servers


Malicious actors are abusing the recently patched ProxyLogon flaws to install ransomware on unpatched Microsoft Exchange servers. Microsoft said that it has detected a new ransomware strain called ‘DearCry’ that is deployed after the initial compromise of a vulnerable Exchange server.

“We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry,” Microsoft said in a tweet.

According to FortiGuard Labs, the DearCry (DoejoCrypt) ransomware attack chain targets Microsoft Exchange servers able to receive untrusted connections from an external source. Once installed, the DearCry ransomware creates encrypted copies of the attacked files and deletes the originals.

“The DearCry ransomware uses AES-256 encryption during its encryption routine to encrypt targeted files and then uses an RSA-2048 key to encrypt the AES key for further damage. Complicating things further, the public-key cryptosystem used to encrypt these files has its public encryption key embedded in the ransomware binary, which means that DearCry does not need to contact the attacker’s command-and-control server to encrypt files on the server. As a result, even Exchange Servers set up to only allow internet access to the Exchange services will still become encrypted. Without the decryption key, which is held by the attackers, decryption is not possible,” the researchers explained.
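The two behavioural facts above (encrypted copies are written and the originals deleted, and the copies are AES ciphertext rather than recognisable documents) are enough for a simple host-side heuristic. The script below is an added illustration written for this page, not code from Microsoft, FortiGuard or the DearCry sample: it scores file-activity events by the Shannon entropy of newly written files and flags the "high-entropy copy created, then original deleted" pattern. The event tuple shape, the `.EXAMPLE` suffix, the file contents and the 7.0 bits/byte threshold are all constructed assumptions for the example; a real deployment would feed it events from whatever file-activity telemetry the host already produces.

```python
import math
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# AES ciphertext is indistinguishable from random and sits near 8 bits/byte;
# Office documents, mail stores and text files sit well below this.
# The threshold is an assumption chosen for the example.
HIGH_ENTROPY = 7.0

# Constructed stand-ins for file contents (no real data).
CIPHERTEXT_LIKE = bytes(range(256))  # every byte value once -> exactly 8.0 bits/byte
PLAINTEXT_LIKE = b"Quarterly report: revenue up 4% quarter over quarter. " * 5

# Constructed event log: (action, path, content_written_or_None).
# The "encrypt copy, delete original" pairs mimic the behaviour described
# in the article; the notes.txt entries are benign noise that must not alert.
SAMPLE_EVENTS = [
    ("create", r"C:\data\report.docx.EXAMPLE", CIPHERTEXT_LIKE),
    ("delete", r"C:\data\report.docx", None),
    ("create", r"C:\data\budget.xlsx.EXAMPLE", CIPHERTEXT_LIKE),
    ("delete", r"C:\data\budget.xlsx", None),
    ("create", r"C:\data\notes.txt", PLAINTEXT_LIKE),   # ordinary edit, low entropy
    ("delete", r"C:\data\notes.txt.bak", None),         # cleanup with no matching copy
    ("create", r"C:\data\minutes.docx.EXAMPLE", CIPHERTEXT_LIKE),
    ("delete", r"C:\data\minutes.docx", None),
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_encrypt_then_delete(
    events: Iterable[Tuple[str, str, Optional[bytes]]],
    entropy_threshold: float = HIGH_ENTROPY,
    min_pairs: int = 3,
) -> Tuple[bool, List[Tuple[str, str]]]:
    """Return (alert, pairs).

    A pair is (original_path, new_path) where new_path is original_path plus
    an extra extension, was written with high-entropy content, and the
    original was deleted afterwards. `alert` is True once at least
    `min_pairs` such pairs are seen, so a single renamed archive does not fire.
    """
    high_entropy_creates = {}   # path -> entropy of the bytes written
    pairs: List[Tuple[str, str]] = []
    for action, path, content in events:
        if action == "create" and content is not None:
            ent = shannon_entropy(content)
            if ent >= entropy_threshold:
                high_entropy_creates[path] = ent
        elif action == "delete":
            # Match "<original>.<anything>" among the high-entropy files
            # written so far; this is the copy-then-delete signature.
            for new_path in high_entropy_creates:
                if new_path.startswith(path + "."):
                    pairs.append((path, new_path))
                    break
    return len(pairs) >= min_pairs, pairs


if __name__ == "__main__":
    alert, pairs = find_encrypt_then_delete(SAMPLE_EVENTS)
    print("ransomware-like activity:", alert)
    for original, copy in pairs:
        print(f"  {original} -> {copy}")
```

Entropy alone is a weak signal (compressed archives and images are also high-entropy), which is why the heuristic requires the paired deletion of the original and a minimum count before alerting. It also says nothing about the network: as the FortiGuard quote explains, a host doing this does not need to reach a command-and-control server, so egress filtering will not prevent the encryption and host telemetry is where the detection has to live.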

According to Emsisoft security researcher Michael Gillespie, the attacks apparently started on March 9 and were discovered after victims began uploading copies of the ransomware note to ID-Ransomware, a service for identifying the ransomware that encrypted a victim’s machine. So far, only six victims of DearCry have been identified, mostly in the United States, Canada, Austria and Australia.

The Exchange vulnerabilities have been part of a large-scale attack activity observed in the last week, with several individual APT groups aiming to exploit the flaws. According to the cybersecurity firm ESET, at least 10 state-sponsored hacking groups focused on cyber-espionage have exploited the flaws in the Exchange Server software in recent days in operations around the world, many of them known to have ties to China. These include Winnti Group, Tonto Team (aka CactusPete), Mikroceen APT, LuckyMouse, Tick, Calypso, and others.
