DearCry ransomware targets vulnerable Exchange servers

Microsoft has confirmed that a new strain of ransomware is targeting vulnerable on-premise Microsoft Exchange Servers through the dangerous ProxyLogon vulnerabilities as cyber criminal groups zero in on those who have yet to, or are unable to, apply the advised patches.

Redmond said via a tweet that the new ransomware, Ransom:Win32/DoejoCrypt.A or DearCry, was being deployed with initial compromise through Exchange Server. It said users of Microsoft Defender who are receiving automatic updates should not need to take action, but on-prem Exchange users should prioritise the updates it has made available, more information on which is available here.

With more and more malicious actors piling in on the ProxyLogon vulnerabilities, the arrival of ransomware gangs was only a matter of time, and many observers had already predicted this would happen.

According to BleepingComputer, DearCry itself – which seems to have surfaced earlier in the week – appears a reasonably run-of-the-mill ransomware, but notably appears to contain no flaws that would enable victims to decrypt their data for free.

Callum Roxan, head of threat intel at F-Secure, said: “Latest reporting suggests that the vulnerability is being exploited by ransomware threat actors, so it is even more of an imperative that organisations patch immediately. It is highly likely any unpatched Exchange servers that are exposed to the internet are compromised already.”

Richard Hughes, head of technical security at security services provider A&O IT Group, said the emergence of DearCry was no surprise. “Bad actors will spend all of their waking hours looking for vulnerabilities to exploit and, in this case, they have been handed one on a plate and so, of course, they won’t be wasting the opportunity,” he said.

“Ransomware attacks are a major source of financial income for criminals, requiring little time or skill to execute, and while organisations continue to pay these ransoms, this will remain the case. The ProxyLogin vulnerability highlights that organisations should never be complacent where their security is concerned as the nature of zero-day vulnerabilities is such that you may have a vulnerability assessment completed today and still be the victim of an attack exploiting a new vulnerability that is discovered tomorrow.”

Meanwhile, the number of potential victims with vulnerable servers continues to spike, even as patching efforts ramp up. New data supplied to Computer Weekly by researchers at Spyse suggests that at the time of writing, it may be as high as 283,000, with only 26% of at-risk installations patched.

Check Point threat intelligence manager Lotem Finkelstein said he was seeing the number of attempted ProxyLogon exploits doubling every two to three hours in the past 24 hours (11-12 March) alone – with the most attacked verticals being government and military bodies, followed by manufacturing and financial services.

Given the longevity of the vulnerabilities, Finkelstein stressed the importance of not merely patching, but scanning networks for live threats and assessing all connected assets.

“Compromised servers could enable an unauthorised attacker to extract your corporate emails and execute malicious code inside your organisation with high privileges,” he said.

Calvin Gan, senior manager at F-Secure’s Tactical Defence Unit, added: “The increase in attack through the ProxyLogon vulnerabilities could also likely be because of a proof-of-concept [PoC] file being published in Github yesterday, which was quickly taken down by Microsoft.

“Attackers have been known to exploit this zero-day for a while before the patch has been released, and with the PoC now available publicly, albeit with some code bugs, there are bound to be some attackers who will adopt this to their toolset to launch an attack.”