Organizations using Microsoft Exchange now have a new security problem: unprecedented ransomware being installed on servers already infected by state-sponsored hackers in China.
Microsoft reported the new ransomware family late Thursday, saying it was deployed after the initial compromise of the servers. Microsoft’s name for the new family is Ransom:Win32/DoejoCrypt.A; it is more commonly known as DearCry.
We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, as well as DearCry.
— Microsoft Security Information (@MsftSecIntel) March 12, 2021
Piggyback on Hafnium
Security company Kryptos Logic said Friday afternoon that it detected Hafnium-compromised Exchange servers that were later infected with ransomware. Kryptos Logic security researcher Marcus Hutchins told Ars that the ransomware is DearCry.
“We just discovered 6,970 exposed web shells that have been made public and posted by actors exploiting the Exchange vulnerability,” according to Kryptos Logic. “These shells are used to deploy ransomware.” Web shells are backdoors that give attackers a browser-based interface for executing commands and running malicious code on infected servers.
We just discovered 6,970 exposed web shells that were made public and posted by actors exploiting the Exchange vulnerability. These shells are used to deploy ransomware. If you are logged in to Telltale (https://t.co/caXU7rqHaI), you can check that you are not affected
— Kryptos Logic (@kryptoslogic) March 12, 2021
Anyone who knows the URL to one of these public web shells can take full control of the compromised server. The DearCry hackers use these shells to deploy their ransomware. The web shells were initially installed by Hafnium, the name Microsoft gave to a state-sponsored threat actor operating out of China.
Hutchins said the attacks are “human-operated,” meaning a hacker manually installs the ransomware on one Exchange server at a time. Not all of the nearly 7,000 servers are affected by DearCry.
“Basically, we’re starting to see criminals using grenades left behind by Hafnium to gain a foothold in networks,” explains Hutchins.
The deployment of ransomware, which security experts say was inevitable, underscores an important aspect of the ongoing response to secure servers exploited through ProxyLogon: installing the patches alone is not enough. Unless the web shells left behind are removed, servers remain open to intrusion, either by the hackers who originally installed the backdoors or by other hackers who figure out how to access them.
Little is known about DearCry. Security company Sophos said that it is based on a public key cryptosystem, with the public key embedded in the file the ransomware installs. This allows files to be encrypted without having to connect to a command-and-control server first. In order to decrypt the data, the victims must obtain the private key known only to the attackers.
What you need to know about #DearCry by Mark Loman (@markloman), Director, Engineering, Sophos (a thread):
From an encryption point of view, DearCry is what Sophos ransomware experts refer to as “copy” ransomware.
— Sophos X-Ops (@SophosXOps) March 12, 2021
One of the first to discover DearCry was Mark Gillespie, a security expert who runs a service that helps researchers identify malware types. On Thursday he reported that, starting Tuesday, he had begun receiving submissions from Exchange servers in the US, Canada, and Australia of malware containing the string “DEARCRY”.
He later found a post on the Bleeping Computer user forums stating that the ransomware had been installed on servers previously exploited by Hafnium. Bleeping Computer soon confirmed the suspicion.
John Hultquist, a vice president at security firm Mandiant, said piggybacking on the hackers who installed the web shells could be a faster and more efficient way to deploy malware to unpatched servers than exploiting the ProxyLogon vulnerabilities directly. And as noted above, even if servers are patched, ransomware operators can still compromise the machines if the web shells are not removed.
“We expect more exploitation of the Exchange vulnerabilities by ransomware actors in the near term,” Hultquist wrote in an email. “While many of the unpatched organizations may have been exploited by cyber-espionage actors, criminal ransomware operations could pose a greater risk as they disrupt organizations and even extort victims by releasing stolen emails.”
Update 7:40 PM EST: This post has been updated to remove “7000” from the headline and to clarify that not all of them are infected with ransomware.