Exchange servers first compromised by Chinese hackers hit by ransomware

Organizations using Microsoft Exchange now have a new security headache: a previously unseen ransomware family is being installed on thousands of servers that were already infected by state-backed hackers in China.

Microsoft reported the new ransomware family late Thursday and said it is deployed after servers have already been compromised. Microsoft’s name for the family is Ransom:Win32/DoejoCrypt.A. The more common name is DearCry.

On the back of Hafnium

On Friday afternoon, the security firm Kryptos Logic said it had tracked Exchange servers that were compromised by Hafnium and later infected with ransomware. Kryptos Logic security researcher Marcus Hutchins told Ars that the ransomware is DearCry.

“We have just discovered 6970 exposed webshells that are publicly exposed and posted by actors exploiting the Exchange vulnerability,” Kryptos Logic said. “These shells are used to use ransomware.” Webshells are backdoors that give attackers a browser-based interface for executing commands and running malicious code on infected servers.

Hutchins says the attacks are ‘human-operated’, meaning that an attacker installs the ransomware manually on one Exchange server at a time. Anyone who knows the URL of one of these public webshells can gain full control of the server, and the hackers behind the infections use the shells to install the ransomware. The webshells were initially installed by Hafnium, the name Microsoft gave to a state-sponsored threat actor operating out of China. Not all of the nearly 7,000 servers were hit by DearCry.

“Actually, we’re starting to see criminal actors using shells that Hafnium left behind to gain a foothold in networks,” Hutchins explained.

Hafnium is one of at least nine APTs (advanced persistent threat groups) that exploited the Exchange vulnerabilities known as ProxyLogon, which Microsoft patched on March 2. According to researchers, most or possibly all of the APTs have ties to China. Researchers also said that as many as 100,000 servers had been exploited since January, when the attacks likely began.

The deployment of ransomware, which security experts say was inevitable, highlights an important aspect of the ongoing effort to secure servers exploited through ProxyLogon: installing the patches is not enough. Unless the leftover webshells are removed, the servers remain open to intrusion, either by the hackers who originally installed the backdoors or by other hackers who figure out how to reach them.

Little is known about DearCry. The security company Sophos said it uses public-key cryptography, with the public key embedded in the file the ransomware installs. This allows it to encrypt files without first connecting to a command-and-control server. To decrypt the data, victims must obtain the private key, which is known only to the attackers.

One of the first to discover DearCry was Mark Gillespie, a security expert who runs a service that helps researchers identify malware strains. On Thursday he reported that, starting on Tuesday, he had begun receiving submissions from Exchange servers in the US, Canada and Australia for malware containing the string ‘DESCRIPTION’.

He later found a post on a Bleeping Computer user forum saying that the ransomware was being installed on servers first exploited by Hafnium. Bleeping Computer quickly confirmed the suspicion.

John Hultquist, vice president at security firm Mandiant, said that ‘piggybacking’ on the hackers who installed the webshells was a faster and more effective way to deploy malware on unpatched servers than using the ProxyLogon exploits directly. And as already noted, even when servers are patched, ransomware operators can still compromise the machines if the webshells are not removed.

“We expect the eradication of vulnerability by ransomware actors to take more advantage in the short term,” Hultquist wrote in an email. “Although many of the organizations that are still not uploaded have been exploited by cyber-spying actors, criminal ransomware can pose a greater risk because it disrupts organizations and even blackmails victims by releasing stolen email.”

This post has been updated to remove “7,000” from the headline and to make clear that not all of those servers are infected with ransomware.