Now organizations using Microsoft Exchange have a new security headache: never-before seen ransomware that’s being installed on thousands of servers that were already infected by state-sponsored hackers in China.
Microsoft reported the new family of ransomware deployment late Thursday, saying that it was being deployed after the initial compromise of servers. Microsoft’s name for the new family is Ransom:Win32/DoejoCrypt.A. The more common name is DearCry.
We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry.
— Microsoft Security Intelligence (@MsftSecIntel) March 12, 2021
Piggybacking off Hafnium
Security firm Kryptos Logic said Friday afternoon that it has detected close to 7,000 compromised Exchange servers that are being infected with ransomware. Kryptos Logic security researcher Marcus Hutchins told Ars that the ransomware is DearCry.
“We’ve just discovered 6970 exposed webshells which are publicly exposed and were placed by actors exploiting the Exchange vulnerability,” Kryptos Logic said. “These shells are being used to deploy ransomware.” Webshells are backdoors that allow attackers to use a browser-based interface to run commands and execute malicious code on infected servers.
We’ve just discovered 6970 exposed webshells which are publicly exposed and were placed by actors exploiting the Exchange vulnerability. These shells are being used to deploy ransomware. If you’re signed up to Telltale (https://t.co/caXU7rqHaI) you can check you’re not affected pic.twitter.com/DjeM59oIm2
— Kryptos Logic (@kryptoslogic) March 12, 2021
Anyone who knows the URL to these public webshells can gain complete control over the compromised server. The hackers responsible for the infections are using these shells to deploy the ransomware. The webshells were initially installed by Hafnium, the name Microsoft has given to a state-sponsored threat actor operating out of China.
“Basically we’re starting to see criminal actors using shells left behind by Hafnium to get a foothold into networks,” Hutchins explained.
Hafnium is one of at least nine APTs—short for advanced persistent threat groups—that have exploited Exchange vulnerabilities known as ProxyLogon, which Microsoft patched on March 2. Most or possibly all of those APTs have ties to China, researchers have said. Researchers have also said that as many as 100,000 servers have been exploited since January, when attacks likely began.
The deployment of ransomware, which security experts have said was inevitable, underscores a key aspect about the ongoing response to secure servers exploited by ProxyLogon. It’s not enough to simply install the patches. Without removing the webshells left behind, servers remain open to intrusion, either by the hackers who originally installed the backdoors, or by other fellow hackers who figure out how to gain access to them.
Little is known about DearCry. Security firm Sophos said that it’s based on a public-key cryptosystem, with the public key embedded in the file that installs the ransomware. That allows files to be encrypted without the need to first connect to a command-and-control server. To decrypt the data, victims’ must obtain the private key that’s known only to the attackers.
From an encryption-behavior view, DearCry is what Sophos ransomware experts call a ‘Copy’ ransomware.
— SophosLabs (@SophosLabs) March 12, 2021
Among the first to discover DearCry was Mark Gillespie, a security expert who runs a service that helps researchers identify malware strains. On Thursday, he reported that beginning on Tuesday he started receiving queries from Exchange servers in the US, Canada, and Australia for malware that had the string “DEARCRY.”
He later found someone posting to a user forum on Bleeping Computer saying the ransomware was being installed on servers that had first been exploited by Hafnium. Bleeping Computer soon confirmed the hunch.
John Hultquist, a vice president at security firm Mandiant, said piggy backing on the hackers who installed the webshells can be a faster and more efficient means to deploy malware on unpatched servers than exploiting the ProxyLogon vulnerabilities. And as already mentioned, even if servers are patched, ransomware operators can still compromise the machines when webshells haven’t been removed.
“We are anticipating more exploitation of the exchange vulnerabilities by ransomware actors in the near term,” Hultquist wrote in an email. “Though many of the still unpatched organizations may have been exploited by cyber espionage actors, criminal ransomware operations may pose a greater risk as they disrupt organizations and even extort victims by releasing stolen emails.”