While large-scale attack activity against the Exchange flaws disclosed last week continues, some actors are now following up their intrusions by installing a new strain of ransomware known as DearCry.
The ransomware began appearing on Tuesday, and researchers quickly identified that it was being used in conjunction with exploits for the Exchange flaws. Microsoft security officials said Thursday night that the company was already blocking DearCry.
“We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry,” the Microsoft Security Intelligence team said.
The DearCry ransomware installations are human operated, according to Microsoft, meaning they are not part of an automated chain. Researchers said the first samples of DearCry surfaced on Tuesday, just as attacks against the Exchange bugs, known as ProxyLogon, were ramping up. Public exploits for the flaws are available, and Microsoft, CISA, and security researchers have been urging customers to install the patches immediately, given the ease of exploitation and the volume of activity.
The Exchange vulnerabilities have been the target of a massive amount of exploit activity in the last week, with several distinct APT groups going after them. Researchers at ESET identified as many as 10 separate APT groups exploiting the Exchange vulnerabilities in the last few days, many of them China-based, but not all.
“The day after the release of the patches, we started to observe many more threat actors scanning and compromising Exchange servers en masse. Interestingly, all of them are APT groups focused on espionage, except one outlier that seems related to a known coin-mining campaign,” said Matthieu Faou of ESET.
In most cases, the attackers exploiting the Exchange flaws are after sensitive information in email and elsewhere. But when details of the vulnerabilities first became public, researchers warned that it was likely only a matter of time before ransomware actors entered the picture as well. The initial details about DearCry are sparse, but nothing about it appears unusual. Researchers at Malware Hunter Team found that the ransomware creates a new service named “msupdate” after installation, which it uses to start encrypting files.
Organizations that have not yet installed the Exchange patches should do so immediately. But given the volume of attack activity targeting vulnerable servers, any unpatched server should be considered compromised at this point.
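As an added example (not code from the article or from any of the researchers it cites), the following PowerShell function turns the two indicators the article does give into a quick triage check on a Windows host: the “msupdate” service that DearCry creates, and the Ransom:Win32/DoejoCrypt.A detection name Microsoft uses for it. The function name, its `-Kill` switch, and the output fields are assumptions about how a responder would want to triage; the article supplies only the service name and the Defender threat name.

```powershell
# Added example, not part of the original article. Triage check for the DearCry
# indicators named in the text: a service called "msupdate" and Microsoft
# Defender's Ransom:Win32/DoejoCrypt.A detection. Function name, -Kill switch and
# output shape are assumptions; only the two indicator strings come from the article.
function Find-DearCryIndicators {
    [CmdletBinding()]
    param(
        # Service name reported by Malware Hunter Team (from the article).
        [string]$ServiceName = 'msupdate',
        # Defender family name quoted from Microsoft Security Intelligence (from the article).
        [string]$ThreatName  = 'Ransom:Win32/DoejoCrypt.A',
        # Stop a running encryptor process. Off by default: killing it changes
        # volatile state, so isolate first and decide deliberately.
        [switch]$Kill
    )

    # Win32_Service exposes PathName and ProcessId, which Get-Service does not;
    # both are needed to collect the binary and to stop the encryptor if required.
    $services = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -ieq $ServiceName -or $_.DisplayName -ieq $ServiceName }

    foreach ($svc in $services) {
        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            Indicator = 'Service'
            Name      = $svc.Name
            State     = $svc.State
            StartMode = $svc.StartMode
            StartName = $svc.StartName     # account the service runs as
            PathName  = $svc.PathName      # binary to preserve for forensics
            ProcessId = $svc.ProcessId
        }
        if ($Kill -and $svc.State -eq 'Running' -and $svc.ProcessId -gt 0) {
            # Stop the process, not the service, so the binary stays on disk.
            Stop-Process -Id $svc.ProcessId -Force -ErrorAction SilentlyContinue
        }
    }

    # Defender's own detection history. The Defender module is absent on some
    # hosts, so a missing cmdlet is not treated as an error.
    $threats = Get-MpThreat -ErrorAction SilentlyContinue |
        Where-Object { $_.ThreatName -ieq $ThreatName }

    foreach ($t in $threats) {
        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            Indicator = 'Defender'
            Name      = $t.ThreatName
            State     = $null
            StartMode = $null
            StartName = $null
            PathName  = $null
            ProcessId = $t.ThreatID
        }
    }
}

# Usage: run as an administrator on each Exchange host.
#   Find-DearCryIndicators                 # report only
#   Find-DearCryIndicators -Kill           # also stop a running encryptor
Find-DearCryIndicators
```

An empty result proves nothing, which is the article's point: the service name is a post-compromise artifact of one ransomware family, so a host that has been exposed unpatched still has to be treated as compromised and examined for the initial intrusion, not just for DearCry.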