Unpatched Exchange Servers hit with ransomware
- By Susan Miller
- Mar 15, 2021
Microsoft Exchange Servers that have not been upgraded with the latest security patches are getting hit with "DearCry" ransomware, Microsoft warned.
“We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry,” Microsoft Security Intelligence tweeted March 11.
This new threat takes advantage of web shells or backdoors installed by the Hafnium group, which exploited four zero-day Exchange Server flaws. A web shell is a script that can be uploaded to a compromised Microsoft Exchange Server to enable remote administration of the machine, according to the Cybersecurity and Infrastructure Security Agency. The attacks were initially thought to be designed for widespread government and industry espionage campaigns, but attackers are now using those web shells to install ransomware.
The new development was first detected and reported by security researcher Michael Gillespie after he noticed a “sudden swarm” of submissions to his ID-Ransomware website, according to a Threatpost article. After analyzing the reports, Gillespie realized the attacks were hitting Exchange servers.
The DearCry ransomware uses AES-256 and RSA-2048 to encrypt victim files and changes file headers to include the string ‘DEARCRY!’. A ransomware note and a hash are displayed on the victim’s desktop, along with an email address the victim is asked to contact, Palo Alto Networks’ Unit 42 global threat intelligence team wrote. “All logical drives on the Windows operating system, except for CD-ROM drives, are enumerated on the victim’s system so that the ransomware can begin to encrypt files using an RSA public key,” they said.
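One triage check a responder can run after cleanup is to sweep a file tree for the ‘DEARCRY!’ header marker described above, to scope which files were encrypted. This is an added example, not code from the article or from any vendor tool; it assumes the marker falls within the first 512 bytes of a file, since the article gives no offset, and the sample files it scans are constructed here.

```python
import os
import tempfile
from pathlib import Path

# Marker the article says DearCry writes into the headers of encrypted files.
MARKER = b"DEARCRY!"
# Assumption: the marker sits within the first 512 bytes; the article gives no offset.
HEADER_BYTES = 512


def is_dearcry_encrypted(data: bytes) -> bool:
    """Return True if the file header region carries the DearCry marker."""
    return MARKER in data[:HEADER_BYTES]


def scan_tree(root: str) -> list:
    """Walk a directory tree and return the paths whose headers carry the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(HEADER_BYTES)  # only the header is needed
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if is_dearcry_encrypted(head):
                hits.append(path)
    return sorted(hits)


def demo() -> list:
    """Build a constructed sample tree (not real victim data) and scan it."""
    root = tempfile.mkdtemp(prefix="dearcry_demo_")
    # Constructed samples: one marked file, one clean file, and one that only
    # contains the marker deep in its body, which must not count as a hit.
    Path(root, "report.docx").write_bytes(MARKER + b"\x00" * 40 + os.urandom(64))
    Path(root, "notes.txt").write_bytes(b"quarterly numbers\n" * 4)
    Path(root, "log.txt").write_bytes(b"x" * 600 + MARKER)
    return [os.path.relpath(p, root) for p in scan_tree(root)]


if __name__ == "__main__":
    print(demo())  # ['report.docx']
```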
Security firm Kryptos Logic tweeted it has detected nearly 7,000 exposed web shells on compromised Exchange servers that can be seeded with ransomware.
The attacks are “human operated,” meaning the ransomware is manually installed, one-by-one, on each vulnerable server, Kryptos Logic security researcher Marcus Hutchins told Ars Technica. Not all of the nearly 7,000 servers have been hit by DearCry, he added.
Taking advantage of previously installed web shells “can be a faster and more efficient means to deploy malware on unpatched servers than exploiting the specific Exchange flaws,” John Hultquist, a vice president at security firm Mandiant, told Ars.
The speed with which the vulnerabilities were converted to ransomware was remarkable, Allan Liska with Recorded Future told Redmondmag.
"What this shows is the acceleration of the development of the ransomware actors and their maturity," he said. "If you go back to Zerologon, which was released in August, we didn't see ransomware actors exploiting that until October, which was a two-month gap. Here there was a nine-day gap. It shows how quickly they're growing and maturing in terms of being able to take advantage of exploits."
Even after the Exchange Servers are patched, attackers can take advantage of the web shells that were installed while the servers were still vulnerable. Organizations must scrub their systems to remove all web shells.
Susan Miller is executive editor at GCN.