Exchange servers compromised for the first time by Chinese hackers hit with ransomware


Now, organizations using Microsoft Exchange have a new security headache: never-before-seen ransomware is being installed on thousands of servers that had already been infected by state-sponsored hackers in China.

Microsoft reported the new ransomware family on Thursday night, saying it was being deployed after the servers’ initial compromise. Microsoft’s name for the new family is Ransom:Win32/DoejoCrypt.A. The more common name is DearCry.

Leveraging Hafnium

On Friday afternoon, security company Kryptos Logic said it had detected Hafnium-compromised Exchange servers that were later infected with ransomware. Kryptos Logic security researcher Marcus Hutchins told Ars that the ransomware is DearCry.

“We have just discovered 6,970 publicly exposed webshells placed by actors who are exploiting the Exchange vulnerability,” said Kryptos Logic. “These shells are being used to deploy ransomware.” Webshells are backdoors that let attackers use a browser-based interface to run commands and execute malicious code on infected servers.

Hutchins says the attacks are “human-operated”, meaning that a hacker manually installs the ransomware on one Exchange server at a time. Anyone who knows the URL of one of these public webshells can gain complete control over the compromised server. The hackers responsible for the infections are using these shells to deploy the ransomware. The webshells were initially installed by Hafnium, the name Microsoft gave to a state-sponsored threat actor operating out of China. Not all of the nearly 7,000 servers have been hit by DearCry.

“Basically, we are starting to see criminal actors using shells left by Hafnium to establish themselves in networks,” explained Hutchins.

Hafnium is one of at least nine APTs – short for advanced persistent threat groups – that exploited the Exchange vulnerabilities known as ProxyLogon, which Microsoft patched on March 2. Most, or possibly all, of these APTs have ties to China, researchers said. Researchers also said that up to 100,000 servers have been exploited since January, when the attacks likely began.

The deployment of ransomware, which security experts said was inevitable, highlights an important aspect of the ongoing effort to secure servers exploited through ProxyLogon: it is not enough to simply install the patches. Unless the webshells left behind are removed, the servers remain open to intrusion, either by the hackers who originally installed the backdoors or by other hackers who figure out how to reach them.

Little is known about DearCry. Security company Sophos said it is based on a public-key cryptosystem, with the public key embedded in the file that installs the ransomware. This allows files to be encrypted without first connecting to a command-and-control server. To decrypt their data, victims must obtain the private key, which is known only to the attackers.

One of the first to discover DearCry was Mark Gillespie, a security expert who runs a service that helps researchers identify strains of malware. On Thursday, he reported that, starting on Tuesday, he had begun receiving queries from Exchange servers in the US, Canada and Australia for malware containing the string “DEARCRY”.

He later found someone posting on a Bleeping Computer user forum reporting that the ransomware was being installed on servers that had first been exploited by Hafnium. Bleeping Computer soon confirmed the hunch.

John Hultquist, vice president at security company Mandiant, said that piggybacking on the hackers who installed the webshells could be a faster and more efficient way to deploy malware on unpatched servers than exploiting the ProxyLogon vulnerabilities directly. And, as already mentioned, even when servers are patched, ransomware operators can still compromise the machines if the webshells have not been removed.

“We are anticipating further exploitation of the Exchange vulnerabilities by ransomware actors in the short term,” Hultquist wrote in an email. “While many of the organizations still unpatched may have been exploited by cyber espionage actors, criminal ransomware operations may pose a greater risk, as they disrupt organizations and even extort victims by releasing stolen emails.”

Post updated to remove “7,000” from the title and to make it clear that not all of the servers have been infected with ransomware.
