Dive Brief:
- Microsoft Security Intelligence detected and is blocking "a new family of ransomware" targeting unpatched Microsoft Exchange servers, the company said Thursday.
- File markers labeled "DEARCRY!" were submitted to the ransomware strain identification site ID-Ransomware from IP addresses of Microsoft Exchange servers in the U.S., Canada and Australia, according to security researcher Michael Gillespie on Thursday, before Microsoft confirmed the activity.
- Submissions to ID-Ransomware found human-operated DearCry ransomware installed on Microsoft Exchange servers, Bleeping Computer reported. Starting on Tuesday, posts in the DearCry forum said the servers were first compromised using the ProxyLogon vulnerabilities, with DearCry deployed afterward.
Dive Insight:
The cybersecurity community has warned organizations of the threat posed by criminal gangs exploiting the Hafnium Microsoft Exchange hack.
As of Tuesday, Palo Alto Networks' Unit 42 estimated about 125,000 unpatched Exchange servers globally. At least 80,000 servers are so old that the patches Microsoft deployed are incompatible with them. Microsoft offered other guidance on Monday for servers running older and unsupported Cumulative Updates.
Some security researchers say patching vulnerable servers now is too late, but Microsoft issued additional updates for the on-premises servers on Thursday.
Enterprise detection teams may already have insights into highly prolific, human-operated ransomware threats, including Maze (now Egregor), Ryuk, Conti, REvil and RagnarLocker. But their security tools have limits when up against human-operated malware.
Human-run malware was historically associated with nation-state operations, but cybercriminal operations now use the tactic as well. With a person behind the keyboard, an attacker can adapt and borrow the tactics, techniques and procedures (TTPs) of other groups mid-operation, making ransomware attacks more difficult to prevent.
When DearCry is deployed, the ransomware attempts to shut down a Windows service named "msupdate," according to Bleeping Computer. "It is not known what this service is, but it does not appear to be a legitimate Windows service." From there, encryption begins using AES-256 + RSA-2048, a combination of the Advanced Encryption Standard (a symmetric cipher) and RSA (asymmetric, public-key cryptography).
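As an added, defender-side example (not code from the article, Microsoft, Bleeping Computer or ID-Ransomware), the following Python script walks a directory tree and lists files that carry the "DEARCRY!" marker mentioned in the Dive Brief, so a responder can size the blast radius before deciding what to restore from backup. It assumes the marker sits at the very start of each affected file, which the article does not state, and the sample tree it builds (file names included) is constructed for the demo.

```python
"""Triage helper: count and list files that carry the DearCry file marker.

Assumptions (not from the article): the marker bytes "DEARCRY!" appear at the
start of an affected file. All sample files below are constructed.
"""
import os
import tempfile
from pathlib import Path

# Marker string reported in ID-Ransomware submissions (position assumed).
DEARCRY_MARKER = b"DEARCRY!"


def has_dearcry_marker(path: Path) -> bool:
    """Return True if the file begins with the DearCry marker (assumed position)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(DEARCRY_MARKER)) == DEARCRY_MARKER
    except OSError:
        # Unreadable or vanished files are skipped rather than aborting the scan.
        return False


def scan_tree(root) -> list:
    """Walk a directory tree; return sorted, root-relative paths of marked files."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if has_dearcry_marker(p):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def summarize(hits: list) -> dict:
    """Aggregate hits by top-level directory to show which shares were touched."""
    per_dir = {}
    for rel in hits:
        top = rel.split("/", 1)[0] if "/" in rel else "."
        per_dir[top] = per_dir.get(top, 0) + 1
    return {"total": len(hits), "by_top_level_dir": per_dir}


def build_sample_tree() -> Path:
    """Create a constructed sample tree: two marked files and one clean file."""
    root = Path(tempfile.mkdtemp(prefix="dearcry_demo_"))
    # Marked file at the root (constructed content after the marker).
    (root / "report.docx").write_bytes(DEARCRY_MARKER + b"\x00" * 32 + b"ciphertext")
    share = root / "shares"
    share.mkdir()
    # Marked file inside a subdirectory.
    (share / "budget.xlsx").write_bytes(DEARCRY_MARKER + b"\x01\x02" + b"ciphertext")
    # Unaffected file: no marker.
    (share / "readme.txt").write_bytes(b"plain text, unaffected")
    return root


def demo() -> tuple:
    """Build the constructed tree, scan it and return (hits, summary)."""
    root = build_sample_tree()
    hits = scan_tree(root)
    return hits, summarize(hits)


if __name__ == "__main__":
    found, report = demo()
    for rel in found:
        print("marked:", rel)
    print(report)
```

Run it against a real file share by calling `scan_tree("/path/to/share")`; the per-directory summary is what tells a responder which shares need restoration and which can be left alone.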
In at least one reported DearCry incident, the bad actors asked for $16,000.
When DearCry submissions started rolling into ID-Ransomware, it was too early to know definitively whether the ransomware incidents were directly enabled by the Microsoft Exchange hack. The ID-Ransomware submissions suggest "there is data indicating six Exchange servers uploaded files consistent with ransomware. More evidence is needed for any other assessment," tweeted Katie Nickels, director of intelligence at Red Canary.
Microsoft's confirmation of a new family of ransomware adds urgency to deploying the Exchange server patches quickly. Backups are a secondary priority, to ensure continuity if a ransomware attack is already underway.
On Wednesday, Microsoft removed a proof of concept (PoC) exploit for the ProxyLogon vulnerabilities in Microsoft Exchange from GitHub, The Record reported. GitHub, the Microsoft-owned open source company, scrubbed the PoC as the threat continued.