DearCry ransomware impacting Microsoft Exchange servers

While only a small number of DearCry ransomware victims have been reported at this time, the infections have hit organizations in the U.S., Canada, Australia and beyond.

First, there was WannaCry. Now, there is DearCry.

A new family of ransomware known as Ransom:Win32/DoejoCrypt.A, or "DearCry," has infected an unknown number of organizations through multiple zero-day vulnerabilities in on-premises versions of Microsoft Exchange Server, which were initially exploited by various threat actors, including a Chinese nation-state group.

The earliest DearCry report came Tuesday from Michael Gillespie, creator of the free ransomware identification service ID Ransomware, who tweeted Thursday that a new variant carrying "DEARCRY!" file markers was being submitted from Exchange servers to the ID Ransomware system.

Gillespie said that, as of Thursday, he had seen six unique IP addresses from the United States, Canada and Australia attributable to DearCry reported to ID Ransomware. MalwareHunterTeam, a security researcher collective associated with ID Ransomware, said in a tweet that it had also seen reports from victims in Austria and Denmark.

On Thursday evening, BleepingComputer published a report on the ransomware and connected it to the Microsoft Exchange Server vulnerabilities, the most serious of which is known as ProxyLogon. Microsoft made its first direct comment on DearCry later that evening in a tweet by Microsoft Security Intelligence.

"We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry," the tweet read.

SearchSecurity contacted Microsoft for further details about the threat, though the company did not respond at press time. Microsoft recommended that owners of on-premises versions of Exchange Server install the latest security updates as soon as possible. Threat researchers have also recommended organizations conduct full investigations into their Exchange environments, because threat actors may be able to maintain access even after patches are applied. To that end, Microsoft previously released two detection tools that help organizations scan for indicators of compromise and malicious web shells.

The situation involving the Exchange Server ProxyLogon vulnerabilities has dramatically escalated since their disclosure and patching on March 2. Antimalware vendor ESET published research Wednesday showing that at least 10 APT groups were actively exploiting the vulnerabilities.

"It is still unclear how the distribution of the exploit happened, but it is inevitable that more and more threat actors, including ransomware operators, will have access to it sooner or later," the post read.

There is no known connection between WannaCry and DearCry, but the newer ransomware's name could be a reference to 2017's infamous wormable variant that spread globally and cost billions of dollars.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
