Summary
On March 2, Microsoft released patches for four zero-day vulnerabilities affecting Exchange Server 2013, 2016, and 2019 (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065). In the following weeks, attackers have been aggressively targeting vulnerable servers to install web shells that provide persistent remote access to infected servers. On March 9, attackers began installing a new ransomware variant known as DearCry or DoejoCrypt on infected servers. DearCry copies and encrypts files and then overwrites and deletes the originals, a tactic previously employed by WannaCry. The samples do not contain any command and control connection to start encryption, instead using a hard-coded key to begin encryption immediately at infection time.
If you are currently running a vulnerable Exchange server, we advise that you patch it immediately. Microsoft has released security updates and detailed technical guidance to help.
Protection
Netskope Threat Labs is actively monitoring DearCry. Currently, use of DearCry has been limited to vulnerable Exchange servers. Each victim is targeted with a different sample, but the attackers have not employed any evasion techniques. We expect DearCry to be chained with other attacks in the near future and to begin employing common evasion and obfuscation techniques as it matures.
DearCry ransomware samples are detected by Netskope Threat Protection as Gen:Variant.Ransom.DearCry.1. Netskope Advanced Threat Protection provides proactive coverage against DearCry using both our ML and heuristic-based static analysis engines and our cloud sandbox.
Gen.Malware.Detect.By.Sandboxindicates a sample that was detected by Netskope’s cloud sandboxGen.Malware.Detect.By.StHeurindicates a sample that was detected by one of Netskope’s static analysis engines
Hashes
- 2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff
- e044d9f2d0f1260c3f4a543a1e67f33fcac265be114a1b135fd575b860d2b8c6
- feb3e6d30ba573ba23f3bd1291ca173b7879706d1fe039c34d53a4fdcdf33ede
