DearCry Ransomware Targets Microsoft Exchange Servers

Microsoft recently issued an alert and a temporary fix after threat actors released a type of ransomware called DearCry. The ransomware supposedly attacked thousands on unpatched Microsoft Exchange servers, with hundreds of thousands of servers made vulnerable to the said attack.

According to Bloomberg, the latest ransomware attack touted as DearCry comes after the tech giant experienced a data breach in the past week, where it came across four flaws under its Microsoft Exchange systems.

Bleeping Computer reveals that Michael Gillespie first became aware of the issue after numerous submissions have been made on his system, a ransomware identification website called ID-Ransomware. The submissions started on March 9, 2021, where Gillespie saw a barrage of ransom notes and protected files on his website.

DearCry Targets Microsoft Exchange Servers

After conducting his investigation, Bleeping Computer states that Gillespie found that almost all of the submissions came from the Exchange servers.

Less than two hours after that the zero-day ProxyLogin vulnerabilities were reported by the said website, Microsoft Security Program Manager Phillip Misner took to social networking platform Twitter to tweet the following, “Microsoft observed a new family of human operated ransomware attack customers. Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers.”

The computer company believes that the threat actors behind this are state-backed hackers from China called Hafnium, notes ZD Net. However, ESET, a security vendor, discovered that approximately 10 state-backed hacking groups are found to working all at the same time to exploit the current vulnerabilities presented in the said Exchange servers.

Based on the findings of Bleeping Computer, DearCry works by dropping a ransom note, referred to as ‘readme.txt’ after a server in question has already been compromised. This note reportedly contains a ransom payment amounting to $16,000 being required by the threat actors to be paid into the email addresses provided in the note.

Following the incident, Bloomberg reports that Microsoft released updates on Friday, March 12, 2021, to issue a temporary fix on the unpatched Exchange servers.

In a blog post, the company said that “This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs [security updates].”

After issuing a fix, Bloomberg states that the massive number of affected systems came down to around 83,000. However, Bleeping Computer states that some of these operate on older models, meaning the patch issued by Microsoft cannot be easily applied to its systems.