Microsoft Exchange servers targeted by DearCry ransomware abusing ProxyLogon bugs
A threat actor is currently exploiting the ProxyLogon vulnerabilities to install ransomware on unpatched Microsoft Exchange email servers and encrypt their content, Microsoft confirmed today.
The attacks have been taking place since at least Tuesday, March 9, and were discovered after victim organizations uploaded copies of the ransom note on ID-Ransomware, a web-based tool for identifying the name of a ransomware strain that has encrypted a victim's systems.
Only six victims have been identified so far, according to Michael Gillespie, ID-Ransomware creator and an Emsisoft security researcher.
#Exchange Servers Possibly Hit With #Ransomware
— Michael Gillespie (@demonslay335) March 11, 2021
ID Ransomware is getting a sudden swarm of submissions with ".CRYPT" and filemarker "DEARCRY!" coming from IPs of Exchange servers from US, CA, AU on quick look. pic.twitter.com/wPCu2v6kVl
The name of this new ransomware is DearCry, a name chosen based on a file marker found inside encrypted files; however, Microsoft Defender will also detect it as Ransom:Win32/DoejoCrypt.A.
We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry.
— Microsoft Threat Intelligence (@MsftSecIntel) March 12, 2021
The attacks are small in scale and no new victims have been spotted recently; single victims have been observed in Austria, Australia, Canada, Denmark, and the United States, according to security researcher MalwareHunterTeam.
Based on the IP address of the ID-Ransomware submissions, most of the victims are small companies, but one appears to be a larger entity, MalwareHunterTeam told The Record.
Also, not yet seen any new samples of this DearCry ransomware after the 3 samples that were uploaded to VT on the 9th (hashes of those samples already made public yesterday here: https://t.co/LKHhQL9MZM).
— MalwareHunterTeam (@malwrhunterteam) March 12, 2021
The attacks began before a public exploit for the ProxyLogon vulnerability was posted online, suggesting the attackers developed their own private exploit to attack unpatched Exchange email servers.
Once a server has been compromised and its data encrypted, the affected files carry an extra .CRYPT extension appended to their original file name.
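The two indicators the article gives for DearCry-encrypted files, the appended .CRYPT extension and the "DEARCRY!" file marker, are enough for a first-pass triage of a suspect volume. The script below is an added example written for this page, not code from The Record, Microsoft or the researchers quoted; it walks a directory tree and classifies each file by whether it has the extension, the marker, both or neither. The article does not say where in the file the marker sits, so the scanner assumes it appears within the first 4096 bytes (HEADER_BYTES); the sample tree it builds is constructed test data, not real ransomware output.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted files carry a ".CRYPT"
# extension and contain the file marker "DEARCRY!". Where the marker sits
# in the file is not stated, so this example assumes it falls within the
# first HEADER_BYTES of the file.
CRYPT_EXT = ".CRYPT"
MARKER = b"DEARCRY!"
HEADER_BYTES = 4096


def classify_file(path):
    """Classify one file as 'encrypted', 'extension-only', 'marker-only',
    'clean' or 'unreadable' based on the two indicators above."""
    has_ext = path.suffix.upper() == CRYPT_EXT  # case-insensitive on purpose
    try:
        with open(path, "rb") as fh:
            head = fh.read(HEADER_BYTES)
    except OSError:
        return "unreadable"
    has_marker = MARKER in head
    if has_ext and has_marker:
        return "encrypted"
    if has_ext:
        return "extension-only"   # renamed, but no marker: not DearCry per the indicators
    if has_marker:
        return "marker-only"      # marker present without the rename: worth a manual look
    return "clean"


def scan_tree(root):
    """Walk root; return (tally of verdicts, sorted list of non-clean hits)."""
    root = Path(root)
    counts = {}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            verdict = classify_file(p)
            counts[verdict] = counts.get(verdict, 0) + 1
            if verdict != "clean":
                hits.append((p.relative_to(root).as_posix(), verdict))
    return counts, sorted(hits)


def build_sample_tree(root):
    """Constructed sample data for this example only; not real DearCry output."""
    root = Path(root)
    (root / "mail").mkdir(parents=True, exist_ok=True)
    # Both indicators: marker in the header plus the appended extension
    (root / "mail" / "db01.edb.CRYPT").write_bytes(MARKER + b"\x00" * 64 + os.urandom(128))
    # Extension only: a file that merely ends in .CRYPT
    (root / "mail" / "notes.txt.CRYPT").write_bytes(b"plain text")
    # Marker only: marker present, original name kept
    (root / "partial.bin").write_bytes(b"junk" + MARKER)
    # Ordinary file
    (root / "readme.txt").write_bytes(b"nothing to see")


def run_demo():
    """Build the constructed tree in a temp dir, scan it, clean up, return results."""
    tmp = tempfile.mkdtemp(prefix="dearcry-demo-")
    try:
        build_sample_tree(tmp)
        return scan_tree(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    counts, hits = run_demo()
    for rel, verdict in hits:
        print(f"{verdict:15s} {rel}")
    print(counts)
```

Run it against a mounted copy of the affected volume rather than the live server, and treat "extension-only" and "marker-only" hits as prompts for manual review rather than as confirmed encryption; the marker check is a triage aid, not a substitute for sample analysis.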
To decrypt their files, the ransomware asks for ransoms varying between $50,000 and $110,000, MalwareHunterTeam told The Record.
Gillespie, who analyzed the ransomware's encryption scheme, said he could not identify any weaknesses or coding mistakes that could be abused for decrypting files without paying the ransom.
Multiple sources in the cybersecurity industry have also told The Record that the ransomware appears to be a tool assembled in haste and, based on the evidence so far, has no ties to any large or well-known threat actor.
The attacks come after a week in which security experts warned Exchange server owners to patch quickly, since ransomware gangs were expected to begin targeting unpatched servers as soon as they obtained a fully working ProxyLogon exploit.
Catalin Cimpanu
is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.