Microsoft Exchange servers targeted by DearCry ransomware abusing ProxyLogon bugs
Catalin Cimpanu March 12, 2021

A threat actor is currently exploiting the ProxyLogon vulnerabilities to install ransomware on unpatched Microsoft Exchange email servers and encrypt their content, Microsoft confirmed today.

The attacks have been taking place since at least Tuesday, March 9, and were discovered after victim organizations uploaded copies of the ransom note on ID-Ransomware, a web-based tool for identifying the name of a ransomware strain that has encrypted a victim’s systems.

Only six victims have been identified so far, according to Michael Gillespie, ID-Ransomware creator and an Emsisoft security researcher.

The name of this new ransomware is DearCry, a name chosen based on a file marker found inside encrypted files; however, Microsoft Defender will also detect it as Ransom:Win32/DoejoCrypt.A.

The attacks are small in scale and no new victims have been spotted recently; single victims have been observed in Austria, Australia, Canada, Denmark, and the United States, according to security researcher MalwareHunterTeam.

Based on the IP address of the ID-Ransomware submissions, most of the victims are small companies, but one appears to be a larger entity, MalwareHunterTeam told The Record.

The attacks began before a public exploit for the ProxyLogon vulnerability was posted online, suggesting the attackers developed their own private exploit to attack unpatched Exchange email servers.

(Image: ProxyLogon exploit chain. Image: DomainTools)

Once a server has been attacked and its data encrypted, the affected files carry an extra .CRYPT extension appended to their original names.
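The two on-disk indicators the article gives, the appended .CRYPT extension and the file marker that gave the strain its name, are enough for a first-pass triage script during incident response. The following is an added example written for this page, not code from the article or from any of the researchers quoted. The article does not print the marker's value; the script assumes the eight-byte ASCII string "DEARCRY!" that public sample analyses reported, and the sample directory it scans is constructed inline so the example runs offline.

```python
"""Triage scan for DearCry-style encrypted files (added example, not from the article)."""
import os
import tempfile
from pathlib import Path

# Assumption: public sample analyses reported this header at the start of every
# encrypted file; the article only says a file marker exists. Adjust if needed.
DEARCRY_MARKER = b"DEARCRY!"
ENCRYPTED_SUFFIX = ".CRYPT"  # extension the article reports is appended to files


def classify_file(path):
    """Classify one file as 'encrypted', 'suffix_only', 'marker_only' or 'clean'.

    Checking both indicators separates real DearCry output from files that were
    merely renamed (another strain, or a decoy) and from files that carry the
    marker but were never renamed (e.g. encryption interrupted mid-run).
    """
    p = Path(path)
    has_suffix = p.suffix.upper() == ENCRYPTED_SUFFIX
    try:
        with open(p, "rb") as fh:
            head = fh.read(len(DEARCRY_MARKER))
    except OSError:
        head = b""
    has_marker = head == DEARCRY_MARKER
    if has_suffix and has_marker:
        return "encrypted"
    if has_suffix:
        return "suffix_only"
    if has_marker:
        return "marker_only"
    return "clean"


def scan_tree(root):
    """Walk a directory tree; return (verdict counts, sorted non-clean findings)."""
    counts = {"encrypted": 0, "suffix_only": 0, "marker_only": 0, "clean": 0}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            verdict = classify_file(full)
            counts[verdict] += 1
            if verdict != "clean":
                findings.append((os.path.relpath(full, root), verdict))
    return counts, sorted(findings)


def build_sample_tree():
    """Create a constructed directory of sample files so the example runs offline."""
    root = tempfile.mkdtemp(prefix="dearcry_triage_")
    sub = os.path.join(root, "inetpub")
    os.makedirs(sub)
    samples = {
        # constructed: genuine-looking encrypted file (renamed and marker present)
        os.path.join(root, "mailbox.edb.CRYPT"): DEARCRY_MARKER + b"\x00" * 64,
        # constructed: renamed, but still a real ZIP/OOXML header, so not DearCry output
        os.path.join(root, "report.docx.CRYPT"): b"PK\x03\x04" + b"\x00" * 64,
        # constructed: marker written, file never renamed
        os.path.join(sub, "notes.txt"): DEARCRY_MARKER + b"partial",
        # constructed: untouched file
        os.path.join(root, "budget.xlsx"): b"PK\x03\x04" + b"\x00" * 64,
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    totals, hits = scan_tree(sample_root)
    print("verdict counts:", totals)
    for rel_path, verdict in hits:
        print(f"{verdict:12s} {rel_path}")
```

Run it against a mounted image or the Exchange install directory rather than the live volume where possible; the script only reads the first eight bytes of each file, so it is cheap enough to run across a full mailbox store.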

The ransom demanded for decrypting the files varies between $50,000 and $110,000, MalwareHunterTeam told The Record.

Gillespie, who analyzed the ransomware’s encryption scheme, said he could not identify any weaknesses or coding mistakes that could be abused for decrypting files without paying the ransom.

Multiple sources in the cybersecurity industry have also told The Record that the ransomware appears to be a tool put together in haste and has no ties to any large or well-known threat actor, at least based on the evidence so far.

The attacks come as security experts have warned Exchange server owners over the past week to quickly patch their systems as ransomware gangs were expected to begin targeting their systems once they got their hands on a fully-working ProxyLogon exploit.

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.