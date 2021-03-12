



Attackers are deploying DearCry ransomware on victim systems after breaking into unpatched on-premises Microsoft Exchange servers, Microsoft confirmed Thursday evening.

"Microsoft has seen a new family of human-operated ransomware attacks," Phillip Misner, a security program manager at Microsoft, tweeted at 9:19 p.m. ET Thursday. "Human-operated ransomware attacks are using the Microsoft Exchange vulnerabilities to exploit customers."

Misner's tweet came less than two hours after BleepingComputer reported that threat actors were exploiting the ProxyLogon zero-day vulnerabilities in Microsoft Exchange servers to install DearCry ransomware. According to Microsoft Security Intelligence, Microsoft Defender customers who receive automatic updates are now protected against this ransomware without having to take any action.

[Related: Exchange Breach: MSPs That Did Not Move On-Premise Exchange To The Cloud 'Blew It']

"We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange servers," Microsoft Security Intelligence tweeted at 11:53 p.m. ET Thursday. "Microsoft protects against this threat known as … DearCry."

Microsoft has urged on-premises Exchange Server customers to prioritize the security updates it released this week, which include updates for customers who are unable to bring their Exchange environment up to a version for which Microsoft already has patches. Around 80,000 older servers still cannot directly apply Microsoft's recent security updates, Palo Alto Networks told BleepingComputer.

The DearCry ransomware attacks first came to public attention Thursday afternoon with a tweet from ID Ransomware creator Michael Gillespie. "ID Ransomware is getting a sudden swarm of submissions with '.CRYPT' and file marker 'DEARCRY!' from IPs of Exchange servers from US, CA [Canada], AU [Australia] on a quick look," Gillespie tweeted at 4:31 p.m. ET Thursday.
Once launched, the DearCry ransomware attempts to shut down a Windows service named "msupdate," which does not appear to be a legitimate Windows service, Vitali Kremez, CEO of Advanced Intelligence, told BleepingComputer. For at least one victim, the DearCry operators demanded a ransom of $16,000, according to BleepingComputer.

Once it finishes encrypting a computer, DearCry creates a simple ransom note named "readme.txt" that contains two email addresses for the ransomware operators along with a unique hash, BleepingComputer reported. BleepingComputer said the ransomware does not appear to have any weaknesses that would let victims recover their files for free.

John Hultquist, vice president of analysis at Mandiant Threat Intelligence, expects more ransomware groups to exploit the Microsoft Exchange vulnerabilities in the near term. "Although many as-yet-unpatched organizations have been exploited by cyber espionage actors, criminal ransomware operations may pose a greater risk, as they disrupt organizations and even extort victims by distributing stolen emails," Hultquist said in a statement. "Ransomware operators can monetize their access by encrypting emails or threatening to disclose them, a tactic they have recently adopted."

The Microsoft Exchange hack has taken on added urgency this week, with ESET saying Wednesday that at least 10 different advanced hacking groups were exploiting the zero-day vulnerabilities. Several of those groups had access to details of the vulnerabilities before Microsoft released its patches, which rules out the possibility that they learned of the flaws by reverse engineering Microsoft's updates. Microsoft is investigating whether a leak could have triggered the mass compromise of Exchange servers ahead of the release of its fix, two people with knowledge of the company's response told Bloomberg on Friday.
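As an added example (not code from this article or from any of the vendors it quotes), the following Python script sweeps a directory tree for the file-level indicators the reporting above describes: the .CRYPT extension and DEARCRY! file marker from Gillespie's ID Ransomware submissions, and the readme.txt note carrying two operator email addresses that BleepingComputer describes. It assumes the marker sits at the very start of an encrypted file, which is an assumption to verify against your own samples, and every sample file it inspects is constructed inline for the demonstration.

```python
"""Triage sweep for the DearCry file-level indicators reported above:
files renamed with a .CRYPT extension, the DEARCRY! file marker, and a
readme.txt ransom note carrying two operator e-mail addresses. All sample
data below is constructed for the example."""
import os
import re
import tempfile
from pathlib import Path

CRYPT_EXT = ".CRYPT"        # extension seen in the ID Ransomware submissions
FILE_MARKER = b"DEARCRY!"   # file marker reported with the extension
NOTE_NAME = "readme.txt"    # ransom note name reported by BleepingComputer
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def has_file_marker(path: Path) -> bool:
    """Assumption for this example: the marker sits at offset 0 of an
    encrypted file. Tune the offset against your own samples."""
    try:
        with path.open("rb") as f:
            return f.read(len(FILE_MARKER)) == FILE_MARKER
    except OSError:
        return False


def looks_like_note(path: Path) -> bool:
    """A readme.txt that names at least two distinct contact addresses."""
    if path.name.lower() != NOTE_NAME:
        return False
    try:
        return len(set(EMAIL_RE.findall(path.read_bytes()))) >= 2
    except OSError:
        return False


def sweep(root) -> dict:
    """Walk root and bucket every file by which indicators it matches.
    A .CRYPT file without the marker (or vice versa) is reported
    separately so a responder sees renamed or half-written files
    instead of silently miscounting them."""
    hits = {"encrypted": [], "ext_only": [], "marker_only": [], "notes": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath, name)
            if looks_like_note(p):
                hits["notes"].append(str(p))
                continue
            ext = p.suffix.upper() == CRYPT_EXT
            marker = has_file_marker(p)
            if ext and marker:
                hits["encrypted"].append(str(p))
            elif ext:
                hits["ext_only"].append(str(p))
            elif marker:
                hits["marker_only"].append(str(p))
    return hits


def build_sample_tree(root: str) -> None:
    """Constructed sample tree: one fully encrypted file, one renamed file
    without the marker, one marked file not yet renamed, one qualifying
    note, and one readme.txt that does not qualify."""
    files = {
        "docs/report.docx.CRYPT": FILE_MARKER + b"\x00" * 64,
        "docs/readme.txt": (b"Your files have been encrypted!\n"
                            b"Contact: op-one@example.com or op-two@example.net\n"
                            b"Hash: 0123456789abcdef0123456789abcdef\n"),
        "docs/notes.txt": b"nothing to see here\n",
        "logs/old.CRYPT": b"not dearcry at all\n",
        "tmp/partial.bin": FILE_MARKER + b"\x01" * 16,
        "readme.txt": b"Install notes, mail admin@example.org with questions\n",
    }
    for rel, data in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo() -> dict:
    """Build the sample tree in a temp dir and sweep it."""
    root = tempfile.mkdtemp(prefix="dearcry-demo-")
    build_sample_tree(root)
    return sweep(root)


if __name__ == "__main__":
    for bucket, paths in run_demo().items():
        print(f"{bucket}: {len(paths)}")
        for path in paths:
            print("   ", path)
```

The sweep deliberately keeps the extension and marker checks separate: a file that carries only one of the two may be a renamed file from a different family or an encryption run that was interrupted, and both are worth a look rather than a silent miss. The "msupdate" service that the article says DearCry tries to stop is a host-level indicator outside the scope of this file sweep.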
On February 26, four days before Microsoft released its fixes, attackers began compromising Microsoft Exchange servers en masse, as if they knew their window was about to close, Proofpoint's Ryan Kalember told Bloomberg. If there was a leak, Bloomberg reported, it could have come from independent researchers or from one of Microsoft's government or security partners. The leak could have been malicious or part of a separate security breach, the sources told Bloomberg. Microsoft declined to comment to Bloomberg and did not immediately respond to a request for comment from CRN.

