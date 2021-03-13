



Organizations running Microsoft Exchange have a new security problem: ransomware is now being installed on servers that were already infected by state-sponsored hackers operating in China.

Microsoft reported the new ransomware family late Thursday, stating that it is being deployed after an initial breach of the server. Microsoft's name for the new family is Ransom:Win32/DoejoCrypt.A; it is more commonly known as DearCry.

We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat, known as Ransom:Win32/DoejoCrypt.A and also as DearCry.

Microsoft Security Intelligence (@MsftSecIntel) March 12, 2021

Hafnium piggyback ride

Security firm Kryptos Logic said Friday afternoon that it had detected a Hafnium-infected Exchange server that was later infected with ransomware. Marcus Hutchins, a security researcher at Kryptos Logic, told Ars that the ransomware is DearCry.

According to Kryptos Logic, it has discovered 6,970 exposed web shells that were deployed by attackers exploiting the Exchange vulnerabilities. These shells are being used to deploy ransomware. A web shell is a backdoor that lets an attacker execute commands and run malicious code on an infected server through a browser-based interface.

We have discovered 6970 published web shells that have been exposed and deployed by actors exploiting Exchange vulnerabilities. These shells are used to deploy ransomware. If you're signed up for Telltale (https://t.co/caXU7rqHaI), you can be sure you're not affected.

Kryptos Logic (@kryptoslogic) March 12, 2021

Anyone who knows the URL of one of these public web shells has full control over the compromised server. The DearCry attackers are using these shells to deploy ransomware. The web shells were originally installed by Hafnium, the name Microsoft has given to the state-sponsored threat actor operating in China.

Hutchins said the attacks are "human-controlled," meaning the hackers manually install the ransomware on one Exchange server at a time. Not all of the nearly 7,000 servers have been hit by DearCry.

Basically, he was beginning to see criminals establish a foothold in networks using the shells left behind by Hafnium, Hutchins explained.

The ransomware deployment, which security experts had said was inevitable, highlights an important aspect of the ongoing response to securing servers compromised through ProxyLogon: installing the patch is not enough. Unless the web shell left behind is removed, the server remains open to intrusion by the hacker who originally installed the backdoor, or by any other hacker who finds a way to reach it.
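The check a defender wants after patching is an integrity comparison of the files that can execute server-side code under the web roots against a known-good manifest, since a patch does not remove a web shell that was dropped earlier. The script below is an added example; it is not part of the article and not code from Microsoft, Kryptos Logic, or Sophos. The web-root locations and the known-good manifest on a real server are assumptions the operator must supply (build the manifest from a clean install or a backup taken before exposure); the sample directory tree it builds for the demo is constructed.

```python
"""
Baseline comparison for server-side script files under IIS web roots.

Added example, not the article's or any vendor's code. Assumptions:
- the operator knows the web-root directories to watch;
- a known-good manifest (relative path -> SHA-256) exists from a clean
  install or a trusted pre-exposure backup.
"""
import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# File types IIS executes server-side; web shells dropped on Exchange
# servers are typically ASP.NET pages, so these are the extensions to watch.
SERVER_SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp"}


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 digest of a file's contents."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every server-side script file under root (relative POSIX path) to its digest.

    Run this against a clean install to produce the known-good baseline,
    and again later to see what the tree looks like now.
    """
    manifest: Dict[str, str] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() in SERVER_SCRIPT_EXTENSIONS:
                manifest[path.relative_to(root).as_posix()] = sha256_of(path)
    return manifest


def find_unexpected_files(root: Path, baseline: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Compare the current tree with the baseline.

    Returns (new_files, modified_files) as sorted lists of relative paths.
    A new script file in a directory that should only hold static content
    is the classic sign of a dropped web shell; a modified one may be a
    legitimate page that was backdoored. Both deserve investigation.
    """
    current = build_manifest(root)
    new_files = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return new_files, modified


def demo() -> Tuple[List[str], List[str]]:
    """Build a constructed web-root tree, baseline it, then plant changes.

    The directory names are placeholders for the demo, not real Exchange paths.
    """
    root = Path(tempfile.mkdtemp(prefix="webroot-demo-"))
    (root / "app").mkdir()
    (root / "app" / "login.aspx").write_text("<%@ Page %> legitimate page")
    (root / "app" / "logo.png").write_bytes(b"\x89PNG static content, ignored")
    baseline = build_manifest(root)  # taken while the tree is clean

    # Simulate what a post-compromise tree looks like: one dropped file and
    # one legitimate page whose contents changed.
    (root / "static").mkdir()
    (root / "static" / "unexpected.aspx").write_text("<%@ Page %> planted file (constructed)")
    (root / "app" / "login.aspx").write_text("<%@ Page %> legitimate page, altered")
    return find_unexpected_files(root, baseline)


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Usage: python check_webroot.py <web_root> <baseline.json>
        web_root, manifest_file = Path(sys.argv[1]), Path(sys.argv[2])
        known_good = json.loads(manifest_file.read_text())
        new_files, modified = find_unexpected_files(web_root, known_good)
    else:
        new_files, modified = demo()
    print("new script files:     ", new_files)
    print("modified script files:", modified)
```

Run without arguments to see the constructed demo; with a web root and a JSON manifest it compares a real tree. Anything reported as new or modified should be treated as evidence of a foothold until an administrator can account for it, and the manifest itself must live somewhere the compromised server cannot rewrite.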

Little is known about DearCry. Security company Sophos said it is based on a public-key cryptosystem in which the public key is embedded in the files that install the ransomware. This lets the ransomware encrypt files without first contacting a command-and-control server. To decrypt the data, the victim needs the corresponding private key, which only the attacker holds.

What you need to know about #DearCry, by Mark Loman (@markloman), Director of Engineering, Sophos Technology Office (thread):

From an encryption perspective, DearCry is what Sophos ransomware experts call "copy" ransomware.

1/9

SophosLabs (@SophosLabs) March 12, 2021

DearCry was first discovered by security expert Mark Gillespie, who runs a service that helps researchers identify malware strains. On Thursday, he reported that since Tuesday he had been receiving queries from Exchange servers in the United States, Canada, and Australia about malware containing the string DEARCRY.

He later found someone on the Bleeping Computer user forums reporting that ransomware had been installed on a server that was first exploited by Hafnium. Bleeping Computer quickly confirmed that hunch.

John Hultquist, vice president at security firm Mandiant, said that using the web shells to install malware on servers, rather than exploiting the ProxyLogon vulnerability directly on unpatched ones, could be a fast and efficient tool for attackers. And, as noted earlier, even if a server has been patched, ransomware operators can still compromise the machine if the web shell has not been removed.

In an email, Hultquist said he expects ransomware attackers to exploit the Exchange vulnerabilities in the short term. While many unpatched organizations may be exploited by cyber-espionage actors, criminal ransomware operations, which disrupt organizations and release stolen emails to extort their victims, can pose a greater risk.

The post has been updated to remove “7,000” from the headline, making it clear that not all are infected with ransomware.
