DearCry Ransomware

DearCry Ransomware Description

Cybercriminals have begun exploiting the four Exchange Server zero-day vulnerabilities collectively known as ProxyLogon to drop a new ransomware threat called DearCry on compromised servers. The name appears to be an homage to the infamous WannaCry ransomware, which in 2017 infected hundreds of thousands of systems across the world by exploiting a different Microsoft vulnerability, the SMBv1 flaw targeted by the EternalBlue exploit.

The DearCry campaign relies on the ProxyLogon compromise of on-premises Microsoft Exchange servers to gain initial access to the targeted systems: the attackers plant a webshell on the exploited server and use it to drop and run the ransomware. Infosec researchers have already identified close to 7,000 publicly exposed webshells of the kind used to deploy DearCry. Analysis of the threat's code shows that it targets approximately 80 file extensions (the list as published contains a few duplicates, such as .CAD, .LOG and .EDB):

.TIF, .TIFF, .PDF, .XLS, .XLSX, .XLTM, .PS, .PPS, .PPT, .PPTX, .DOC, .DOCX, .LOG, .MSG, .RTF, .TEX, .TXT, .CAD, .WPS, .EML, .INI, .CSS, .HTM, .HTML, .XHTML, .JS, .JSP, .PHP, .KEYCHAIN, .PEM, .SQL, .APK, .APP, .BAT, .CGI, .ASPX, .CER, .CFM, .C, .CPP, .GO, .CONFIG, .PL, .PY, .DWG, .XML, .JPG, .BMP, .PNG, .EXE, .DLL, .CAD, .AVI, .H, .CSV, .DAT, .ISO, .PST, .PGD, .7Z, .RAR, .ZIP, .ZIPX, .TAR, .PDB, .BIN, .DB, .MDB, .MDF, .BAK, .LOG, .EDB, .STM, .DBF, .ORA, .GPG, .EDB, .MFS.

Files matching the list are encrypted with a combination of AES-256 and RSA-2048: the file contents are encrypted with AES-256, and the AES key is in turn encrypted with an RSA-2048 public key embedded in the ransomware, so without the attackers' private key the data cannot be recovered. Each encrypted file begins with the marker string 'DEARCRY!', and '.CRYPT' is appended to the original filename as a new extension (for example, report.pdf becomes report.pdf.CRYPT). Before starting its encryption routine, DearCry enumerates all logical drives connected to the system, skipping CD-ROM drives.
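As an added illustration, not code from this page or from any published DearCry analysis, the following Python script uses the two on-disk indicators described above (the 'DEARCRY!' marker at the start of the file and the '.CRYPT' extension) to triage a directory tree after a suspected infection: it lists encrypted files, recovers the original extension to show which of the targeted file types were hit, and flags encrypted files whose original extension is not on the published list. Requiring both indicators avoids false positives from unrelated tools that also use a .crypt extension. The sample directory it builds is constructed for the demonstration, and the subset of targeted extensions is a placeholder to be extended with the full list above.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the description above: the marker written at the
# start of each encrypted file and the extension appended to the filename.
DEARCRY_MAGIC = b"DEARCRY!"
CRYPT_EXT = ".crypt"

# Placeholder subset of the targeted extensions listed on this page
# (lower-cased for comparison); extend with the full list as needed.
TARGETED_EXTS = {".pdf", ".docx", ".xlsx", ".pst", ".edb", ".pem",
                 ".sql", ".bak", ".log", ".txt"}


def is_dearcry_encrypted(path):
    """True when the file has the .CRYPT extension AND starts with the
    DEARCRY! marker; both are required to keep false positives down."""
    p = Path(path)
    if p.suffix.lower() != CRYPT_EXT:
        return False
    try:
        with open(p, "rb") as fh:
            return fh.read(len(DEARCRY_MAGIC)) == DEARCRY_MAGIC
    except OSError:
        return False


def original_extension(path):
    """Recover the pre-encryption extension: 'report.pdf.CRYPT' -> '.pdf'."""
    name = Path(path).name
    if name.lower().endswith(CRYPT_EXT):
        name = name[:-len(CRYPT_EXT)]
    return Path(name).suffix.lower()


def triage(root):
    """Walk a directory tree and summarise DearCry artifacts.

    Returns (encrypted_files, ext_counts, untargeted): ext_counts maps each
    original extension to the number of encrypted files carrying it, and
    untargeted lists encrypted files whose original extension is not on the
    published list (worth a second look: a list gap or a different tool)."""
    encrypted, ext_counts, untargeted = [], {}, []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not is_dearcry_encrypted(full):
                continue
            encrypted.append(full)
            ext = original_extension(full)
            ext_counts[ext] = ext_counts.get(ext, 0) + 1
            if ext not in TARGETED_EXTS:
                untargeted.append(full)
    return encrypted, ext_counts, untargeted


def build_sample_tree():
    """Constructed sample data (not a real infection): a temp directory with
    three DearCry-style files, one decoy .crypt file with the wrong header,
    and one untouched document. The bytes after the marker are filler."""
    root = tempfile.mkdtemp(prefix="dearcry_demo_")
    (Path(root) / "report.pdf.CRYPT").write_bytes(DEARCRY_MAGIC + b"\x00" * 256)
    sub = Path(root) / "mail"
    sub.mkdir()
    (sub / "archive.pst.CRYPT").write_bytes(DEARCRY_MAGIC + b"\x01" * 256)
    (Path(root) / "image.webp.CRYPT").write_bytes(DEARCRY_MAGIC + b"\x02" * 256)
    (Path(root) / "notes.txt.crypt").write_bytes(b"OTHER!!!" + b"x" * 32)
    (Path(root) / "readme.txt").write_bytes(b"plain text")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    found, per_ext, odd = triage(demo_root)
    print(f"{len(found)} DearCry-encrypted files under {demo_root}")
    for ext, n in sorted(per_ext.items()):
        print(f"  {ext}: {n}")
    for path in odd:
        print(f"  not on the published extension list: {path}")
```

Run it against a mounted image of the affected volume instead of the demo tree; the per-extension counts give a quick picture of which data stores (for example .PST or .EDB files) were hit, and anything reported as not on the list deserves manual inspection before assuming DearCry was the only tool involved.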

The ransom note left for the victims is extremely short and contains little beyond two email addresses the attackers leave as contact channels. Victims are instructed to write to either 'konedieyp@airmail.com' or 'wewonken@memail.com' and to include the specific hash string found in the ransom note, which the attackers presumably use to identify the victim.

Microsoft has issued an official warning about DearCry, which it detects as Ransom:Win32/DoejoCrypt.A, and advises on-premises Exchange Server customers to apply the recently released Exchange Server security updates immediately. Patching alone does not remove a webshell that was planted before the update, so servers that were exposed while unpatched should also be checked for existing compromise.