Sophos uncovers more ransomware after increased attacks on Microsoft Exchange servers

Following the reporting of the Microsoft Exchange vulnerabilities and the out-of-band release of security patches on March 2nd, Sophos security researchers have started to identify other adversaries beyond Hafnium exploiting these bugs to launch attacks. One of these is DearCry ransomware.

Sophos has published an analysis of samples of DearCry ransomware: DearCry attacks exploit Exchange server vulnerabilities. The article outlines some new and interesting discoveries about its encryption behaviour and more.

According to ransomware expert at Sophos and director, engineering technology office, Mark Loman, the analysis uncovered a rare encryption attack behaviour which is a ‘hybrid’ approach.

The only other ransomware I’ve investigated over the years that employed a hybrid approach was WannaCry, and this was auto spreading rather than human-operated like DearCry. Both first create an encrypted copy of the attacked file, an approach we call ‘copy’ encryption and then overwrite the original file to prevent recovery, what we call ‘in-place’ encryption.

Mark Loman

“‘Copy’ ransomware allows victims to potentially recover some data. However, with ‘in-place’ encryption, recovery via undelete tools is impossible. Notorious human-operated ransomware like Ryuk, REvil, BitPaymer, Maze and Clop, use ‘in-place’ encryption only,” he said.

DearCry exhibits a number of unusual characteristics, including the fact that the ransomware actor has been creating new binaries for new victims. The list of file types targeted has evolved from victim-to-victim too.

Mark Loman pointed out that the Sophos analysis further shows that the code does not come with the kind of anti-detection features one would normally expect with ransomware, like packing or obfuscation. These and other signs suggest that DearCry may be a prototype, possibly rushed into use to seize the opportunity presented by the Microsoft Exchange Server vulnerabilities, or created by less experienced developers.

“Defenders should take urgent steps to install Microsoft’s patches to prevent exploitation of their Exchange Server. If this is not possible, the server should be disconnected from the internet or closely monitored by a threat response team,” he said.