DEARCRY is targeting Microsoft Exchange servers with ProxyLogon exploits

Newly discovered ransomware, DEARCRY, has been found being distributed by hacking Microsoft Exchange servers.

The hack is possible because of the recently disclosed ProxyLogon vulnerabilities (four vulnerabilities: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065).

By exploiting these vulnerabilities, attackers can achieve remote code execution on Microsoft Exchange servers through Outlook on the web (OWA).

On the 9th of December, a number of victims began submitting a new ransom note and encrypted files to ID-Ransomware, the ransomware identification site run by Michael Gillespie. Gillespie found that almost all of the submissions came from Microsoft Exchange servers.

Also, on various forums there were threads in which people discussed that their Microsoft Exchange server had been compromised using the ProxyLogon vulnerability and that the DEARCRY ransomware was the payload.

Today, Microsoft confirmed that DEARCRY is being installed in human-operated attacks on Microsoft Exchange servers through the vulnerabilities stated above.

MalwareHunterTeam found three samples of this ransomware on VirusTotal. They are executables compiled with MinGW. One of them contains the following PDB path:

C:\Users\john\Documents\Visual Studio 2008\Projects\EncryptFile -svcV2\Release\EncryptFile.exe.pdb

Vitali Kremez from Advanced Intel stated that, after being launched successfully, DEARCRY tries to shut down a Windows service named “msupdate” (which is not a legitimate Windows service).

After this, the ransomware encrypts stored files, appends the .CRYPT extension to their filenames and writes the string DEARCRY! at the beginning of each encrypted file. The encryption is done using AES-256 combined with RSA-2048.

After that, the ransomware drops a ransom note in a file named readme.txt on the desktop. The ransom note contains the ransom demand, email addresses belonging to the crooks and a unique hash (which is an MD4 hash of the RSA public key, according to Gillespie).
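A defender-side triage check built from the indicators described above (the .CRYPT extension, the DEARCRY! marker at the start of each encrypted file, and the readme.txt note), added here as an example and not taken from the article or from any vendor tool; the file tree it scans is constructed inline as sample data.

```python
import os
import tempfile
from pathlib import Path

MARKER = b"DEARCRY!"        # string the ransomware writes at the start of each encrypted file
EXT = ".crypt"              # extension appended to encrypted filenames (.CRYPT, compared case-insensitively)
NOTE_NAME = "readme.txt"    # name of the dropped ransom note

def has_marker(path: Path) -> bool:
    """Return True if the file starts with the DEARCRY! marker bytes."""
    try:
        with open(path, "rb") as f:
            return f.read(len(MARKER)) == MARKER
    except OSError:
        return False

def scan_tree(root) -> dict:
    """Walk root and sort files into encrypted (marker + extension), marker_only, ext_only and ransom notes."""
    found = {"encrypted": [], "marker_only": [], "ext_only": [], "notes": []}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if name.lower() == NOTE_NAME:
                found["notes"].append(str(p))
                continue
            ext_hit = p.suffix.lower() == EXT
            mark_hit = has_marker(p)
            if ext_hit and mark_hit:
                found["encrypted"].append(str(p))
            elif mark_hit:
                found["marker_only"].append(str(p))   # header present, extension missing: still worth a look
            elif ext_hit:
                found["ext_only"].append(str(p))      # extension only: not confirmed as DEARCRY output
    return found

def build_sample_tree(base: Path) -> None:
    """Constructed sample data: two encrypted files, one decoy .crypt file, one clean file and a note."""
    (base / "docs").mkdir()
    (base / "docs" / "budget.xlsx.CRYPT").write_bytes(MARKER + b"\x00" * 64)
    (base / "docs" / "memo.docx.CRYPT").write_bytes(MARKER + b"\x11" * 32)
    (base / "docs" / "unrelated.crypt").write_bytes(b"not ransomware output")
    (base / "docs" / "clean.txt").write_bytes(b"plain text")
    (base / "readme.txt").write_text("sample note placeholder")

def demo() -> dict:
    """Scan a temporary constructed tree and return the count per category."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return {k: len(v) for k, v in scan_tree(base).items()}
```

Point `scan_tree` at a mounted copy of a suspect volume rather than the live system, so the check itself never modifies evidence.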

At present, the ransomware does not have any known weaknesses that would allow victims to recover their files for free.

The good news is that tens of thousands of Microsoft Exchange servers have been patched over the last three days. However, there are still approximately 80,000 older servers that cannot directly apply the recent security updates, according to Palo Alto Networks.

Matt Kraning, Chief Technology Officer, Cortex at Palo Alto Networks, said, “I’ve never seen security patch rates this high for any system, much less one as widely deployed as Microsoft Exchange. Still, we urge organizations running all versions of Exchange to assume they were compromised before they patched their systems, because we know attackers were exploiting these zero-day vulnerabilities in the wild for at least two months before Microsoft released the patches on March 2.”