Earlier this month, a Chinese cyberespionage group went to town on the vulnerabilities disclosed in Microsoft Exchange Server. It has mostly been a downhill ride since then. Hackers from every corner wanted a piece of those vulnerabilities to exploit. DearCry is a ransomware strain that has been riding the coattails of the vulnerabilities. But, is it really special?
What’s going on?
First off, DearCry is not really unique or sophisticated. Compared to the other ransomware strains parading around the threat landscape, this is an exceptionally crude one that lacks even basic obfuscation. Moreover, it relies on human interaction instead of a C2 server. The ransomware encrypts specific files, which renders a computer inoperable. This is unusual, since victims typically need a working system to pay the ransom.
So, why are we still talking about it?
- The encryption approach taken by this ransomware matches that of WannaCry; however, no other similarities have been observed between the two.
- It creates new binaries for each new victim, and the file types targeted vary from victim to victim.
- Experts believe that this is a prototype of a new ransomware variant and thus could become far more dangerous.
Some stats your way
Although these stats are not directly related to DearCry, they concern the vulnerabilities in Exchange servers and hence should be considered.
- Hafnium has compromised at least 30,000 organizations in the U.S. alone, with hundreds of thousands of Exchange mail servers around the globe.
- There are still 10,000 unpatched systems in the U.S.
- As per research by Shadowserver and Kryptos Logic, 59,218 distinct, possibly vulnerable Exchange servers have been detected on 59,142 unique IP addresses corresponding to 6,501 different Autonomous System Numbers (ASNs), geo-locating to 211 different countries.
The bottom line
DearCry seems like a precursor to the threats that will follow. It is the first ransomware to leverage these flaws, but it definitely won’t be the last. Therefore, it is recommended that organizations patch on-premises Microsoft Exchange servers and keep a lookout for IOCs.