Microsoft Exchange servers exposed with ProxyLogon exploit
According to an announcement made by Microsoft today, a malicious actor has been found abusing the ProxyLogon vulnerabilities in Microsoft Exchange email servers in an attempt to deploy ransomware on unpatched systems. The malware used in the attack goes under the name of DearCry and seeks to encrypt the content of the unprotected servers in order to demand a ransom.
The DearCry Ransomware
From what has been revealed so far, it seems that the attackers behind DearCry have decided to take advantage of the ProxyLogon bugs by developing their own exploit tool that targets unpatched Exchange email servers.
The attack most likely comes as a follow-up to last week's news about the hack on Microsoft's Exchange email software.
According to security researchers, DearCry ransomware attacks have seen a spike since March 9. A number of victims have reported the threat by publishing copies of the ransom note online after the malware encrypted their systems.
As per the reports, the DearCry attacks are small in scale, but victims of the threat have been registered all across the globe, including in Canada, the United States, Denmark, Austria, and Australia. There are no reports of many large entities being hit, and most of the compromised companies are small.
Currently, Microsoft Defender detects DearCry as Ransom:Win32/DoejoCrypt.A. As soon as the ransomware runs on the target server, it immediately encrypts the files on it and appends a .CRYPT extension to each of them.
The initial analysis of the threat shows no indication of weaknesses or mistakes in the code that could be abused to break the applied encryption and decrypt the sealed files without paying a ransom.
Multiple sources share the opinion that the ransomware has no relation to any large-scale threat actor and was most likely put together quickly in an attempt to exploit the published Microsoft Exchange flaws.
To limit the scale of the threat and the possibility of future abuse, security experts have been warning Exchange server operators to patch their systems without delay, as cybercriminal gangs are quick to take advantage of known security holes by employing various types of malware in their criminal schemes.