Cybercriminals are now targeting Microsoft Exchange servers with a new ransomware called "DearCry" (also written "DEARCRY"). The attackers install the ransomware after first compromising the servers through the recently disclosed ProxyLogon vulnerabilities.
When Microsoft revealed that cybercriminals were hacking into Microsoft Exchange servers using new zero-day vulnerabilities, many feared that attackers would soon begin exploiting the vulnerabilities to launch ransomware attacks.
That fear has now come true: attackers are targeting Microsoft Exchange servers with the DearCry ransomware.
According to Michael Gillespie, the creator of the ransomware identification site ID Ransomware, over the last three days a number of users have started reporting that they have fallen victim to a new ransomware.
Gillespie found that almost all of the reports were related to Microsoft Exchange servers.
Microsoft has confirmed that DearCry ransomware is being used in attacks on Microsoft Exchange servers, exploiting ProxyLogon vulnerabilities.
MalwareHunterTeam was able to find three samples of this ransomware on VirusTotal. All are MinGW-compiled executables.
According to Vitali Kremez of Advanced Intel, DearCry first tries to stop a Windows service called "msupdate". What this service does is not known, but it is probably not a legitimate Windows service.
The ransomware then starts encrypting files on the computer, appending the .CRYPT extension to each encrypted file.
Gillespie told BleepingComputer that the ransomware uses AES-256 + RSA-2048 to encrypt the files.
Once encryption is complete, the ransomware creates a ransom note called "readme.txt" on the Windows desktop. The note contains two e-mail addresses for the attackers and a unique hash, which, according to Gillespie, is an MD4 hash of the RSA public key.
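The indicators above (files renamed with an appended .CRYPT extension, a readme.txt note on the desktop holding two e-mail addresses and a hash) are enough for a first triage pass on a suspected host. The script below is an added example written for this article, not code from Bleeping Computer or from the researchers quoted; the sample paths, the note layout and the e-mail addresses in it are constructed for the demonstration, and the 32-hex-character hash pattern simply reflects the 128-bit MD4 digest length, not a documented note format. The "msupdate" service check is a separate step and is not covered here.

```python
"""Triage helper for DearCry-style artifacts (added example, not the article's code).

Indicators taken from the article:
  - encrypted files carry an appended .CRYPT extension
  - a ransom note named readme.txt is dropped on the desktop
  - the note holds two attacker e-mail addresses and a hash
The note layout, sample paths and addresses below are constructed.
"""
import os
import re
from collections import Counter

CRYPT_EXT = ".crypt"
NOTE_NAME = "readme.txt"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# MD4 produces a 128-bit digest, i.e. 32 hex characters (assumed hex rendering).
HASH_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")


def classify_path(path):
    """Return 'encrypted', 'note' or None for a single file path (Windows or POSIX)."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name.endswith(CRYPT_EXT):
        return "encrypted"
    if name == NOTE_NAME:
        return "note"
    return None


def parse_note(text):
    """Pull the attacker contact addresses and the hash out of a ransom note body."""
    emails = sorted(set(EMAIL_RE.findall(text)))
    hashes = HASH_RE.findall(text)
    return {
        "emails": emails,
        "hashes": hashes,
        # Article: the note contains two e-mail addresses and one unique hash.
        "looks_like_dearcry": len(emails) == 2 and len(hashes) == 1,
    }


def triage(paths, note_texts):
    """Summarise indicators over a list of paths.

    note_texts maps a note path to its contents so the function can run on an
    in-memory listing (for tests) as well as on a real scan.
    """
    encrypted = [p for p in paths if classify_path(p) == "encrypted"]
    notes = {
        p: parse_note(note_texts.get(p, ""))
        for p in paths
        if classify_path(p) == "note"
    }
    # Original extension sits just before the appended .CRYPT, e.g. report.docx.CRYPT
    original_extensions = Counter()
    for p in encrypted:
        stem = p.replace("\\", "/").rsplit("/", 1)[-1].lower()[: -len(CRYPT_EXT)]
        original_extensions[stem.rsplit(".", 1)[-1] if "." in stem else ""] += 1
    return {
        "encrypted": encrypted,
        "original_extensions": original_extensions,
        "notes": notes,
        "suspicious": bool(encrypted) or any(n["looks_like_dearcry"] for n in notes.values()),
    }


def scan_directory(root):
    """Walk a real directory tree and run triage on what is found."""
    paths, note_texts = [], {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            paths.append(full)
            if classify_path(full) == "note":
                try:
                    with open(full, "r", errors="replace") as fh:
                        note_texts[full] = fh.read()
                except OSError:
                    note_texts[full] = ""
    return triage(paths, note_texts)


# Constructed sample listing and note; not real victim data.
SAMPLE_PATHS = [
    r"C:\Users\Administrator\Desktop\readme.txt",
    r"C:\Data\reports\report.docx.CRYPT",
    r"C:\Data\archive\backup.bak.CRYPT",
    r"C:\Windows\System32\drivers\etc\hosts",
]
SAMPLE_NOTE = (
    "Your files have been encrypted!\n"
    "Contact: attacker1@example.invalid or attacker2@example.invalid\n"
    "Your hash: 0123456789abcdef0123456789abcdef\n"
)


def run_sample():
    """Run triage over the constructed sample; used by the demo and the test."""
    return triage(SAMPLE_PATHS, {SAMPLE_PATHS[0]: SAMPLE_NOTE})


if __name__ == "__main__":
    result = run_sample()
    print("suspicious:", result["suspicious"])
    print("encrypted files:", len(result["encrypted"]), dict(result["original_extensions"]))
    for path, info in result["notes"].items():
        print("note:", path, info)
```

On a live host, `scan_directory(r"C:\")` produces the same summary from the real file system; the count of original extensions is handy for scoping which data sets were hit before any restore from backup is planned.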
One of the victims stated that the attackers demanded $16,000 from him.
So far, no weakness has been found in the ransomware that would allow affected Microsoft Exchange server operators to recover their data without paying the ransom.
Update the systems immediately!
As noted above, the ransomware is installed by exploiting the ProxyLogon vulnerabilities, so unpatched Microsoft Exchange servers are at risk.
Useful information: Microsoft fixes Exchange zero-day vulnerabilities
According to new data from Palo Alto Networks, tens of thousands of Microsoft Exchange servers have been updated in the last three days. However, the company says that about 80,000 servers still have not applied the latest security updates.
All organizations should apply the patches as soon as possible to avoid falling victim to DearCry ransomware and other attacks.
Source: Bleeping Computer