‘Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers,’ Microsoft Security Program Manager Phillip Misner tweeted Thursday night.
Adversaries are deploying DearCry ransomware on victim systems after hacking into on-premise Microsoft Exchange servers that remain unpatched, Microsoft acknowledged late Thursday.
“Microsoft observed a new family of human operated ransomware attack customers,” Microsoft Security Program Manager Phillip Misner tweeted at 9:19 p.m. ET Thursday. “Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers.”
Misner’s tweet came less than two hours after BleepingComputer reported that threat actors were taking advantage of the new zero-day ProxyLogon vulnerabilities in Microsoft Exchange servers to install the DearCry ransomware. Microsoft Defender customers who receive automatic updates are now protected against this ransomware without having to take any action, according to Microsoft Security Intelligence.
“We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers,” Microsoft Security Intelligence tweeted at 11:53 p.m. ET Thursday. “Microsoft protects against this threat known as … DearCry.”
Microsoft directed on-premises Exchange Server customers to prioritize the security updates it released this week, which are intended for customers who are unable to update their Exchange environment to a version for which Microsoft already has patches available. There are still approximately 80,000 older servers that cannot directly apply Microsoft’s recent security updates, Palo Alto Networks told BleepingComputer.
The DearCry ransomware attacks were first brought to the public’s attention late Thursday afternoon following a tweet from ID-Ransomware site creator Michael Gillespie. “ID Ransomware is getting sudden swarm of submissions with ‘.CRYPT’ and filemarker ‘DEARCRY!’ coming from IPs of Exchange servers from US, CA [Canada], AU [Australia] on quick look,” Gillespie tweeted at 4:31 p.m. ET Thursday.
When launched, the DearCry ransomware will attempt to shut down a Windows service named ‘msupdate,’ which doesn’t appear to be a legitimate Windows service, Advanced Intelligence CEO Vitali Kremez told BleepingComputer. For at least one of the victims, the DearCry ransomware operators demanded a ransom of $16,000, according to BleepingComputer.
BleepingComputer reported that, once it has finished encrypting the computer, DearCry creates a simple ransom note named ‘readme.txt’ that contains two email addresses for the ransomware operators as well as a unique hash. BleepingComputer said the ransomware doesn’t appear to have any weaknesses that would allow victims to recover their files for free.
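A defender-side triage scanner built from the indicators reported above (the ‘.CRYPT’ extension, the ‘DEARCRY!’ file marker and the ‘readme.txt’ note). This is an added example, not code from Microsoft, BleepingComputer or any other source cited here; the 4 KiB window in which the marker is looked for, and the sample files it builds, are assumptions.

```python
import os
import tempfile
from pathlib import Path

# Indicators reported for DearCry in the article: encrypted files carry a
# ".CRYPT" extension and a "DEARCRY!" file marker, and a "readme.txt" ransom
# note is dropped. The article does not say where the marker sits; this
# example assumes it appears within the first 4 KiB of the file.
CRYPT_EXT = ".CRYPT"
FILE_MARKER = b"DEARCRY!"
NOTE_NAME = "readme.txt"
MARKER_WINDOW = 4096  # assumption: marker is near the start of the file


def has_marker(path: Path) -> bool:
    """True if the DEARCRY! marker appears in the file's leading bytes."""
    try:
        with open(path, "rb") as fh:
            return FILE_MARKER in fh.read(MARKER_WINDOW)
    except OSError:
        return False


def scan_tree(root) -> dict:
    """Walk `root` and collect DearCry-style indicators for incident triage."""
    hits = {"crypt_ext": [], "marker": [], "ransom_notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.lower() == NOTE_NAME:
                hits["ransom_notes"].append(str(p))
            if p.suffix.upper() == CRYPT_EXT:
                hits["crypt_ext"].append(str(p))
            if has_marker(p):
                hits["marker"].append(str(p))
    return hits


def demo() -> dict:
    """Build a constructed sample tree (not real ransomware output) and scan it."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    # constructed: one "encrypted" file with the marker, one untouched file, one note
    (root / "docs" / "budget.xlsx.CRYPT").write_bytes(FILE_MARKER + b"\x00" * 64)
    (root / "docs" / "notes.txt").write_bytes(b"plain text, untouched")
    (root / "readme.txt").write_text("constructed placeholder note")
    return scan_tree(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {len(paths)} hit(s)")
```

Run the scanner against a file share or mailbox export directory to scope which hosts and paths were touched before restoring from backup.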
More ransomware groups are expected to exploit the Microsoft Exchange vulnerabilities in the near-term, according to John Hultquist, vice president of analysis for Mandiant Threat Intelligence.
“Though many of the still unpatched organizations may have been exploited by cyber espionage actors, criminal ransomware operations may pose a greater risk as they disrupt organizations and even extort victims by releasing stolen emails,” Hultquist said in a statement. “Ransomware operators can monetize their access by encrypting emails or threatening to leak them, a tactic they have recently adopted.”
This Microsoft Exchange hack has taken on increased urgency as of late, with ESET saying Wednesday that at least 10 different advanced hacking groups are taking advantage of the zero-day vulnerabilities. Multiple hacking groups gained access to the details of the vulnerabilities before Microsoft released its patch, which rules out the possibility that they learned of the flaws by reverse engineering Microsoft’s updates.
Microsoft is looking into whether a leak may have triggered mass Exchange server compromises ahead of its patch release, two sources with knowledge of the company’s response told Bloomberg Friday. On Feb. 26, four days before Microsoft released its patches, attackers began infiltrating Microsoft Exchange en masse as if they knew their window was about to close, Proofpoint’s Ryan Kalember told Bloomberg.
If there was a leak, Bloomberg reported it may have come from independent researchers or from one of the company’s security or government partners. The leak either could have been malicious or alternatively could have been part of a separate security breach, sources told Bloomberg.