FortiGuard Labs is currently tracking multiple reports of a new ransomware campaign, known as DearCry. This malware campaign targets the same four Microsoft Exchange Server vulnerabilities we reported on last week that were exploited by a number of threat actors, including the Chinese nation-stare group known as Hafnium.
The four vulnerabilities being targeted by DoejoCrypt/DearCry are CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The attack chain targets a Microsoft Exchange server able to receive untrusted connections from an external source. Once installed, the DearCry ransomware creates encrypted copies of the attacked files and deletes the originals.
DearCry Ransomware Details
The DearCry ransomware uses AES-256 encryption during its encryption routine to encrypt targeted files and then uses an RSA-2048 key to encrypt the AES key for further damage. Complicating things further, the public-key cryptosystem used to encrypt these files has its public encryption key embedded in the ransomware binary, which means that DearCry does not need to contact the attacker’s command-and-control server to encrypt files on the server. As a result, even Exchange Servers setup to only allow internet access to the Exchange services will still become encrypted. Without the decryption key, which is held by the attackers, decryption is not possible.
The ransomware targets files with the following extensions for encryption: .7Z, .APK, .APP, .ASPX, .AVI, .BAK, .BAT, .BIN, .BMP, .C, .CAD, .CER, .CFM, .CGI, .CONFIG, .CPP, .CSS, .CSV, .DAT, .DB, .DBF, .DLL, .DOC, .DOCX, .DWG, .EDB, .EDB, .EML, .EXE, .GO, .GPG, .H, .HTM, .HTML, .INI, .ISO, .JPG, .JS, .JSP, .KEYCHAIN, .LOG, .MDB, .MDF, .MFS, .MSG, .ORA, .PDB, .PDF, .PEM, .PGD, .PHP, .PL, .PNG, .PPS, .PPT, .PPTX, .PS, .PST, .PY, .RAR, .RTF, .SQL, .STM, .TAR, .TEX, .TIF, .TIFF, .TXT, .WPS, .XHTML, .XLS, .XLSX, .XLTM, .XML, .ZIP, .ZIPX
Once all targeted file types have been located, the files are encrypted and tagged with a .CRYPT extension. These encrypted files also have the string DEARCRY! added to the beginning of the file header during encryption.
Fortinet Protections for DearCry Ransomware
FortiGate AV
Customers running current FortiGate AV definitions are protected from DoejoCrypt/DearCry ransomware variants with the following:
W32/Filecoder.OGE!tr
PossibleThreat.ARN.H
W32/Encoder.OGE!tr.ransom
W32/Encoder!tr
FortiGate IPS
The following IPS signatures, released on March 3-4, 2021, stop ransomware like DearCry from exploiting the four Microsoft Exchange Server vulnerabilities listed above. All Fortinet customers with an active subscription and current update are currently protected.
MS.Exchange.Server.ProxyRequestHandler.Remote.Code.Execution
MS.Exchange.Server.UM.Core.Remote.Code.Execution
MS.Exchange.Server.CVE-2021-27065.Remote.Code.Execution
MS.Exchange.Server.CVE-2021-26858.Remote.Code.Execution
FortiEDR/FortiXDR
Testing by FortiGuard Labs shows that default FortiEDR and FortiXDR deployments detect and block DoejoCrypt/DearCry ransomware activity out of the box.
FortiGuard Labs
For further details about the DearCry ransomware attack, please refer to the recent Threat Signal, Campaigns Leveraging Recent Microsoft Exchange Server Vulnerabilities to Install DoejoCrypt/DearCry Ransomware Observed in the Wild, posted on March 12th. And for additional details on the Exchange Server vulnerabilities being targeted by DearCry, please refer to the Threat Signal, Out-of-Band Patches Released for Active Exploitation of Microsoft Exchange Server, posted on March 3rd.
FortiGuard Labs will continue to monitor this issue and provide additional updates should new information or proof of concept code related to this event become available.
Microsoft Exchange Mitigations
Out-of-band patches were made available from Microsoft for download on March 2nd, 2021. It is recommended that all available patches for affected Microsoft Exchange servers are applied immediately, if feasible.
Microsoft has released critical information about these vulnerabilities. They have also developed two new threat detection tools for these attacks. The first, Test-ProxyLogon.ps1, is designed to scan for known indicators of compromise (IOC). The second, known as ExchangeMitigations.ps1, scans for web shells, which are scripts that grant threat actors remote access and, in some cases, complete control of a compromised server. This script automates all four of the commands found in the Microsoft Hafnium blog post.
Other Mitigations
In addition to immediately installing the available patches on Exchange Servers, Microsoft recommends restricting untrusted connections or setting up a VPN to separate the Exchange server from external access. Using this mitigation will only protect against the initial portion of the attack, however. Other portions of the chain still can be triggered if an attacker already has access or can convince an administrator via social engineering methods to open a malicious file. In the case of DearCry, no external connection is required to begin encrypting files once the malware has been loaded.
Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed, and updated to protect against attackers establishing a foothold within a network.