DearCry Ransomware and the HAFNIUM Attacks – What You Need to Know

The widespread HAFNIUM attacks were just the beginning of the problems stemming from multiple vulnerabilities in Microsoft’s Exchange offering that were recently disclosed. According to Bleeping Computer, users began submitting new ransomware attack reports to the ID-Ransomware identification site on March 9 that site creator Michael Gillespie later determined had likely originated on Microsoft Exchange servers.

That same day, a user created a forum topic on Bleeping Computer’s site stating that attackers were abusing residual webshells leftover from the recent HAFNIUM attacks that targeted vulnerabilities in Microsoft Exchange servers to install a new ransomware variant.

Two days later, Phillip Misner, security principal and group manager at Microsoft, confirmed in a tweet that attackers were using elements of the HAFNIUM attacks to further target impacted organizations with the new ransomware dubbed Ransom:Win32/DoejoCrypt.A, also known as DearCry, which was observed to have impacted victims in the United States, Germany, Indonesia and elsewhere.

The DearCry Ransomware Attacks

Analysis of DearCry revealed that the ransomware ran a non-native Windows service called “msupdate” upon execution, then this service was terminated after the attack completed the encryption routine for the targeted systems. Additionally, DearCry enumerated all logical drives except CD-ROM on the Windows operating system so that it could use an RSA public key to encrypt the victim’s information.

Sponsorships Available

Sponsorships Available

Sponsorships Available

Ultimately, it was observed that the ransomware used both AES-256 and RSA-2048 to encrypt victim files and to insert the string ‘DearCry!’ into the file headers. The threat was capable of encrypting files with 78 different file extensions, including:

.TIF, .TIFF, .PDF, .XLS, .XLSX, .XLTM, .PS, .PPS, .PPT, .PPTX, .DOC, .DOCX, .LOG, .MSG, .RTF, .TEX, .TXT, .CAD, .WPS, .EML, .INI, .CSS, .HTM, .HTML, .XHTML, .JS, .JSP, .PHP, .KEYCHAIN, .PEM, .SQL, .APK, .APP, .BAT, .CGI, .ASPX, .CER, .CFM, .C, .CPP, .GO, .CONFIG, .PL, .PY, .DWG, .XML, .JPG, .BMP, .PNG, .EXE, .DLL, .CAD, .AVI, .H, .CSV, .DAT, .ISO, .PST, .PGD, .7Z, .RAR, .ZIP, .ZIPX, .TAR, .PDB, .BIN, .DB, .MDB, .MDF, .BAK, .LOG, .EDB, .STM, .DBF, .ORA, .GPG, .EDB, .MFS

When it finished, the ransomware added the .CRYPT extension to all infected file names. It also dropped a ransom note called “readme.txt” into every folder containing the word “desktop” and into the system disk’s root folder.

Unlike other ransomware strains, the ransom note did not include a ransom demand or a bitcoin wallet address where victims could send payment. It merely instructed the victim to contact one of two provided email addresses and to send along a hash as a victim identifier.

Defending Against DearCry Ransomware

Microsoft urged customers to use this script to scan for HAFNIUM’s Indicators of Compromise (IOCs) and to use these security updates to patch their affected systems. It quickly became apparent to tens of thousands of impacted organizations that patching alone would not be enough to protect systems from further intrusions, including those leveraging the DearCry ransomware.

The Cybereason Defense Platform provides multi-layer protection against threats like the HAFNIUM attacks and DearCry ransomware. Cybereason EDR and XDR detect the post-exploitation techniques including the use of PowerCat, lsass process dumping, and the Nishang Invoke-PowershellTcpOneLine reverse shell.

In addition, the Cybereason NGAV stack prevents the execution of malware and ransomware payloads, the credential theft attempts at later stages of the HAFNIUM attack, as well as the most recent attacks from other threat actors leveraging the DearCry ransomware.

Organizations need a multi-layered approach to prevention, detection and response that can surface a ransomware attack early, before any data is compromised or encrypted. Cybereason delivers the multi-layered prevention, detection and response required to defeat ransomware attacks that continue to evade traditional and nextgen security solutions:

• Endpoint Controls: Cybereason hardens endpoints against attacks by managing security policies, maintaining device controls, implementing personal firewalls and enforcing whole-disk encryption across a range of device types, both fixed and mobile.

• Intelligence Based-Antivirus: Cybereason block known ransomware variants leveraging an ever-growing pool of threat intelligence based on previously detected attacks.

• NextGen Antivirus: Cybereason NGAV is powered by machine learning and recognizes malicious components in code to block unknown ransomware variants prior to execution.

• Fileless Ransomware Protection: Cybereason disrupts attacks utilizing fileless and MBR-based ransomware that traditional antivirus tools miss.

• Behavioral Document Protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that leverage malicious macros and other stealthy attack vectors.

• Anti-Ransomware and Deception: Cybereason uses a combination of behavioral detections and proprietary deception techniques surface the most complex ransomware threats and end the attack before any critical data can be encrypted.

Cybereason Defenders at the Ready

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. If your organization is being impacted by these recent attacks, or if you have concerns about the potential your organization has been compromised, contact us immediately for containment by our expert Incident Response team.

Cybereason can also help your security team hunt for and eliminate unidentified threats through a custom Compromise Assessment. In addition, we can work with your team to accelerate your security operations through our Managed Detection and Response that was recently named a Strong Performer in the Forrester Wave™: Managed Detection and Response 2021 report.

Contact a Cybereason defender today to learn how your organization can experience the deep context and correlations delivered by the Cybereason Malop to achieve an operation-centric approach and a future-ready security posture.