DearCry, a recently discovered family of ransomware, may not be very sophisticated, according to a statement from Mandiant based on its initial analysis of the malware (which Mandiant tracks as DOJOCRYPT). Mandiant's statement comes after Microsoft Security Intelligence reported discovering and blocking the new ransomware family, which is deployed after an initial compromise of unpatched on-premises Exchange servers.
However, the issue appears to have affected only organizations running Exchange Server 2010, 2013, 2016, or 2019. “Microsoft Defender customers utilizing automatic updates do not need to take additional action to receive these protections. On-premises Exchange Server customers should prioritize the security updates,” said Microsoft Security Intelligence.
Although the origin of the attack and the perpetrators behind DearCry have yet to be traced, Mandiant says the ransomware lacks functionality one would expect to see in more complex ransomware, such as anti-analysis capabilities and the ability to stop anti-malware services and delete volume shadow copies.
In addition, John Hultquist, VP of Analysis at Mandiant Threat Intelligence, said: “We are anticipating more exploitation of the Exchange vulnerabilities by ransomware actors in the near term. Though many of the still unpatched organizations may have been exploited by cyber espionage actors, criminal ransomware operations may pose a greater risk as they disrupt organizations and even extort victims by releasing stolen emails. Ransomware operators can monetize their access by encrypting emails or threatening to leak them, a tactic they have recently adopted. This attack vector may be particularly attractive to ransomware operators because it is an especially efficient means of gaining domain admin access. That access enables them to deploy encryption across the enterprise. In cases where organizations are unpatched, these vulnerabilities will provide criminals a faster path to success. Unfortunately, many of the remaining vulnerable organizations will be small and medium-sized businesses, state and local government, and schools, which will struggle to keep up with the deluge of actors leveraging this increasingly available exploit.”
In its latest tweet, Microsoft Security Intelligence says it is now providing IT professionals and incident response teams with updated tools and investigation guidance to help organizations identify, remediate, and defend against attacks associated with the Exchange Server vulnerabilities.