Unpatched Exchange Servers hit with ransomware

  • By Susan Miller

  • Mar 15, 2021

    Microsoft Exchange Servers that have not been upgraded with the latest security patches are getting hit with "DearCry" ransomware, Microsoft warned.


    “We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry,” Microsoft Security Intelligence tweeted March 11.


    This new threat takes advantage of web shells or backdoors installed by the Hafnium group, which exploits four zero-day Exchange Server flaws. A web shell is a script that can be uploaded to a compromised Microsoft Exchange Server to enable remote administration of the machine, according to the Cybersecurity and Infrastructure Security Agency. The attack was initially thought to be designed for widespread government and industry espionage campaigns, but attackers are now using those web shells to install ransomware.

    The new development was first detected and reported by security researcher Michael Gillespie after he noticed a “sudden swarm” of submissions to his ID-Ransomware website, according to a Threatpost article. After analyzing the reports, Gillespie realized the attacks were hitting Exchange Servers.


    The DearCry ransomware uses AES-256 and RSA-2048 to encrypt victim files and changes file headers to include the string ‘DEARCRY!’. A ransom note and a hash are displayed on the victim’s desktop, along with an email address ...
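A simple triage check a responder could run on a suspect file share, written as an added example for this article rather than code from Microsoft or the researchers cited: it flags files whose header carries the ‘DEARCRY!’ string and reports the entropy of the bytes that follow, since encrypted content reads as near-random. It assumes the marker sits at the very start of the file (the article only says it is placed in the header); the sample files it scans are constructed in a temporary directory.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Marker the article says DearCry writes into file headers.
# Assumption: it is the first bytes of the file.
MARKER = b"DEARCRY!"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; AES-encrypted content approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_file(path: Path, sample: int = 4096) -> dict:
    """Check one file for the marker and measure entropy of the body."""
    with open(path, "rb") as fh:
        head = fh.read(len(MARKER))
        body = fh.read(sample)
    return {
        "path": str(path),
        "marker": head == MARKER,
        "entropy": round(shannon_entropy(body), 2),
    }


def scan_tree(root: Path) -> list:
    """Walk root and return findings for files carrying the marker."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            info = inspect_file(Path(dirpath) / name)
            if info["marker"]:
                hits.append(info)
    return hits


def demo() -> list:
    """Constructed sample: one clean document, one marked file with random body."""
    root = Path(tempfile.mkdtemp())
    (root / "report.docx").write_bytes(b"PK\x03\x04" + b"hello world " * 100)
    (root / "sample_marked.bin").write_bytes(MARKER + os.urandom(4096))
    return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

The entropy column is a secondary indicator only: a marked file with low entropy would be worth a closer look, as would high-entropy files with no marker, which this check does not report.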
