Microsoft released a patch to mitigate four critical vulnerabilities in Microsoft Exchange servers in early March 2021. From that moment, criminals exploited these flaws in the wild with many threats, including DearCry, a ransomware variant designed to take advantage of vulnerable Microsoft Exchange servers.
This new ransomware targets Microsoft Exchange servers globally, taking advantage of the ProxyLogon vulnerabilities, and exploits for them have since been published on several resources on the internet.
According to Michael Gillespie, owner of the ID-Ransomware platform, a new ransom note and encrypted files were submitted to the online platform on March 9; after analysing the files, he discovered that almost all of them had been submitted from Microsoft Exchange servers.
A few days later, Philip Misner, a researcher from Microsoft, confirmed on Twitter that DearCry was being deployed in human-operated attacks using the recent Microsoft Exchange exploits.
Figure 1: DearCry ransomware related to the Microsoft Exchange vulnerabilities on 12th March 2021.
DearCry and what it does
Looking at the DearCry samples, it is worth highlighting the compiler and debugger timestamp of “Mar 09”: the day the binary was compiled, and the same date mentioned by Michael Gillespie.
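One way to check such a compile timestamp yourself during triage is to read the TimeDateStamp field straight from the PE headers. The script below is an added example, not code from the article; it reads only the COFF file-header stamp (not the debug-directory one) and builds a constructed stub PE header, not a real DearCry sample, so it runs offline.

```python
import struct
from datetime import datetime, timezone


def pe_compile_timestamp(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp of a PE image as a UTC datetime.

    Layout: IMAGE_DOS_HEADER.e_lfanew (offset 0x3C) points at the "PE\\0\\0"
    signature; IMAGE_FILE_HEADER follows it and its TimeDateStamp sits at
    offset 4 of that header (after Machine and NumberOfSections).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte signature plus the 20-byte file header to be present.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    ts = struct.unpack_from("<I", data, e_lfanew + 4 + 4)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def build_stub_pe(timestamp: int) -> bytes:
    """Constructed minimal PE header (not a real sample) with a chosen stamp."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x102)
    return bytes(dos) + b"PE\0\0" + file_hdr


if __name__ == "__main__":
    # Constructed example: a stamp of 2021-03-09 00:00:00 UTC.
    sample = build_stub_pe(int(datetime(2021, 3, 9, tzinfo=timezone.utc).timestamp()))
    print(pe_compile_timestamp(sample).strftime("%b %d, %Y"))  # Mar 09, 2021
```

Compile stamps are attacker-controlled and can be forged, so treat the value as one corroborating artefact alongside the submission dates, not as proof on its own.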