In the wake of the ongoing rush to patch the four vulnerabilities affecting Microsoft Exchange servers, a new Ransomware called DearCry has begun to exploit those vulnerabilities. Since Microsoft confirmed its existence on March 11th under the name DoejoCrypt, the number of reported ransomware incidents affecting Exchange Servers with DearCry is increasing. Some of the initial actions taken by DearCryduring the initial execution of the ransomware include an attempt to disable a service with the name “msupdate.” This could be a poor attempt to prevent patching (windows update service is called wuauserv) or an attempt to avoid competition with other malware families. In either case, the reason is still unknown, but more will likely be known about DearCry as the days carry on.
Analyst Notes
Since Wednesday, more proof-of-concept exploits have been published. With that in mind, adversaries have also had more time and resources to develop and opportunistically exploit targets which continues to press the urgency of patching. With Exchange being one of the largest email servers to date, nothing at this scale can be easy or straightforward. Nevertheless, the problem is growing. Organizations need to continue to hunt using whatever resources and logs are available, build detections with those same resources, and call out for help if systems have been affected by a qualified IR firm
