Currently, there are over 80,000 servers exposed to DearCry ransomware – Microsoft has urged customers to install patches issued last week.
Just last week Microsoft revealed that its Exchange Email server was targeted by Chinese hackers after which 30,000 organizations across the globe are at risk. This includes European Banking Authority (EBA) who has already acknowledged that hackers were in its email system.
Now, Microsoft has identified threat actors dropping DearCry ransomware on systems that are not updated to the latest version meaning their Exchange Email server is unpatched and still vulnerable to attacks.
Microsoft Alerts About DearCry Ransomware Strain
Microsoft has issued an alert to warn Exchange customers about a new ransomware strain dubbed DearCry. According to a tweet from Microsoft’s Security Intelligence team hackers are targeting on-premises unpatched Exchange servers to deploy DearCry ransomware.
According to Microsoft, hackers are specifically targeting servers still exposed to the four vulnerabilities that Chinese state-sponsored hackers have been exploiting. The tweet is as follows:
“We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry.”
The previously detected Hafnium server hacks were espionage-motivated. ESET, conversely, reported that at least ten state-sponsored hacking groups were trying to exploit unpatched Exchange server flaws.
These include the Winniti Group, Tick, Calypso, LuckyMouse (APT27), intending to compromise Exchange servers. In contrast, the newly discovered campaign is clearly driven by criminal intent.
Exchange Server Users Apply Patches
Microsoft also tweeted to urge customers to apply the emergency patches it released last week, affecting its on-premises Exchange email servers.
Microsoft researcher Phillip Misner tweeted that cybercriminals are trying to leverage the heavily exploited ProxyLogon Exchange Server flaws to install the DearCry ransomware strain.
“Human-operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers,” Misner tweeted.
The company tweeted that Microsoft Defender customers who have enabled automatic updates don’t need to take any action, but on-premises Exchange Server customers must immediately install security updates.
Tweet from Microsoft
Microsoft Defender customers utilizing automatic updates do not need to take additional action to receive these protections. On-premises Exchange Server customers should prioritize the security updates outlined here: https://t.co/DL1XWnitYO
— Microsoft Threat Intelligence (@MsftSecIntel) March 12, 2021
About 80,000 Servers are Still Unpatched
The DearCry ransomware prevents Windows Update from fixing the vulnerability and can encrypt all the files and delivers a ransom note on the victim’s desktop. Microsoft released a patch around ten days back.
However, according to Palo Alto Networks’ Chief Technology Officer, Matt Kraning, still 80,000 old servers are unpatched. This is a high rate for any system that requires a security patch and is as widely deployed as Microsoft Exchange.
“Still, we urge organizations running all versions of Exchange to assume they were compromised before they patched their systems because we know attackers were exploiting these zero-day vulnerabilities in the wild for at least two months before Microsoft released the patches on March 2,” Kraning added.