DearCry Ransomware and the HAFNIUM Attacks – What You Need to Know

The widespread HAFNIUM attacks were just the beginning of the problems stemming from multiple vulnerabilities in Microsoft’s Exchange offering that were recently disclosed. According to Bleeping Computer, users began submitting new ransomware attack reports to the ID-Ransomware identification site on March 9 that site creator Michael Gillespie later determined had likely originated on Microsoft Exchange servers.

That same day, a user created a forum topic on Bleeping Computer’s site stating that attackers were abusing residual webshells leftover from the recent HAFNIUM attacks that targeted vulnerabilities in Microsoft Exchange servers to install a new ransomware variant.

Two days later, Phillip Misner, security principal and group manager at Microsoft, confirmed in a tweet that attackers were using elements of the HAFNIUM attacks to further target impacted organizations with the new ransomware dubbed Ransom:Win32/DoejoCrypt.A, also known as DearCry, which was observed to have impacted victims in the United States, Germany, Indonesia and elsewhere.

The DearCry Ransomware Attacks

Analysis of DearCry revealed that the ransomware ran a non-native Windows service called “msupdate” upon execution, then this service was terminated after the attack completed the encryption routine for the targeted systems. Additionally, DearCry enumerated all logical drives except CD-ROM on the Windows operating system so that it could use an RSA public key to encrypt the victim’s information.

Ultimately, it was observed that the ransomware used both AES-256 and RSA-2048 to encrypt victim files and to insert the string ‘DearCry!’ into the file headers. The threat was capable of encrypting files with 78 different file extensions, including:

.TIF, .TIFF, .PDF, .XLS, .XLSX, .XLTM, .PS, .PPS, .PPT, .PPTX, .DOC, .DOCX, .LOG, .MSG, .RTF, .TEX, .TXT, .CAD, .WPS, .EML, .INI, .CSS, .HTM, .HTML, .XHTML, .JS, .JSP, .PHP, .KEYCHAIN, .PEM, .SQL, .APK, .APP, .BAT, .CGI, .ASPX, .CER, .CFM, .C, .CPP, .GO, .CONFIG, .PL, .PY, .DWG, .XML, .JPG, .BMP, .PNG, .EXE, .DLL, .CAD, .AVI, .H, .CSV, .DAT, .ISO, .PST, .PGD, .7Z, .RAR, .ZIP, .ZIPX, .TAR, .PDB, .BIN, .DB, .MDB, .MDF, .BAK, .LOG, .EDB, .STM, .DBF, .ORA, .GPG, .EDB, .MFS

When it finished, the ransomware added the .CRYPT extension to all infected file names. It also dropped a ransom note called “readme.txt” into every folder containing the word “desktop” and into the system disk’s root folder.

Unlike other ransomware strains, the ransom note did not include a ransom demand or a bitcoin wallet address where victims could send payment. It merely instructed the victim to contact one of two provided email addresses and to send along a hash as a victim identifier.

Defending Against DearCry Ransomware

Microsoft urged customers to use this script to scan for HAFNIUM’s Indicators of Compromise (IOCs) and to use these security updates to patch their affected systems. It quickly became apparent to tens of thousands of impacted organizations that patching alone would not be enough to protect systems from further intrusions, including those leveraging the DearCry ransomware.

The Cybereason Defense Platform provides multi-layer protection against threats like the HAFNIUM attacks and DearCry ransomware. Cybereason EDR and XDR detect the post-exploitation techniques including the use of PowerCat, lsass process dumping, and the Nishang Invoke-PowershellTcpOneLine reverse shell.

In addition, the Cybereason NGAV stack prevents the execution of malware and ransomware payloads, the credential theft attempts at later stages of the HAFNIUM attack, as well as the most recent attacks from other threat actors leveraging the DearCry ransomware.

Organizations need a multi-layered approach to prevention, detection and response that can surface a ransomware attack early, before any data is compromised or encrypted. Cybereason delivers the multi-layered prevention, detection and response required to defeat ransomware attacks that continue to evade traditional and NexGen security solutions.

Cybereason Defenders at the Ready

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. If your organization is being impacted by these recent attacks, or if you have concerns about the potential your organization has been compromised, contact us immediately for containment by our expert Incident Response team.

Cybereason can also help your security team hunt for and eliminate unidentified threats through a custom Compromise Assessment. In addition, we can work with your team to accelerate your security operations through our Managed Detection and Response that was recently named a Strong Performer in the Forrester Wave™: Managed Detection and Response 2021 report.

Contact a Cybereason defender today to learn how your organization can experience the deep context and correlations delivered by the Cybereason Malop to achieve an operation-centric approach and a future-ready security posture.

Anthony M. Freed
About the Author

Anthony M. Freed

Anthony M. Freed is the Senior Director of Corporate Communications for Cybereason and was formerly a security journalist who authored feature articles, interviews and investigative reports which have been sourced and cited by dozens of major media outlets. Anthony also previously worked as a consultant to senior members of product development, secondary and capital markets from the largest financial institutions in the country, and he had a front row seat to the bursting of the credit bubble.

All Posts by Anthony M. Freed