DearCry targets Microsoft Exchange vulnerability

SophosNews


Hafnium Microsoft Exchange hack: was a DearCry ransomware prototype deployed? Sophos experts have investigated the ransomware and discovered similarities with WannaCry.

Since the Microsoft Exchange vulnerabilities became known last week, attention has focused on the cyberattacks that exploit them. Above all, the ransomware "DearCry" has made an inglorious name for itself; at first glance it is reminiscent of a prominent predecessor called "WannaCry". SophosLabs took a closer look at the new malware and found considerable evidence that it could be a previously unknown ransomware prototype.

DearCry: Hybrid approach ransomware

First of all, when analyzing various DearCry samples, it is noticeable that the ransomware appears to be pursuing a hybrid approach. The only other ransomware known to SophosLabs that uses this approach is WannaCry, which, unlike the human-operated DearCry, spreads automatically. The similarities, however, are striking: both first create an encrypted copy of the attacked file (copy encryption) and then overwrite the original file to prevent recovery (in-place encryption). While victims may be able to recover some data after copy encryption alone, in-place encryption ensures that the data cannot be recovered using file-recovery tools. Notorious human-operated ransomware families such as Ryuk, REvil, BitPaymer, Maze, or Clop, by contrast, use in-place encryption only.
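The two-step scheme described above leaves a distinctive trace in file-activity telemetry: a process creates a new file next to the original and shortly afterwards overwrites the original itself. The following detection heuristic is an added example written for this article, not Sophos' code or anything from the DearCry analysis; the event format, the process IDs, the paths and the two-second window are all constructed assumptions. It flags any process that shows the create-copy-then-overwrite pattern on several files.

```python
"""Heuristic detector for the 'copy, then overwrite in place' encryption pattern.

Added example (not the article's or Sophos' code). The event format below is an
assumed, simplified file-activity log: timestamp in seconds, process id,
operation ("create" or "write") and path.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float   # seconds since start of the capture (constructed)
    pid: int    # process id (constructed)
    op: str     # "create" (new file) or "write" (existing file modified)
    path: str


# Constructed sample telemetry. pid 4242 behaves like the hybrid scheme:
# it creates <original>.CRYPT and then writes over <original> moments later.
# pid 77 is a benign editor that creates a .bak copy and only touches the
# original much later, which should not be flagged with the default window.
SAMPLE_EVENTS = [
    FileEvent(0.0, 4242, "create", "C:/data/report.docx.CRYPT"),
    FileEvent(0.1, 4242, "write", "C:/data/report.docx"),
    FileEvent(0.2, 4242, "create", "C:/data/budget.xlsx.CRYPT"),
    FileEvent(0.3, 4242, "write", "C:/data/budget.xlsx"),
    FileEvent(0.4, 4242, "create", "C:/data/notes.txt.CRYPT"),
    FileEvent(0.5, 4242, "write", "C:/data/notes.txt"),
    FileEvent(1.0, 77, "create", "C:/data/draft.txt.bak"),
    FileEvent(9.0, 77, "write", "C:/data/draft.txt"),
]


def find_copy_then_overwrite(events, window=2.0):
    """Return {pid: [original paths]} for every case where a process first
    created a file named <original>.<something> and then wrote <original>
    within `window` seconds. No specific suffix is assumed, so the check
    works regardless of the extension the copy receives."""
    by_pid = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_pid[ev.pid].append(ev)

    hits = defaultdict(list)
    for pid, evs in by_pid.items():
        pending = {}  # created path -> creation timestamp
        for ev in evs:
            if ev.op == "create":
                pending[ev.path] = ev.ts
            elif ev.op == "write":
                # A pending copy "belongs" to this write if its name is the
                # written path plus an extra dotted suffix.
                copies = [
                    c for c in pending
                    if c.startswith(ev.path) and c[len(ev.path):].startswith(".")
                ]
                for c in copies:
                    created_ts = pending.pop(c)
                    if ev.ts - created_ts <= window:
                        hits[pid].append(ev.path)
    return dict(hits)


def suspicious_pids(events, threshold=3, **kwargs):
    """Process ids that showed the pattern on at least `threshold` files."""
    found = find_copy_then_overwrite(events, **kwargs)
    return sorted(pid for pid, paths in found.items() if len(paths) >= threshold)


if __name__ == "__main__":
    for pid, paths in find_copy_then_overwrite(SAMPLE_EVENTS).items():
        print(f"pid {pid}: copy-then-overwrite on {len(paths)} file(s): {paths}")
    print("suspicious:", suspicious_pids(SAMPLE_EVENTS))
```

The threshold and window are the tuning knobs: a single occurrence is easily explained by editors and backup tools, while a burst of them from one process within seconds is the signature the article describes. In a real deployment the events would come from an EDR or Sysmon file-create/file-write feed rather than the constructed list above.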

DearCry and WannaCry in comparison

There are a number of other similarities between DearCry and WannaCry, including the names and the header that is added to the encrypted files. These hints do not automatically imply a connection to the WannaCry developers, and the capabilities of DearCry differ considerably from those of WannaCry. The new ransomware does not use a command-and-control server, carries an embedded RSA encryption key, does not display a user interface with a countdown timer, and, most importantly, does not spread to other computers on the network.

"We found a number of other unusual DearCry features, including the fact that the ransomware appeared to be creating new binaries for new victims," said Mark Loman, director, engineering technology office at Sophos. "The list of file types attacked has also evolved from victim to victim. Our analysis also shows that the code does not contain the kind of anti-detection features that we would normally expect from ransomware, such as compressed files or obfuscation techniques. These and other signs suggest that DearCry may be a prototype that was deployed faster than planned to exploit the current vulnerabilities in Microsoft Exchange servers."

Install Exchange patches as soon as possible

Here, too, it should be pointed out once again that companies should install the latest Microsoft patches as soon as possible in order to prevent criminal exploitation of their Exchange servers. If this is not possible, the server should be disconnected from the Internet or closely monitored by a rapid response team. Applying the patch alone does not settle the matter, however: a forensic investigation must ensure that malware has not already entered the system through the vulnerability and is waiting to be deployed.

More on this at Sophos.com

About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.
