FortiGuard Labs is aware of multiple reports of a new malware campaign where threat actors are leveraging known vulnerabilities in Microsoft Exchange Server to install ransomware. The ransomware has been identified as DoejoCrypt/DearCry.
The vulnerabilities exploited are related to the recent out of band release by Microsoft on March 2nd, which culminated in the release of patches for four CVE's, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The attack chain targets a Microsoft Exchange server that is able to receive untrusted connections from an external source. From there, the threat actors are able to install malware on the victim environment for further compromise. For further details about the Exchange Server vulnerability, please refer to our Blog and Threat Signal respectively.
What are the Technical Details of this Threat?
The ransomware uses AES-256 encryption during the encryption routine to encrypt the files and then uses an RSA-2048 key to encrypt the AES key for further damage. Files will have the string DEARCRY! found at the beginning of the file header added during encryption.
The ransomware will target the following file extensions for encryption:
Once all file types have been located, the files will be encrypted with the .CRYPT extension.
Are there Reports of Free Decryption Tools Available?
No. Unfortunately there have not been any reports of decryption tools available at this time within the security community.
What is the Status of Coverage?
Customers running current (AV) definitions are protected from DoeJoCrypt/DearCry variants by the following:
Testing by FortiGuard Labs shows that default FortiEDR and FortiXDR deployments detect and block DoejoCrypt/DearCry ransomware activity out of the box.
Is this State Sponsored?
Unlikely. There are no known indicators that this is related to the threat actor known as HAFNIUM. Initial assessments appear to be unrelated and unknown threat actors at this time.
How Serious of an Issue is This?
How Widespread is this Attack?
Are there Patches Available for Affected Exchange Servers?
Yes. Out of Band patches were available from Microsoft for download on March 2nd, 2021. It is recommended that all available patches for affected Microsoft Exchange servers are applied immediately, if feasible.
Any Other Suggested Mitigation?
According to Microsoft, to protect against this attack it is recommended to restrict untrusted connections to Exchange servers. An alternate recommendation is to set up a VPN to separate the Exchange server from external access. Using either of these mitigation recommendations will only protect against the initial portion of the attack. Other portions of the chain still can be triggered if an attacker already has access or can convince an administrator via social engineering methods to open a malicious file. it is recommended to prioritize installing the available patches on Exchange Servers immediately.
Due to the ease of disruption and potential for damage to daily operations, reputation, and unwanted release of personally identifiable information (PII), etc., it is important to keep all AV and IPS signatures up to date. It is also important to ensure that all known vendor vulnerabilities within an organization are addressed, and updated to protect against attackers establishing a foothold within a network.
Also - organizations are encouraged to conduct ongoing training sessions to educate and inform personnel about the latest phishing/spearphishing attacks. They also need to encourage employees to never open attachments from someone they don't know, and to always treat emails from unrecognized/untrusted senders with caution. Since it has been reported that various phishing and spearphishing attacks have been delivered via social engineering distribution mechanisms, it is crucial that end users within an organization be made aware of the various types of attacks being delivered. This can be accomplished through regular training sessions and impromptu tests using predetermined templates by an organizations' internal security department. Simple user awareness training on how to spot emails with malicious attachments or links could also help prevent initial access into the network.
Following initial compromise of the MS Exchange system, the attacker can execute the primary objective. From monitoring these incidents, a new family of ransomware has been detected. The threat is known as DoejoCrypt or DearCry.