The Canadian Center for Cybersecurity warned organizations to update the popular corporate email system Microsoft Exchange Server. Since early March 2021, the system has been a target for cybercriminals. Hackers now exploit newly discovered in the system to drop ransomware, and thousands of email servers now face the threat of destructive attacks.
Microsoft warned that it had detected an advanced file-encrypting malware known as DearCry or DeejoCrypt. According to the tech giant, the malware uses four vulnerabilities linked to Hafnium, a China-backed hacking team. Combined, these vulnerabilities grant hackers full control of vulnerable systems.
The Canadian Center for Cybersecurity advised businesses to patch their Microsoft exchange program.
The Microsoft Exchange Server has been a valuable target for malicious individuals that want to penetrate networks. The email server software has loopholes that could allow hackers to complete different operations using the same in-built scripts and tools that admins rely on for maintenance.
DearCry exploits the same vulnerabilities as Hafnium. The new ransomware variant creates encrypted copies of the accessed files then deletes the original documents. Its encryption follows the public-key cryptosystem that’s embedded within the ransomware binary. This means it can encrypt your files without contacting the hacker’s command and control server.
Even if you set up your exchange servers to only allow web-based access, they can still be encrypted. You need the decryption key to reverse this, but it’s only the hacker who has it.
The ransomware starts with a non-native service known as “msupdate” after execution. This will later terminate once the attack has finalized the encryption routine within the targeted systems. The ransomware goes further to enumerate every logical file in your Windows OS except CD-ROM to rely on an RSA public key to encrypt your data.
From there, the ransomware adds the. CRYPT extension to the names of all affected files. It also drops the “readme.txt” on the system disk’s root folder and all folders that have the word “desktop.”
The most significant difference with other ransomware strains is that it doesn’t offer a bitcoin wallet address or ransom demand. It merely instructs the victim to contact a provided email address and send along a hash for identification.
The ransomware has ultimately been observed to use both RSA-2048 and AES-256 for file encryption and insertion of the DearCry! String into file headers. Notably, the threat can encrypt files using 78 file extensions.
If DearCry hits you, the attackers will have successfully used the Hafnium-established persistence. You have to block the ransomware and neutralize the attack before the hackers go further.
A multilayered approach to detection, response, and prevention can surface the attack before your data is encrypted or compromised. The following techniques can help you defeat this new threat that continues to beat advanced and traditional security solutions:
The Canadian Center for Cybersecurity notes that most organizations still haven’t implemented the latest Microsoft Exchange Server patches. If you’re among this demographic, you must make the right move because the relentless hackers currently exploit small and established organizations.
OnServe is here to keep all your business tech needs under control, allowing you to focus on what you’re more passionate about, your business. Contact us to understand our comprehensive framework and services.