Attivo Networks Blogs

Stop DearCry Ransomware Exploits of Hafnium

Reading Time: 2 minutes  |  Published: March 16, 2021 in Blogs, Ransomware

Author: Venu Vissamsetty, V.P. Security Research, Attivo Networks

The recent Hafnium attacks drew attention to several Microsoft Exchange Server vulnerabilities, but other groups are also taking advantage of them to launch ransomware attacks. Attackers are targeting enterprises by exploiting the four recent Microsoft Exchange Server vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to deploy the DearCry ransomware. After exploitation, attackers move through the network by stealing privileged credentials from Active Directory, increasing the number of systems on which they can deploy the ransomware.

Once installed, the DearCry ransomware uses AES-256 and RSA-2048 to encrypt files. It targets and encrypts files with the following extensions:

.TIF .TIFF .PDF .XLS .XLSX .XLTM .PS .PPS .PPT .PPTX .DOC .DOCX .LOG .MSG .RTF .TEX .TXT .CAD .WPS .EML .INI .CSS .HTM .HTML .XHTML .JS .JSP .PHP .KEYCHAIN .PEM .SQL .APK .APP .BAT .CGI .ASPX .CER .CFM .C .CPP .GO .CONFIG .PL .PY .DWG .XML .JPG .BMP .PNG .EXE .DLL .CAD .AVI .H .CSV .DAT .ISO .PST .PGD .7Z .RAR .ZIP .ZIPX .TAR .PDB .BIN .DB .MDB .MDF .BAK .LOG .EDB .STM .DBF .ORA .GPG .EDB .MFS

Source: https://www.bleepingcomputer.com/news/security/ransomware-now-attacks-microsoft-exchange-servers-with-proxylogon-exploits/

Protecting Data with the Attivo DataCloak function

Attivo customers can enable the ThreatDefend® platform’s Anti-Ransomware DataCloak function to protect against ransomware encrypting files, including the DearCry variant.

The DataCloak function hides and denies access to local files, folders, removable storage, network or cloud shares, and local administrator accounts. By denying attackers the ability to see or exploit critical data, organizations can disrupt their discovery and lateral movement activities and limit the damage from ransomware attacks.

To protect sensitive or essential files, enable the Anti-Ransomware DataCloak function with the Mode set to “Alert and Protect” and the Protection Level set to “Hide.” The configured files and folders then become invisible to ransomware processes:

1. Configure the folders to protect and specify the file extensions to hide.

2. Configure Cloud Mapped Storage (OneDrive, Box, and Dropbox) to protect these locations.

3. Select the “Protect Network Shares” option to hide all SMB network mapped shares from ransomware.

The image below shows an example of the ThreatDefend platform’s Anti-Ransomware function as configured to protect files in the “Desktop,” “Documents,” and “Downloads” folders.

[Image: ThreatDefend Anti-Ransomware function configured for the Desktop, Documents, and Downloads folders]

The DearCry ransomware will encrypt files in all other folders except the above-protected folders.

The following image shows PDF files in the “Pictures” folder that the DearCry ransomware encrypted and renamed with a .CRYPT extension, whereas the PDF files in the protected “Desktop” folder remain unencrypted.

[Image: .CRYPT files in the “Pictures” folder beside intact PDF files in the “Desktop” folder]

Comparing a file from the protected “Desktop” folder (on the left) with one from the unprotected “Pictures” folder (on the right) shows that the DearCry ransomware encrypted the unprotected file and prepended it with a “DEARCRY” file header, as seen in the image on the right.

[Image: protected vs. unprotected file contents, with the DEARCRY header visible in the encrypted file]

The DearCry ransomware also leaves a note on the Desktop as follows:

Your file has been encrypted!

If you want to decrypt, please contact us.

konedieyp@airmail.cc or uenwonken@memail.com

And please send me the following hash!

638428e5021d4ae247b21acf9c0bf6f6
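The two on-disk markers described above, the .CRYPT extension and the DEARCRY file header, are enough for a quick incident-response triage of a file share. The following Python script is an added example, not code from Attivo or from the original post: it walks a directory tree, separates files DearCry has encrypted (renamed with .CRYPT and carrying the header) from files that were only renamed, and counts intact files whose extensions appear in the targeted list. It assumes the header is the ASCII bytes DEARCRY at offset 0 (the post does not give the exact byte layout), uses only a subset of the listed extensions, and builds its own constructed sample tree so it runs offline.

```python
import tempfile
from pathlib import Path

# Markers described in the post: encrypted files get a .CRYPT extension and a
# "DEARCRY" header. ASSUMPTION: the header is the ASCII bytes b"DEARCRY" at
# offset 0; the post does not give the exact byte layout.
CRYPT_SUFFIX = ".CRYPT"
DEARCRY_MAGIC = b"DEARCRY"
# Subset of the extensions the post lists as targeted (sample, not the full list).
TARGETED = {".pdf", ".docx", ".xlsx", ".txt", ".pst", ".bak", ".mdf"}

def classify_file(path: Path) -> str:
    """Return 'encrypted', 'renamed-only', 'at-risk' or 'other' for one file."""
    if path.name.upper().endswith(CRYPT_SUFFIX):
        with open(path, "rb") as fh:
            magic = fh.read(len(DEARCRY_MAGIC))
        # Header present -> ciphertext; absent -> renamed but content intact.
        return "encrypted" if magic == DEARCRY_MAGIC else "renamed-only"
    return "at-risk" if path.suffix.lower() in TARGETED else "other"

def triage(root) -> dict:
    """Walk root; list encrypted/renamed files, count at-risk and other files."""
    root = Path(root)
    summary = {"encrypted": [], "renamed-only": [], "at-risk": 0, "other": 0}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        cat = classify_file(p)
        if cat in ("encrypted", "renamed-only"):
            summary[cat].append(p.relative_to(root).as_posix())
        else:
            summary[cat] += 1
    return summary

def make_sample_tree() -> Path:
    """Build a constructed sample tree (not real victim data) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="dearcry-triage-"))
    files = {
        "Desktop/report.pdf": b"%PDF-1.4 intact file in a protected folder",
        "Pictures/photo.pdf.CRYPT": DEARCRY_MAGIC + b"\x00" * 16 + b"ciphertext",
        "Pictures/notes.txt.CRYPT": b"renamed, but no DEARCRY header",
        "readme.txt": b"intact file with a targeted extension",
        "readme.md": b"extension not in the targeted list",
    }
    for rel, data in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(data)
    return root
```

Running `triage(make_sample_tree())` performs the dry run; point `triage` at a real mount to get the same summary for that share.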

Attivo customers should enable the Attivo Anti-Ransomware capability to protect local data. Testing and customer testimonials have shown that the DataCloak function can keep sensitive or critical data safe from unauthorized access, exploitation, and encryption.
