DearCry ransomware exploits Exchange server vulnerability

Summary

  • Encrypts files with AES-256 and protects the keys with RSA-2048, which makes decryption impossible without paying the ransom
  • Adds the ‘.CRYPT’ extension to encrypted files
  • Overwrites the content of the original files with the character “A”
  • Also known as “Ransom:Win32/DoejoCrypt.A” under Microsoft’s malware naming convention
  • Targets organizations in the United States, Luxembourg, Indonesia, Ireland, India and Germany

Attack vectors

The attackers exploit the recently disclosed ProxyLogon zero-day vulnerabilities to break into Microsoft Exchange servers. The first DearCry attack was discovered on March 9, 2021.

Static analysis

The file under analysis is 1322521 bytes in size (SHA256: fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65) and, at the time of writing, was detected by 45 of the 68 antivirus engines listed on VirusTotal.

This sample was first submitted to VirusTotal on March 12, 2021.

According to static analysis of the executable, the original file name is ‘encryptfile.exe’. This can be inferred from the PDB path left in the binary’s debug information:
c:\users\john\documents\visual studio 2008\projects\encryptfile -svcv2\release\encryptfile.exe.pdb

Installation

Once executed, the malware registers a service named ‘msupdate’.

File encryption is then started under this service.

After file encryption is complete, DearCry stops and deletes the service.

File encryption

To encrypt files, DearCry uses the AES-256 cipher; the AES keys are afterwards encrypted with the attackers’ master RSA-2048 public key.

The ransomware computes the MD5 hash of this public key and inserts the hash into the ransom note.

DearCry enumerates all logical drives from ‘C:’ to ‘Z:’. For every drive that is not a CD-ROM drive, it creates a text file named ‘readme.txt’ in the root directory and saves the ransom note there.

DearCry then searches each disk for files whose names are shorter than 1300 characters and encrypts those with the following extensions:

.TIF
.TIFF
.PDF
.XLS
.XLSX
.XLTM
.PS
.PPS
.PPT
.PPTX
.DOC
.DOCX
.LOG
.MSG
.RTF
.TEX
.TXT
.CAD
.WPS
.EML
.DBF
.INI
.CSS
.HTM
.HTML
.XHTML
.JS
.JSP
.PHP
.KEYCHAIN
.PEM
.SQL
.APK
.APP
.BAT
.CGI
.ASPX
.CER
.CFM
.C
.CPP
.STM
.GO
.CONFIG
.CSV
.DAT
.ISO
.PST
.PGD
.7Z
.RAR
.ZIP
.ZIPX
.TAR
.PDB
.BIN
.DB
.MDB
.MDF
.BAK
.LOG
.EDB
.ORA

DearCry does not encrypt files in the following folders:

%WinDir%
%AppData%
%ProgramFiles(x86)%
%Temp%

The ransomware adds the header “DEARCRY!” to each encrypted file and appends the extension “.CRYPT”.

The encrypted file has a fixed structure that begins with this header.

To complicate recovery, the ransomware overwrites the data in the original file with the character ‘A’.
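The on-disk artifacts described in this section (the “DEARCRY!” header, the “.CRYPT” extension, originals overwritten with ‘A’, the root-level ‘readme.txt’, and the targeting rules for extensions, name length and excluded folders) can be turned into a simple triage check for responders. The following is an added example, not Acronis code; the extension subset, the resolved excluded-folder paths and the sample file snapshot are constructed for illustration.

```python
import ntpath                       # Windows path semantics regardless of host OS
from collections import Counter

DEARCRY_MAGIC = b"DEARCRY!"         # header written at the start of encrypted files
CRYPT_EXT = ".CRYPT"                # extension appended to encrypted files
MAX_NAME_LEN = 1300                 # file names at or above this length are skipped
# Constructed subset of the extension list from the write-up; extend as needed.
TARGET_EXTS = {".PDF", ".XLS", ".XLSX", ".DOC", ".DOCX", ".TXT", ".PEM", ".SQL",
               ".ZIP", ".BAK", ".MDF", ".EDB", ".ORA", ".LOG"}
# Hypothetical resolved values of %WinDir%, %AppData%, %ProgramFiles(x86)%, %Temp%.
EXCLUDED_DIRS = [r"C:\Windows", r"C:\Users\svc\AppData", r"C:\Program Files (x86)",
                 r"C:\Users\svc\AppData\Local\Temp"]


def would_be_targeted(path: str) -> bool:
    """Apply the targeting rules from the analysis to a Windows path."""
    name = ntpath.basename(path)
    ext = ntpath.splitext(name)[1].upper()
    if ext not in TARGET_EXTS or len(name) >= MAX_NAME_LEN:
        return False
    lowered = ntpath.normpath(path).lower()
    return not any(lowered.startswith(ntpath.normpath(d).lower() + "\\")
                   for d in EXCLUDED_DIRS)


def classify(path: str, data: bytes) -> str:
    """Label a file by the artifacts DearCry leaves behind."""
    if data.startswith(DEARCRY_MAGIC):
        # Header present; the normal case also carries the .CRYPT extension
        return "encrypted" if path.upper().endswith(CRYPT_EXT) else "encrypted_renamed"
    if data and set(data) == {0x41}:            # every byte is 'A'
        return "overwritten_original"
    if (ntpath.basename(path).lower() == "readme.txt"
            and ntpath.dirname(path).endswith(":\\")):
        return "ransom_note_candidate"          # readme.txt in a drive root
    return "clean"


def triage(files: dict) -> Counter:
    """Count classifications over a {path: bytes} snapshot of a host."""
    return Counter(classify(p, d) for p, d in files.items())


# Constructed snapshot standing in for files collected from an affected server.
SAMPLE_FILES = {
    r"C:\readme.txt": b"Your files are encrypted ...",
    r"D:\share\report.docx.CRYPT": DEARCRY_MAGIC + b"\x00" * 16 + b"ciphertext",
    r"D:\share\report.docx": b"A" * 64,
    r"D:\share\notes.txt": b"meeting notes",
    r"C:\Windows\System32\drivers\etc\hosts": b"127.0.0.1 localhost",
}

if __name__ == "__main__":
    print(dict(triage(SAMPLE_FILES)))
```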

Detection by Acronis

Acronis Cyber Protect not only detects and blocks DearCry ransomware, but can also automatically restore affected files in a matter of seconds.


Conclusion

Attacks with controlled execution, in which the attackers exploit zero-day vulnerabilities in popular services, are especially dangerous. The file encryption scheme employed by DearCry, which combines symmetric and asymmetric encryption, leaves no chance of decrypting the files without the right key. In addition, overwriting the content of the original files complicates recovery.

Hash: 0e55ead3b8fd305d9a54f78c7b56741a