DearCry Ransomware Attacks Unpatched Microsoft Exchange Mail Servers

Alexander Adamov
Spin.AI Ransomware Protection
3 min read · Mar 20, 2021

The attackers used recently discovered zero-day vulnerabilities in Microsoft Exchange to install DearCry ransomware. The attacks were first reported on March 9 by victims who stated that their Microsoft Exchange servers had been compromised through the ProxyLogon vulnerabilities, after which DearCry ransomware was executed. According to security researchers, the targets are located in the United States, Canada, Australia, Luxembourg, Indonesia, Ireland, India, and Germany.

Microsoft has also confirmed that the DearCry ransomware attack uses the Microsoft Exchange vulnerabilities.

DearCry encrypts all files with the following extensions on all available local disks from ‘C:’ to ‘Z:’:

.TIF, .TIFF, .PDF, .XLS, .XLSX, .XLTM, .PS, .PPS, .PPT, .PPTX, .DOC, .DOCX, .LOG, .MSG, .RTF, .TEX, .TXT, .CAD, .WPS, .EML, .DBF, .INI, .CSS, .HTM, .HTML, .XHTML, .JS, .JSP, .PHP, .KEYCHAIN, .PEM, .SQL, .APK, .APP, .BAT, .CGI, .ASPX, .CER, .CFM, .C, .CPP, .STM, .GO, .CONFIG, .CSV, .DAT, .ISO, .PST, .PGD, .7Z, .RAR, .ZIP, .ZIPX, .TAR, .PDB, .BIN, .DB, .MDB, .MDF, .BAK, .LOG, .EDB, .ORA

Files are encrypted with AES-256, and the per-file keys are then encrypted with a hardcoded RSA-2048 public master key. The ransomware writes the encrypted content to a new file whose name is the original file name with ‘.CRYPTO’ appended. The original file is then overwritten with repeated ‘A’ characters to prevent recovery of its content.
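As an added example (not from the article or from Spin.AI), the following incident-response triage script looks for the two file-level artifacts described above: ‘.CRYPTO’ copies and originals overwritten with ‘A’. It assumes the suffix is appended to the full original file name (e.g. report.docx.CRYPTO), and the sample directory tree it scans is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Suffix DearCry appends to the encrypted copy (from the article). That it is
# appended to the full original file name, e.g. report.docx -> report.docx.CRYPTO,
# is an assumption of this example.
CRYPTO_SUFFIX = ".CRYPTO"


def is_filled_with_a(path: Path, chunk: int = 65536) -> bool:
    """True if the file is non-empty and every byte is 'A' (0x41), the wipe
    pattern the article describes for the original files."""
    if path.stat().st_size == 0:
        return False
    with path.open("rb") as fh:
        while block := fh.read(chunk):
            if block.count(b"A") != len(block):
                return False
    return True


def triage(root: Path) -> dict:
    """Walk a tree, pair each *.CRYPTO copy with its original, and report
    originals that were overwritten and copies whose original is gone."""
    report = {"encrypted": [], "wiped_originals": [], "missing_originals": []}
    for p in sorted(root.rglob("*" + CRYPTO_SUFFIX)):
        if not p.is_file():
            continue
        rel = str(p.relative_to(root))
        report["encrypted"].append(rel)
        original = p.with_name(p.name[: -len(CRYPTO_SUFFIX)])
        if not original.exists():
            report["missing_originals"].append(rel)
        elif is_filled_with_a(original):
            report["wiped_originals"].append(str(original.relative_to(root)))
    return report


def demo() -> dict:
    """Build a constructed sample tree (not real victim data) and triage it."""
    root = Path(tempfile.mkdtemp())
    (root / "report.docx").write_bytes(b"A" * 4096)              # wiped original
    (root / "report.docx.CRYPTO").write_bytes(os.urandom(4096))  # encrypted copy
    (root / "notes.txt").write_bytes(b"meeting notes\n")         # untouched file
    (root / "db.bak.CRYPTO").write_bytes(os.urandom(512))        # original already deleted
    (root / "AAAA.txt").write_bytes(b"AAAA")                     # 'A's but no .CRYPTO sibling
    return triage(root)
```

Files that merely contain ‘A’ bytes but have no ‘.CRYPTO’ sibling are not reported, which keeps the check from flagging legitimate data.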

DearCry leaves a ransom note that includes contact information as well as an MD5 hash of the public master RSA-2048 key that was used to encrypt the file keys.

Let’s take a look at how SpinOne would protect against DearCry ransomware.

The encrypted files on the local computer are then synced to Google Drive.

The structure of the encrypted file looks similar to encryption by WannaCry ransomware. Supposedly, the attackers reused WannaCry’s source code.

SpinOne Ransomware Protection successfully detects and stops the attack. Then, SpinOne recovers the encrypted files in the cloud.

The files on Google Drive have been successfully recovered by SpinOne.


Dr. Alexander Adamov has 15 years' experience in the analysis of cyberattacks. He also teaches cybersecurity at the university and explores AI/ML capabilities.