
Stop DearCry Ransomware Exploits of Hafnium

Author: Venu Vissamsetty, V.P. Security Research, Attivo Networks – The recent Hafnium attacks drew attention to several Microsoft Exchange Server vulnerabilities, but other groups are now taking advantage of the same flaws to launch ransomware attacks. Attackers are targeting enterprises by exploiting the four recent Microsoft Exchange Server vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) to deploy the DearCry ransomware. Post-exploitation, attackers move inside the network by stealing privileged credentials from Active Directory to increase the number of systems on which they deploy ransomware.

Once installed, the DearCry ransomware uses AES-256 and RSA-2048 to encrypt files. The DearCry ransomware has been targeting and encrypting files with the following file extensions:

.TIF .TIFF .PDF .XLS .XLSX .XLTM .PS .PPS .PPT .PPTX .DOC .DOCX .LOG .MSG .RTF .TEX .TXT .CAD .WPS .EML .INI .CSS .HTM .HTML .XHTML .JS .JSP .PHP .KEYCHAIN .PEM .SQL .APK .APP .BAT .CGI .ASPX .CER .CFM .C .CPP .GO .CONFIG .PL .PY .DWG .XML .JPG .BMP .PNG .EXE .DLL .CAD .AVI .H .CSV .DAT .ISO .PST .PGD .7Z .RAR .ZIP .ZIPX .TAR .PDB .BIN .DB .MDB .MDF .BAK .LOG .EDB .STM .DBF .ORA .GPG .EDB .MFS

Source: https://www.bleepingcomputer.com/news/security/ransomware-now-attacks-microsoft-exchange-servers-with-proxylogon-exploits/

Protecting Data with the Attivo DataCloak function

Attivo customers can enable the ThreatDefend® platform’s Anti-Ransomware DataCloak function to protect against ransomware encrypting files, including the DearCry variant.

The DataCloak function hides and denies access to local files, folders, removable storage, network or cloud shares, and local administrator accounts. By denying attackers the ability to see or exploit critical data, organizations can disrupt discovery and lateral movement activities and limit the damage from ransomware attacks.

Enabling the Anti-Ransomware DataCloak function protects sensitive or essential files against ransomware by setting the Mode to “Alert and Protect” and the Protection Level to “Hide.” Any configured files and folders become invisible to malicious ransomware processes:

1. Configure the folders to protect and specify the file extensions to hide.

2. Configure Cloud Mapped Storage (OneDrive, Box, and Dropbox) to protect these locations.

3. Select the “Protect Network Shares” option to hide all SMB network-mapped shares from ransomware.

The image below shows an example of the ThreatDefend platform’s Anti-Ransomware function as configured to protect files in the “Desktop,” “Documents,” and “Downloads” folders.

[Image: ThreatDefend Anti-Ransomware function configuration]

The DearCry ransomware will encrypt files in all other folders, but not in the protected folders listed above.

The following image shows PDF files in the “Pictures” folder that the DearCry ransomware encrypted, adding a .CRYPT extension, whereas the PDF files in the protected “Desktop” folder remain unencrypted.

[Image: DearCry ransomware, encrypted files in “Pictures” with a .CRYPT extension versus unencrypted files in “Desktop”]

Comparing a file from the protected “Desktop” folder (on the left) with one from the unprotected “Pictures” folder (on the right) shows that the DearCry ransomware encrypted the unprotected file and prepended a “DEARCRY” file header to it, as seen in the image on the right.

[Image: protected file (left) versus unprotected, encrypted file with “DEARCRY” header (right)]
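The two indicators described above, the .CRYPT extension and the “DEARCRY” file header, are enough for a quick post-incident triage. The Python script below is an added example, not code from the post or from Attivo: it walks a directory tree, flags files carrying either indicator, and tallies encrypted versus still-clean targeted files per top-level folder so protected and unprotected folders can be compared as in the screenshots. The header offset (start of file), the case-insensitive suffix match, the extension subset and the sample files are assumptions constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Assumed from the post: encrypted files get a .CRYPT suffix and begin with the
# ASCII marker "DEARCRY". Exact marker bytes/offset are assumptions; verify on your samples.
DEARCRY_MARKER = b"DEARCRY"
CRYPT_SUFFIX = ".crypt"

# Subset of the extensions the post lists as targeted (lower-cased, with leading dot).
TARGETED_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                       ".sql", ".pem", ".bak", ".edb", ".mdf", ".zip"}


def is_dearcry_encrypted(path: Path) -> bool:
    """True if the file has the .CRYPT suffix or starts with the DEARCRY marker."""
    if path.suffix.lower() == CRYPT_SUFFIX:
        return True
    try:
        with path.open("rb") as fh:
            return fh.read(len(DEARCRY_MARKER)) == DEARCRY_MARKER
    except OSError:
        return False


def triage(root: Path) -> dict:
    """Count encrypted files and still-clean targeted files per top-level folder."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            parts = p.relative_to(root).parts
            folder = parts[0] if len(parts) > 1 else "."   # files directly under root
            entry = report.setdefault(folder, {"encrypted": 0, "at_risk_clean": 0})
            if is_dearcry_encrypted(p):
                entry["encrypted"] += 1
            elif p.suffix.lower() in TARGETED_EXTENSIONS:
                entry["at_risk_clean"] += 1
    return report


def build_sample_tree() -> Path:
    """Constructed sample mirroring the post's test: Desktop protected, Pictures hit."""
    root = Path(tempfile.mkdtemp())
    (root / "Desktop").mkdir(); (root / "Pictures").mkdir()
    (root / "Desktop" / "report.pdf").write_bytes(b"%PDF-1.4 clean document")
    (root / "Pictures" / "scan.pdf.CRYPT").write_bytes(DEARCRY_MARKER + b"\x00" * 16)
    (root / "Pictures" / "notes.txt").write_bytes(DEARCRY_MARKER + b"\x01\x02")  # header only
    return root


if __name__ == "__main__":
    print(triage(build_sample_tree()))
```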

The DearCry ransomware also leaves a note on the Desktop as follows:

Your file has been encrypted!

If you want to decrypt, please contact us.

konedieyp@airmail.cc or uenwonken@memail.com

And please send me the following hash!

638428e5021d4ae247b21acf9c0bf6f6

Attivo customers should enable the Attivo Anti-Ransomware capability to protect local data. Testing and customer testimonials have shown that the DataCloak function can protect sensitive or critical data from unauthorized access, exploitation, and encryption.

References:

https://www.attivonetworks.com/hafnium-active-exploitation-of-microsoft-exchange-and-lateral-movement/
