- The threat, known as DearCry (also called DoejoCrypt), has exposed businesses across the entire US.
- More than 82,000 servers remained exposed to the vulnerabilities this ransomware exploits.
- Microsoft names the China-backed hacking group Hafnium as responsible for the threat.
Introduction:
Hackers are exploiting recently disclosed vulnerabilities in Exchange email servers to drop ransomware. Microsoft warns that this has exposed thousands of email servers, and the email they hold, to ransomware.
“We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers,” Microsoft Security Intelligence tweeted at 11:53 p.m. ET Thursday. “Microsoft protects against this threat known as … DearCry.”
When the flaws are chained together, an attacker can gain total control of the vulnerable system. Microsoft named Hafnium as the primary group behind the exploitation of these flaws, and the software giant claims that Hafnium used that access for espionage and intelligence gathering.
More insight on the ransomware:
According to other security firms, other hacking groups have also exploited the same vulnerabilities. ESET claims that at least 10 groups are actively compromising Exchange servers. Michael Gillespie, a ransomware expert known for developing ransomware decryption tools, says that many vulnerable Exchange servers in the US, Canada, and Australia appear to be infected with DearCry.
The new ransomware appeared less than a day after a security researcher published proof-of-concept exploit code for the vulnerabilities on GitHub, which is owned by Microsoft. The code was removed swiftly, after only a short time online, because it violated the company's policies. According to a tweet by Marcus Hutchins, the code appeared to be functional, albeit in need of certain fixes.
Claims from various Intelligence companies:
According to the threat intelligence company RiskIQ, more than 82,000 servers were still exposed to the vulnerabilities as of Thursday, though the company says that the number is declining. It added that servers belonging to healthcare and banking organisations remain affected, and that around 150 servers in the U.S. federal government are also exposed. That is a rapid decline from the 400,000 vulnerable servers counted when Microsoft first revealed the attacks on the 2nd of March, the company says. Microsoft published security fixes last week, but the patches do not remove attackers from servers that were already breached. Both the FBI and CISA have warned that the vulnerabilities pose a major risk to businesses across the entire United States of America.
John Hultquist, vice president of analysis at FireEye's Mandiant threat intelligence unit, says he anticipates a growing number of ransomware groups trying to cash in.
“Though many of the still unpatched organizations may have been exploited by cyber espionage actors, criminal ransomware operations may pose a greater risk as they disrupt organizations and even extort victims by releasing stolen emails,” said Hultquist.