DearCry is a new ransomware variant that exploits the same vulnerabilities in Micosoft Exchange as Hafnium. It creates encrypted copies of the attacked files and deletes the originals.
DearCry’s encryption is based on a public-key cryptosystem. The public encryption key is embedded in the ransomware binary, meaning it does not need to contact the attacker’s command-and-control server to encrypt your files.
Exchange servers that are setup to only allow internet access for the Exchange services will still become encrypted. Without the decryption key (which is in possession of the attacker) decryption is not possible.
Stopping DearCry ransomware
Sophos Intercept X detects and blocks DearCry ransomware with both CryptoGuard and signature-based protections.
If you are affected by DearCry it means the attackers have taken advantage of the persistence established by Hafnium. You need to both block DearCry ransomware AND neutralize the attackers before they can carry out further attacks.
Secure you network from future attacks
In the wake of Hafnium, multiple actors are now taking advantage of the Exchange/ProxyLogon issues to conduct a range of attacks.
Anyone running on-premises Microsoft Exchange servers should patch as a matter of urgency, and search their network for signs of attack.
Patching alone does not mean you are protected. You also need to investigate for indicators of attack and compromise, as an adversary may have already exploited these vulnerabilities.
For step-by-step instructions on how to determine if you impacted, read our guidance here.
For help identifying and neutralizing potential adversarial activity in you environment, contact Sophos MTR.