DearCry ransomware exploits Exchange server vulnerability

• Encrypts files using AES-256 and RSA-2048 ciphers, which makes decryption impossible without paying a ransom
• Adds ‘.CRYPTO’ extension
  
• Replaces the content of the original files with “A”
  
• Also known as “Ransom:Win32/DoejoCrypt.A” according to the Microsoft’s malware naming convention
  
• Targeting organizations in the United States, Luxembourg, Indonesia, Ireland, India and Germany
  

The attackers use the recently disclosed zero-day ProxyLogon vulnerabilities to hack into Microsoft Exchange servers. The first DearCry attack was discovered on March 9, 2021.

The file under analysis is 1322521 bytes in size (SHA256: fdec933ca1dd1387d970eeea32ce5d1f87940dfb6a403ab5fc149813726cbd65), and at the time of writing was detected by 45 antiviruses out of 68 mentioned on VirusTotal.

This sample was first submitted to VirusTotal on March 12, 2021:

The original file name is ‘encryptfile.exe’ according to static analysis of the executable file. This can be guessed from the debug information available in the binary:
c:\users\john\documents\visual studio 2008\projects\encryptfile -svcv2\release\encryptfile.exe.pdb

Once executed, the malware registers a service named ‘msupdate.’

It begins file encryption using this service.

After file encryption is completed, DearCry stops and deletes the service.

To encrypt files, DearCry uses the AES-256 cipher, the keys for which are encrypted afterwards with the following master public RSA-2048 key:

The ransomware calculates the MD5 hash of the public key:

It then inserts this hash into a ransom note:

DearCry locates all logical drives from ‘C:’ to ‘Z:.’ If the disk is not a CDROM drive, it creates a text file in the root directory named ‘readme.txt’ and saves the ransom note there. 

DearCry searches for files on the disk with a filename less than 1300 characters. It encrypts all such files with the following extensions:

.TIF
.TIFF
.PDF
.XLS
.XLSX
.XLTM
.PS
.PPS
.PPT
.PPTX
.DOC
.DOCX
.LOG
.MSG
.RTF
.TEX
.TXT
.CAD
.WPS
.EML
.DBF
.INI
.CSS
.HTM
.HTML
.XHTML
.JS
.JSP
.PHP
.KEYCHAIN
.PEM
.SQL
.APK
.APP
.BAT
.CGI
.ASPX
.CER
.CFM
.C
.CPP
.STM
.GO
.CONFIG
.CSV
.DAT
.ISO
.PST
.PGD
.7Z
.RAR
.ZIP
.ZIPX
.TAR
.PDB
.BIN
.DB
.MDB
.MDF
.BAK
.LOG
.EDB
.ORA

DearCry does not encrypt files in the following folders:

%WinDir%
%AppData%
%ProgramFiles(x86)%
%Temp%

The ransomware adds the header “DEARCRY!” to the encrypted files and also adds the extension “.CRYPT.”

The structure of the encrypted file is as follows:

To complicate the recovery, the ransomware overwrites the data in the original file with the character ‘A’:

Acronis Cyber Protect not only detects and blocks DearCry ransomware, but can also automatically restore affected files in a matter of seconds.

Attacks with controlled execution, in which the attackers exploit zero-day vulnerabilities discovered in popular services, are especially dangerous. The file encryption scheme employed by DearCry — which includes both symmetric and asymmetric encryption — leaves no chance of file decryption without the right key. In addition, overwriting the content of the original files complicates recovery.

Hash: 0e55ead3b8fd305d9a54f78c7b56741a