Analysis of the emerging DearCry ransomware, which has so far infected a limited number of organisations exposed through the ProxyLogon Microsoft Exchange Server vulnerabilities, has uncovered a rare encryption attack behaviour seen before in WannaCry, according to researchers at Sophos.
Mark Loman, director of Sophos’ engineering technology office, examined DearCry samples obtained in a thwarted cyber attack on one of the firm’s clients and found it was relatively unsophisticated and does little to obfuscate its presence, so it was likely created by someone new to the game.
However, said Loman, his analysis had also uncovered a rare “hybrid” approach to encryption, which he said he had only seen before with WannaCry.
“Both first create an encrypted copy of the attacked file, an approach we call ‘copy’ encryption, and then overwrite the original file to prevent recovery, what we call ‘in-place’ encryption,” said Loman. “Copy ransomware allows victims to potentially recover some data. However, with ‘in-place’ encryption, recovery via undelete tools is impossible. Notorious human-operated ransomwares like Ryuk, REvil, BitPaymer, Maze and Cl0p, use ‘in-place’ encryption only.”
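To make the distinction Loman draws concrete, the following is an added example (not Sophos’ code and not DearCry’s) that models a disk as fixed-size blocks and runs the three strategies against a constructed sample file: ‘copy’ encryption, ‘in-place’ encryption, and the hybrid of the two. The cipher is a toy SHA-256 counter-mode stream, the file names, key and what the hybrid writes over the original (zeros) are assumptions, and the `carve` check stands in for an undelete or file-carving tool that scans the raw medium for a known signature regardless of allocation.

```python
import hashlib

BLOCK = 16
PLAINTEXT = b"CONFIDENTIAL: Q1 payroll export, do not distribute"   # constructed sample file
MARKER = b"CONFIDENTIAL"                                             # signature a carving tool would look for


def toy_stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode XORed over the data.
    Encrypt and decrypt are the same call. It stands in for the real cipher
    only; the file-system behaviour below is the point of the demo."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class ToyDisk:
    """Constructed block-device model: fixed-size blocks plus a free list.
    As on a real file system, deleting a file only frees its blocks; the
    bytes stay on the medium until something else overwrites them."""

    def __init__(self, nblocks: int = 64):
        self.blocks = [bytes(BLOCK)] * nblocks
        self.free = list(range(nblocks))
        self.files = {}   # name -> (block indices, byte length)

    def _chunks(self, data: bytes):
        return [data[i:i + BLOCK].ljust(BLOCK, b"\0")
                for i in range(0, len(data), BLOCK)] or [bytes(BLOCK)]

    def write(self, name: str, data: bytes) -> None:
        """Create a file: allocate fresh blocks from the free list."""
        if name in self.files:
            self.delete(name)
        chunks = self._chunks(data)
        idx = [self.free.pop(0) for _ in chunks]
        for i, c in zip(idx, chunks):
            self.blocks[i] = c
        self.files[name] = (idx, len(data))

    def overwrite_in_place(self, name: str, data: bytes) -> None:
        """Rewrite an existing file's own blocks; no new allocation."""
        idx, _ = self.files[name]
        chunks = self._chunks(data)
        assert len(chunks) <= len(idx), "in-place overwrite must not grow the file"
        for i, c in zip(idx, chunks):
            self.blocks[i] = c
        self.files[name] = (idx, len(data))

    def read(self, name: str) -> bytes:
        idx, n = self.files[name]
        return b"".join(self.blocks[i] for i in idx)[:n]

    def delete(self, name: str) -> None:
        """Unlink: return the blocks to the free list without wiping them."""
        idx, _ = self.files.pop(name)
        self.free.extend(idx)

    def carve(self, marker: bytes) -> bool:
        """What an undelete/file-carving tool does: scan the raw medium,
        allocated or not, for a known signature."""
        return marker in b"".join(self.blocks)


def copy_encrypt(disk: ToyDisk, name: str, key: bytes) -> None:
    """'Copy' encryption: ciphertext goes to a new file and the original is
    unlinked. Its blocks are freed, not wiped, so the plaintext lingers."""
    disk.write(name + ".CRYPT", toy_stream_xor(key, disk.read(name)))
    disk.delete(name)


def inplace_encrypt(disk: ToyDisk, name: str, key: bytes) -> None:
    """'In-place' encryption: ciphertext is written over the original's own
    blocks, so no plaintext copy survives on the medium."""
    disk.overwrite_in_place(name, toy_stream_xor(key, disk.read(name)))


def hybrid_encrypt(disk: ToyDisk, name: str, key: bytes) -> None:
    """The hybrid pattern Loman describes: encrypted copy first, then the
    original is overwritten in place before being unlinked. Overwriting with
    zeros is an assumption for the demo; any overwrite destroys the blocks."""
    disk.write(name + ".CRYPT", toy_stream_xor(key, disk.read(name)))
    disk.overwrite_in_place(name, bytes(disk.files[name][1]))
    disk.delete(name)


def plaintext_recoverable(strategy) -> bool:
    """Run one strategy against a fresh disk holding the sample file and
    report whether a carving tool could still find the plaintext."""
    disk = ToyDisk()
    disk.write("payroll.xlsx", PLAINTEXT)
    strategy(disk, "payroll.xlsx", b"demo-key-not-secret")
    return disk.carve(MARKER)


if __name__ == "__main__":
    for s in (copy_encrypt, inplace_encrypt, hybrid_encrypt):
        print(f"{s.__name__:16s} plaintext recoverable by undelete: {plaintext_recoverable(s)}")
```

The model is deliberately simple (no journaling, no shadow copies, no wear-levelling), but it shows why the distinction matters for incident response: after copy-only encryption the freed blocks are a recovery target, whereas after an in-place overwrite, with or without a preceding copy, carving the medium yields nothing.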
The similarities between DearCry and WannaCry do not end there, he said – the names and header added to encrypted files also bear much in common. This is not, however, conclusive enough evidence to link DearCry to WannaCry’s creator, cautioned Loman, and some of DearCry’s code, approach and abilities are materially different. For example, it does not use a command-and-control (C2) server, has an embedded RSA encryption key, shows no user interface with a timer, and significantly and thankfully, does not spread itself to other machines on the target network.
“We found a number of other unusual DearCry characteristics, including the fact that the ransomware actor has been creating new binaries for new victims. The list of file types targeted has evolved from victim-to-victim too,” said Loman.
“Our analysis further shows that the code does not come with the kind of anti-detection features you would normally expect with ransomware, like packing or obfuscation. These and other signs suggest that DearCry may be a prototype, possibly rushed into use to seize the opportunity presented by the Microsoft Exchange Server vulnerabilities, or created by less experienced developers.”
Loman added that defenders should take urgent steps to install Microsoft’s patches to prevent exploitation of their on-premises Exchange servers and, if this is not possible, to disconnect them from the internet entirely or monitor them very closely. More information on the DearCry samples analysed by Sophos can be found here.
To date, only a very small number of organisations are known to have been hit with DearCry, which was first reported on Tuesday 9 March before being confirmed by Microsoft later in the week. It was spotted at first by ID Ransomware creator Michael Gillespie, who found it being submitted from Exchange servers into the ID Ransomware system.
As of Thursday 11 March, there were six unique attacks attributable to DearCry reported to ID Ransomware, from Australia, Canada and the US, and there may also be victims in Austria and Denmark.