DearCry Ransomware Targets Exchange Servers Using ProxyLogon vulnerability


Threat actors are using the recently disclosed zero-day ProxyLogon vulnerabilities to install a new strain of ransomware, called DEARCRY, on Exchange servers.

Zero-Day Exchange Vulnerability

Earlier this month, Microsoft revealed that four zero-day vulnerabilities were being exploited in the wild by the HAFNIUM threat actors.

These four zero-day vulnerabilities are chained together:

  • to gain access to Microsoft Exchange servers
  • to steal email
  • and to plant further malware for increased access to the network.

However, researchers on security forums had raised a question: “Could the Exchange servers left unpatched after the zero-day campaign open the pathway for ransomware infections?”

That fear has now become a reality: threat actors are using the vulnerabilities to install the DearCry ransomware.


DearCry Ransomware

Microsoft researcher Phillip Misner tweeted: “Microsoft observed a new family of human operated ransomware attack customers – detected as Ransom:Win32/DoejoCrypt.A.”

He further added: “Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers.”

The attacks began on March 9, when users started submitting their encrypted files and a new ransom note to the ransomware identification site ID-Ransomware, according to Michael Gillespie, the creator of the site.

After reviewing the submissions, Gillespie found that almost all of the submitted files came from Microsoft Exchange servers. Microsoft security researcher Phillip Misner confirmed the DearCry attacks.

Attack Workflow

According to Palo Alto Networks, the new ransomware variant hitting Exchange Servers exploits the ProxyLogon vulnerability for initial access.

Firstly, once launched, DearCry runs a service named “msupdate”, which is not native to the Windows operating system. Once the ransomware finishes its encryption process, the service is removed.

Secondly, the ransomware begins to encrypt files on the victim’s computer whose names match the following extensions:


Next, it appends the .CRYPT extension to the name of each file it encrypts.

When executed, DearCry uses AES-256 and RSA-2048 to encrypt the victim’s files, and also modifies the file headers to include the string ‘DEARCRY!’.

Source – Palo Alto
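The two file-level artifacts described above (the .CRYPT suffix and the ‘DEARCRY!’ header string) give defenders something concrete to sweep for on a suspected server. The script below is an added example written for this article, not code from Palo Alto Networks or from the ransomware itself: it walks a directory tree and reports each file that carries either indicator, so a renamed file is still caught by its header. The sample files it creates are constructed test data, and the assumption that the marker falls within the first 256 bytes of the file is ours, since the page gives no offset.

```python
import os
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted files receive a .CRYPT suffix
# and their header is modified to contain the string 'DEARCRY!'.
CRYPT_SUFFIX = ".CRYPT"
HEADER_MARKER = b"DEARCRY!"
# Assumption (not stated on the page): the marker sits within the first 256 bytes.
HEADER_WINDOW = 256


def header_has_marker(path: Path) -> bool:
    """Return True if the first HEADER_WINDOW bytes of the file contain DEARCRY!."""
    try:
        with path.open("rb") as fh:
            return HEADER_MARKER in fh.read(HEADER_WINDOW)
    except OSError:
        # Unreadable files (locked, permission denied) are skipped, not flagged.
        return False


def scan_tree(root) -> dict:
    """Walk `root` and collect two independent indicators per file.

    'suffix' : file name ends with .CRYPT (cheap, but trivially changed)
    'header' : file content carries the DEARCRY! marker (survives a rename)
    Returns {relative_path: set_of_indicators} for every file hitting at least one.
    """
    root = Path(root)
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            found = set()
            if name.upper().endswith(CRYPT_SUFFIX):
                found.add("suffix")
            if header_has_marker(p):
                found.add("header")
            if found:
                hits[str(p.relative_to(root)).replace(os.sep, "/")] = found
    return hits


def build_constructed_sample(base) -> Path:
    """Create a small constructed directory tree (test data, not real ransomware output)."""
    base = Path(base)
    (base / "mail").mkdir(parents=True, exist_ok=True)
    # Both indicators: renamed to .CRYPT and header marker at offset 0.
    (base / "mail" / "report.docx.CRYPT").write_bytes(HEADER_MARKER + b"\x00" * 32)
    # Clean file: a legitimate PST header, must not be flagged.
    (base / "mail" / "archive.pst").write_bytes(b"!BDN" + b"\x00" * 32)
    # Header only: marker present but the .CRYPT suffix was removed.
    (base / "mail" / "renamed.bin").write_bytes(b"\x10" * 8 + HEADER_MARKER + b"\x00" * 32)
    # Suffix only: looks encrypted by name, but the header carries no marker.
    (base / "notes.txt.CRYPT").write_bytes(b"plain text, no marker")
    return base


def demo() -> dict:
    """Build the constructed sample in a temp dir and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_constructed_sample(tmp))


if __name__ == "__main__":
    for path, indicators in sorted(demo().items()):
        print(f"{path}: {', '.join(sorted(indicators))}")
```

Reporting the two indicators separately matters in triage: a file that matches only by suffix may be a false positive from some unrelated tool, while a header match on a file without the suffix suggests someone has already tried to tidy up after the encryption run.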

As the final step of its workflow, DearCry drops a ransom note on the victim’s desktop. The note includes two email addresses

  • konedieyp@airmail[.]cc
  • uenwonken@memail[.]com

that the victim is asked to contact, together with a request that a provided hash be sent to the attackers.

Security Recommendation

According to Palo Alto Networks, approximately 80,000 Exchange servers still cannot directly apply the recent security updates.

In short, all organizations are strongly recommended to apply the patches as soon as possible, not only to protect mailboxes from being stolen but also to prevent them from being encrypted.

Organizations should also create offline backups of their Exchange servers.

Indicators Of Compromise

SHA256 Hash:


File Name:



Ransom Note Text:

Your file has been encrypted!
If you want to decrypt, please contact us. or
And please send me the following hash!
[victim id]

Published March 14th, 2021 | Ransomware, Zero Day Attack

About the Author: FirstHackersNews