[BreachExchange] Unusual DearCry ransomware uses ‘rare’ approach to encryption

Destry Winant destry at riskbasedsecurity.com
Thu Mar 18 10:41:11 EDT 2021


https://www.computerweekly.com/news/252497918/Unusual-DearCry-ransomware-uses-rare-approach-to-encryption

Analysis of the emerging DearCry ransomware, which has so far infected
a limited number of organisations exposed through the ProxyLogon
Microsoft Exchange Server vulnerabilities, has uncovered a rare
encryption attack behaviour seen before in WannaCry, according to
researchers at Sophos.


Mark Loman, director of Sophos’ engineering technology office, examined
DearCry samples obtained in a thwarted cyber attack on one of the
firm’s clients and found it was relatively unsophisticated and does
little to obfuscate its presence, so was likely created by someone new
to the game.

However, said Loman, his analysis had also uncovered a rare “hybrid”
approach to encryption, which he said he had only seen before with
WannaCry.

“Both first create an encrypted copy of the attacked file, an approach
we call ‘copy’ encryption, and then overwrite the original file to
prevent recovery, what we call ‘in-place’ encryption,” said Loman.
“Copy ransomware allows victims to potentially recover some data.
However, with ‘in-place’ encryption, recovery via undelete tools is
impossible. Notorious human-operated ransomwares like Ryuk, REvil,
BitPaymer, Maze and Cl0p, use ‘in-place’ encryption only.”
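The copy-then-overwrite sequence Loman describes is something a defender can look for in file-activity telemetry. The following is an added illustration, not code from Sophos or the article: it walks a constructed event log and flags a process that first creates a sibling file with an added extension and then modifies the original, while leaving copy-only activity (the recoverable case) as a separate, lower-severity list. The event tuple layout and the `.crypt` suffix are assumed placeholders, not DearCry's actual artefacts.

```python
"""Flag the hybrid 'copy' then 'in-place' encryption pattern in file events.

Added example, not Sophos' or Computer Weekly's code. The event format and
the '.crypt' suffix are assumed placeholders, not DearCry's real artefacts.
"""
from collections import defaultdict

ENCRYPTED_SUFFIX = ".crypt"   # assumed placeholder for the appended extension

# Constructed sample telemetry: (seq, pid, op, path), where op is
# "create" (new file), "write" (existing file modified) or "delete".
SAMPLE_EVENTS = [
    (1, 4242, "create", "C:/data/report.docx.crypt"),   # copy encryption
    (2, 4242, "write",  "C:/data/report.docx"),         # in-place overwrite
    (3, 4242, "delete", "C:/data/report.docx"),
    (4, 4242, "create", "C:/data/budget.xlsx.crypt"),
    (5, 4242, "write",  "C:/data/budget.xlsx"),
    (6, 1000, "create", "C:/data/notes.txt.bak"),       # benign backup tool
    (7, 1000, "write",  "C:/data/other.txt"),
    (8, 5555, "create", "C:/tmp/a.pdf.crypt"),          # copy only, recoverable
]


def hybrid_encryption_alerts(events, window=3):
    """Return (alerts, copy_only).

    alerts: (pid, original_path) pairs where a process created
            <original><ENCRYPTED_SUFFIX> and then wrote to <original>
            within `window` events, i.e. the hybrid pattern.
    copy_only: pid -> originals that got an encrypted sibling but were
            never overwritten, the case where undelete tools may still help.
    """
    pending = defaultdict(dict)   # pid -> original_path -> seq of the copy
    alerts = []
    for seq, pid, op, path in sorted(events):
        if op == "create" and path.endswith(ENCRYPTED_SUFFIX):
            pending[pid][path[: -len(ENCRYPTED_SUFFIX)]] = seq
        elif op == "write" and path in pending[pid]:
            if seq - pending[pid][path] <= window:
                alerts.append((pid, path))
            del pending[pid][path]
    copy_only = {pid: sorted(p) for pid, p in pending.items() if p}
    return alerts, copy_only


if __name__ == "__main__":
    found, recoverable = hybrid_encryption_alerts(SAMPLE_EVENTS)
    print("hybrid (in-place) alerts:", found)
    print("copy-only candidates:", recoverable)
```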

The similarities between DearCry and WannaCry do not end there, he
said – the names and header added to encrypted files also bear much in
common. This is not, however, conclusive enough evidence to link
DearCry to WannaCry’s creator, cautioned Loman, and some of DearCry’s
code, approach and abilities are materially different. For example, it
does not use a command-and-control (C2) server, has an embedded RSA
encryption key, shows no user interface with a timer, and
significantly and thankfully, does not spread itself to other machines
on the target network.

“We found a number of other unusual DearCry characteristics, including
the fact that the ransomware actor has been creating new binaries for
new victims. The list of file types targeted has evolved from
victim-to-victim too,” said Loman.

“Our analysis further shows that the code does not come with the kind
of anti-detection features you would normally expect with ransomware,
like packing or obfuscation. These and other signs suggest that
DearCry may be a prototype, possibly rushed into use to seize the
opportunity presented by the Microsoft Exchange Server
vulnerabilities, or created by less experienced developers.”


Loman added that defenders should take urgent steps to install
Microsoft’s patches to prevent exploitation of their on-premise
Exchange Servers, and if this is not possible, to disconnect them from
the internet entirely, or watch them like a hawk. More information on
the DearCry samples analysed by Sophos can be found here.

To date, only a very small number of organisations are known to have
been hit with DearCry, which was first reported on Tuesday 9 March
before being confirmed by Microsoft later in the week. It was spotted
at first by ID Ransomware creator Michael Gillespie, who found it
being submitted from Exchange servers into the ID Ransomware system.

As of Thursday 11 March, there were six unique attacks attributable to
DearCry reported to ID Ransomware, from Australia, Canada and the US,
and there may also be victims in Austria and Denmark.
