The original Hafnium server hacks were likely espionage-motivated, but now the predicted second wave driven clearly by criminal intent has started.
Microsoft has confirmed hackers are attacking unpatched Exchange servers and installing the Dearcry ransomware on some occasions.
Microsoft observed a new family of human operated ransomware attack customers – detected as Ransom:Win32/DoejoCrypt.A. Human operated ransomware attacks are utilizing the Microsoft Exchange vulnerabilities to exploit customers. #DearCry @MsftSecIntel
— Phillip Misner (@phillip_misner) March 12, 2021
The Dearcry ransomware then attempts to prevent Windows Update from running and installing a fix for the vulnerability. The next step is encrypting your files and then delivering a ransom note on your desktop.
While Microsoft has released a patch more than 10 days ago, Palo Alto Networks noted that 80,000 older servers are still unpatched.
“I’ve never seen security patch rates this high for any system, much less one as widely deployed as Microsoft Exchange,” said Matt Kraning, Chief Technology Officer, Cortex at Palo Alto Networks. “Still, we urge organizations running all versions of Exchange to assume they were compromised before they patched their systems, because we know attackers were exploiting these zero-day vulnerabilities in the wild for at least two months before Microsoft released the patches on March 2.”