The Week in Ransomware – March 12th 2021 – Encrypting Exchange servers


For the past two weeks, the cybersecurity news has been dominated by stories about the Microsoft Exchange ProxyLogon vulnerabilities. One overriding concern has been when will ransomware actors use the vulnerabilities to compromise and encrypt mail servers.

Unfortunately, last night our fears became a reality after ID-Ransomware creator Michael Gillespie revealed that the new DearCry ransomware targeted Microsoft Exchange servers.

After BleepingComputer broke the DearCry ransomware story, Microsoft confirmed that the ransomware was being installed on servers compromised by the ProxyLogon exploits.

If you run a Microsoft Exchange server, you must take the OWA component offline or patch the server. In addition to applying patches, admins should also perform a complete offline backup of the server to prevent it from being encrypted if already compromised.

While the DearCry/Exchange news is big enough, there has also been other news this week.

At the beginning of the week, we broke the story that the REvil ransomware operation plans to DDoS victims and call their business partners to further pressure victims into paying.

We also learned of new ransomware attacks against organizations, including Molson Coors and the Spanish government.

Contributors and those who provided new ransomware information and stories this week include @Ionut_Ilascu, @serghei, @malwareforme, @VK_Intel, @malwrhunterteam, @BleepinComputer, @PolarToffee, @Seifreed, @LawrenceAbrams, @demonslay335, @jorntvdw, @fwosar, @DanielGallagher, @struppigel, @FourOctets, @AuCyble, @MBThreatIntel, @quickheal, @pancak3lullz, @phillip_misner, @fbgwls245, @johnnysaks130, @JakubKroustek, @kryptoslogic, @2sec4u, @MalwareTechBlog, @3xp0rtblog, and @siri_urz.

March 6th 2021

Ransomware gang plans to call victim’s business partners about attacks

The REvil ransomware operation announced this week that they are using DDoS attacks and voice calls to journalists and victims' business partners to pressure victims into paying.

New Jessy Dharma ransomware variant

Jakub Kroustek found a new Dharma Ransomware variant that appends the .Jessy extension.

March 7th 2021

New ROG Dharma ransomware variant

Jakub Kroustek found a new Dharma Ransomware variant that appends the .ROG extension.

March 8th 2021

New Sarbloh ransomware supports Indian farmers’ protest

A new ransomware known as Sarbloh encrypts your files while at the same time delivering a message supporting the protests of Indian farmers.

Sarbloh ransom note

Flagstar Bank hit by data breach exposing customer, employee data

US bank and mortgage lender Flagstar has disclosed a data breach after the Clop ransomware gang hacked their Accellion file transfer server in January.

New JDPR Matrix ransomware variant

dnwls0719 found a new Matrix ransomware variant that appends the .JDPR extension and drops a ransom note named JDPR_README.rtf.

Healthcare Providers Were Warned of a Ransomware Surge Last Fall. Some Still Aren’t Sure How Serious the Threat Was

Late last October, when the U.S. government warned of an imminent ransomware threat to the country’s hospitals and healthcare providers, many in the industry had a similar reaction: they paused, took a deep breath, and braced for impact.

March 9th 2021

GandCrab ransomware affiliate arrested for phishing attacks

A suspected GandCrab Ransomware member was arrested in South Korea for using phishing emails to infect victims.

New Bad Gopher ransomware

S!Ri found a new ransomware that appends the .gopher extension.

Bad Gopher

March 10th 2021

Ryuk ransomware hits 700 Spanish government labor agency offices

The systems of SEPE, the Spanish government agency for labor, were taken down following a ransomware attack that hit more than 700 agency offices across Spain.

New STOP ransomware variants

Michael Gillespie found new STOP Djvu ransomware variants that append the .reig and .tirp extensions to encrypted files.

DarkSide Ransomware 2.0 released

3xp0rt found a post on a Russian-speaking hacker forum where threat actors announced the new DarkSide 2.0 ransomware. This version allegedly includes faster encryption and additional features.

March 11th 2021

Molson Coors brewing operations disrupted by cyberattack

The Molson Coors Beverage Company has suffered a cyberattack that is causing significant disruption to business operations.

Ransomware now attacks Microsoft Exchange servers with ProxyLogon exploits

Threat actors are now installing a new ransomware called ‘DEARCRY’ after hacking into Microsoft Exchange servers using the recently disclosed ProxyLogon vulnerabilities.

DearCry ransom note

DearCry found to be targeting Exchange

Michael Gillespie was the first to disclose that the new DearCry ransomware was targeting Exchange servers.

New Dharma ransomware variants

Jakub Kroustek found new Dharma Ransomware variants that append the .biden, .eofyd, and .duk extensions.

March 12th 2021

New Dharma ransomware variants

Jakub Kroustek found new Dharma Ransomware variants that append the .LAO and .pirat extensions.
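Several items this week (the Dharma, Matrix, STOP Djvu and Bad Gopher entries above) are reported only by the extension the ransomware appends or the ransom note it drops, which is exactly what an incident responder matches on when triaging a hit file server. The script below is an added example, not BleepingComputer's or ID-Ransomware's code: it takes the extensions and note name from this week's roundup, walks a listing or a real directory tree, and summarises which family each indicator points to. The function names and the sample file listing are constructed for the example.

```python
"""Triage helper: match the encrypted-file extensions and ransom-note names
reported in this week's roundup against a file listing or directory tree.
Added example; the indicator table is taken from the roundup text only."""
import os
from collections import Counter, defaultdict

# Extension -> family, as reported in the roundup (stored lower-case so that
# upper-case variants such as .LAO and .JDPR still match).
EXTENSION_FAMILIES = {
    ".jessy": "Dharma", ".rog": "Dharma", ".biden": "Dharma", ".eofyd": "Dharma",
    ".duk": "Dharma", ".lao": "Dharma", ".pirat": "Dharma",
    ".jdpr": "Matrix",
    ".reig": "STOP Djvu", ".tirp": "STOP Djvu",
    ".gopher": "Bad Gopher",
}
# Ransom-note filename -> family; the roundup names only the Matrix note.
NOTE_FAMILIES = {"jdpr_readme.rtf": "Matrix"}


def _basename(path):
    """Last path component, accepting Windows or POSIX separators, since
    listings are often exported from Windows hosts and parsed elsewhere."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify_path(path):
    """Return (family, indicator_kind) for one path, or None if nothing matches."""
    name = _basename(path)
    if name in NOTE_FAMILIES:
        return NOTE_FAMILIES[name], "ransom note"
    # Ransomware appends its marker after the original extension, so only the
    # final suffix is compared (q1.xlsx.LAO -> .lao).
    ext = os.path.splitext(name)[1]
    if ext in EXTENSION_FAMILIES:
        return EXTENSION_FAMILIES[ext], "encrypted file"
    return None


def triage_paths(paths):
    """Summarise a list of paths as {family: {indicator_kind: count}}."""
    summary = defaultdict(Counter)
    for p in paths:
        hit = classify_path(p)
        if hit:
            family, kind = hit
            summary[family][kind] += 1
    return {fam: dict(counts) for fam, counts in summary.items()}


def triage_tree(root):
    """Walk a real directory tree and triage every file found in it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return triage_paths(paths)


if __name__ == "__main__":
    # Constructed sample listing standing in for an exported file-server walk.
    sample = [
        r"C:\Shares\Finance\q1.xlsx.LAO",
        r"C:\Shares\Finance\budget.docx.lao",
        r"C:\Shares\HR\JDPR_README.rtf",
        r"C:\Shares\HR\contracts.pdf.JDPR",
        r"C:\Users\Public\photo.jpg.tirp",
        r"C:\Users\Public\notes.txt",
    ]
    for family, counts in sorted(triage_paths(sample).items()):
        print(f"{family}: {counts}")
```

Run it against an exported listing with `triage_paths` or point `triage_tree` at a mounted, read-only copy of the affected volume; a single family with both "ransom note" and "encrypted file" hits is a much stronger identification than an extension alone, since several families reuse short extensions.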

6,970 publicly exposed web shells on Exchange servers

Kryptos Logic reported that there were 6,970 publicly exposed web shells on Exchange servers that were being targeted by threat actors.

That’s it for this week! Hope everyone has a nice weekend!