For the past two weeks, the cybersecurity news has been dominated by stories about the Microsoft Exchange ProxyLogon vulnerabilities. One overriding concern has been when will ransomware actors use the vulnerabilities to compromise and encrypt mail servers.
Unfortunately, last night our fears became a reality after ID-Ransomware creator Michael Gillespie revealed that the new DearCry Ransomware targeted Microsoft Exchange servers.
If you run a Microsoft Exchange server, you must take the OWA component offline or patch the server. In addition to applying patches, admins should also perform a complete offline backup of the server to prevent it from being encrypted if already compromised.
While the DearCry/Exchange news is big enough, there have also been other news this week.
At the beginning of the week, we broke the story that the REvil ransomware operation plans on DDoS victims and call their business partners to further pressure victim’s into paying.
Contributors and those who provided new ransomware information and stories this week include @Ionut_Ilascu, @serghei, @malwareforme, @VK_Intel, @malwrhunterteam, @BleepinComputer, @PolarToffee, @Seifreed, @LawrenceAbrams, @demonslay335, @jorntvdw, @fwosar, @DanielGallagher, @struppigel, @FourOctets, @AuCyble, @MBThreatIntel, @quickheal, @pancak3lullz, @phillip_misner, @fbgwls245, @johnnysaks130, @JakubKroustek, @kryptoslogic, @2sec4u, @MalwareTechBlog, @3xp0rtblog, and @siri_urz.
March 6th 2021
The REvil ransomware operation announced this week that they are using DDoS attacks and voice calls to journalists and victim’s business partners to generate ransom payments.
Jakub Kroustek found a new Dharma Ransomware variant that appends the .Jessy extension.
March 7th 2021
Jakub Kroustek found a new Dharma Ransomware variant that appends the .ROG extension.
March 8th 2021
A new ransomware known as Sarbloh encrypts your files while at the same time delivering a message supporting the protests of Indian farmers.
US bank and mortgage lender Flagstar has disclosed a data breach after the Clop ransomware gang hacked their Accellion file transfer server in January.
dnwls0719 found a new Matrix ransomware variant that appends the .JDPR extension and drops a ransom note named JDPR_README.rtf.
Healthcare Providers Were Warned of a Ransomware Surge Last Fall. Some Still Aren’t Sure How Serious the Threat Was
Late last October, when the U.S. government warned of an imminent ransomware threat to the country’s hospitals and healthcare providers, many in the industry had a similar reaction: they paused, took a deep breath, and braced for impact.
March 9th 2021
A suspected GandCrab Ransomware member was arrested in South Korea for using phishing emails to infect victims.
S!Ri found a new ransomware that appends the .gopher extension.
March 10th 2021
The systems of SEPE, the Spanish government agency for labor, were taken down following a ransomware attack that hit more than 700 agency offices across Spain.
Michael Gillespie found new STOP Djvu ransomware variants that append the .reig and .tirp extensions to encrypted files.
3xp0rt found a post on a Russian-speaking hacker forum where threat actors announced the new DarkSide 2.0 ransomware. This version allegedly includes faster encryption and features.
March 11th 2021
The Molson Coors Beverage Company has suffered a cyberattack that is causing significant disruption to business operations.
Threat actors are now installing a new ransomware called ‘DEARCRY’ after hacking into Microsoft Exchange servers using the recently disclosed ProxyLogon vulnerabilities.
Michael Gillespie was the first to disclose that a new DearCry ransomware was targeting exchange servers.
Jakub Kroustek found new Dharma Ransomware variants that append the .biden, .eofyd, and .duk extensions.
March 12th 2021
Jakub Kroustek found new Dharma Ransomware variants that append the .LAO and .pirat extensions.
Kryptos Logic reported that there 6,970 publicly exposed web shells on Exchange servers that were being targeted by threat actors.