Unusual DearCry ransomware uses ‘rare’ approach to encryption

by Joseph K. Clark

Analysis of the emerging DearCry ransomware, which has so far infected a limited number of organizations exposed through the ProxyLogon Microsoft Exchange Server vulnerabilities, has uncovered a rare encryption attack behavior seen before in WannaCry, according to researchers at Sophos. Mark Loman, director of Sophos’ engineering technology office, examined DearCry samples obtained in a thwarted cyberattack on one of the firm’s clients and found it was relatively unsophisticated and does little to obfuscate its presence, so it was likely created by someone new to the game.

However, said Loman, his analysis had also uncovered a rare “hybrid” approach to encryption, which he said he had only seen before with WannaCry. “Both first create an encrypted copy of the attached file, an approach we call ‘copy’ encryption, and then overwrite the original file to prevent recovery, what we call ‘in-place encryption,” said Loman. “Copy ransomware allows victims to potentially recover some data. However, with ‘in-place encryption, recovery via undelete tools is impossible. Notorious human-operated ransomware like Ryuk, REvil, BitPaymer, Maze, and Cl0p use ‘in-place encryption only.”


The similarities between DearCry and WannaCry do not end there, he said – the names and header added to encrypted files also bear much in common. However, this is not conclusive enough evidence to link DearCry to WannaCry’s creator, cautioned Loman, and some of DearCry’s code, approach, and abilities are materially different. For example, it does not use a command-and-control (C2) server, has an embedded RSA encryption key, shows no user interface with a timer, and significantly and thankfully, does not spread itself to other machines on the target network.

“We found several other unusual DearCry characteristics, including the fact that the ransomware actor has been creating new binaries for new victims. The list of file types targeted has evolved from victim-to-victim too,” said Loman. “Our analysis further shows that the code does not come with the kind of anti-detection features you would normally expect with ransomware, like packing or obfuscation. These and other signs suggest that DearCry may be a prototype, possibly rushed into use to seize the opportunity presented by the Microsoft Exchange Server vulnerabilities, or created by less experienced developers.”

Loman added that defenders should take urgent steps to install Microsoft’s patches to prevent exploiting their on-premise Exchange Servers. If this is not possible, disconnect them from the internet entirely or watch them like a hawk. More information on the DearCry samples analyzed by Sophos can be found here. To date, only a few organizations are known to have been hit with DearCry, which was first reported on Tuesday 9 March, before being confirmed by Microsoft later in the week. It was spotted at first by ID Ransomware creator Michael Gillespie, who found it being submitted from Exchange servers into the ID Ransomware system. As of Thursday 11 March, there were six unique attacks attributable to DearCry reported to ID Ransomware from Australia, Canada, and the US. There may also be victims in Austria and Denmark.

Related Posts