The ‘DearCry’ Ransomware Is a Hastily Built Copy of ‘WannaCry’

  • Researchers at Sophos find that ‘DearCry’ is probably just a hasty copy of ‘WannaCry.’
  • The ransomware doesn’t use much sophistication, but it remains a serious threat for unpatched systems.
  • Microsoft has released a one-click automatic mitigation tool that could help against ‘DearCry.’

The ‘DearCry’ ransomware that was built specifically to exploit vulnerable Microsoft Exchange servers appears to be the work of an unsophisticated author who just copied stuff from the various WannaCry samples that fly around on the net. It doesn’t feature any hiding capabilities, doesn’t use signed binaries to evade AV detection, is packed with no obfuscation at all, and uses the same encryption headers as WannaCry. All in all, it appears to be a hasty work of a beginner, created to compromise as many Exchange servers as possible before admins have the chance to patch them.

That is according to the analysis of researchers at Sophos, who dived deeper into two samples of ‘DearCry’ found circulating in the wild only last week. Their report explains that detecting and stopping DearCry should be straightforward for most network defense solutions, yet this is not always the case. If the ransomware is allowed to encrypt files, it will do the job by using the AES-256 symmetric encryption algorithm that is embedded in the malware through an OpenSSL library.

Source: Sophos

Unfortunately, the private key is retained by the attacker, and it’s not embedded in the code, so the threat remains serious, and an infection wouldn’t be easy to deal with. The two samples analyzed were similar but still featured some minor differences in the filetypes that are targeted. Considering that even web shell-related files are targeted, the attackers appear to be more interested in destruction rather than persistent presence on the compromised machines.

Source: Sophos

One key aspect of the encryption scheme, which also lets in a ray of hope for the victims, is that DearCry is actually creating copies of the files, encrypting them, and deleting the originals. Because the deletion is geared towards performance, the wiping isn’t definitive, so in some cases, the victims could restore the original and unencrypted files by using data rescue software.

Source: Sophos

In the meantime, and as Exchange patching continues to be an enormous problem, Microsoft has released a one-click on-premises mitigation tool to help admins who can’t apply security updates still secure their Exchange servers. The tool will automatically mitigate CVE-2021-26855, which is one of the vulnerabilities leveraged by DearCry, together with CVE-2021-27065. This is obviously a temporary solution until patching is possible, but it is highly recommended for those who don’t have IT teams and don’t know what to do.

NBA 2023 Live Stream: How to Watch Basketball Online from Anywhere
The wait is almost over, and basketball fans worldwide can finally look forward to the start of the 2023/24 NBA season. The...
How to Watch 2023 NHL Without Cable: Live Stream Hockey Games Online from Anywhere
The 2023/24 season of the National Hockey League is finally upon us, and fans are gearing up to watch the hard-hitting action...
NFL 2023 Live Stream: How to Watch Football Online from Anywhere
The 104th season of the National Football League is already underway, and we anticipate some thrilling action in the coming months. The...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari