Threat actors are now installing a new ransomware called ‘DEARCRY’ on Microsoft Exchange servers that they have compromised through the recently disclosed ProxyLogon vulnerabilities. Microsoft has confirmed that DearCry is deployed in human-operated attacks, meaning an operator first breaches the Exchange server via ProxyLogon and then launches the ransomware by hand, rather than the ransomware spreading on its own.
At launch, the DearCry ransomware will attempt to shut down a Windows service named ‘msupdate.’ It is not known what this service is, but it does not appear to be a legitimate Windows service.
The ransomware then begins encrypting files on the computer. When it encrypts a file, it appends the .CRYPT extension to the file’s name.
After the encryption is done, the ransomware will create a simple ransom note named ‘readme.txt’ on the Windows desktop.
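The three observables the article reports (a service named ‘msupdate’, files carrying the .CRYPT extension, and a readme.txt ransom note on the desktop) are enough for a quick host triage. The script below is an added example, not code from the original article or from Microsoft: it walks a directory tree and a list of service names and flags each indicator. The file tree and the service list it runs against are constructed inline so it works offline on any OS; on a live Windows host you would point it at the real profile directories and feed it the output of a service enumeration such as `Get-Service`.

```python
"""Host triage for the DearCry indicators described above (added example).

Matches three observables named in the article: a Windows service called
'msupdate', files ending in .CRYPT, and a ransom note named readme.txt sitting
directly in a user's Desktop folder. Sample data is constructed here so the
script runs offline; it is not real malware output.
"""
import os
import tempfile
from dataclasses import dataclass, field
from typing import Iterable, List

ENCRYPTED_EXT = ".crypt"      # DearCry appends .CRYPT to encrypted files
RANSOM_NOTE = "readme.txt"    # ransom note dropped on the desktop
SUSPECT_SERVICE = "msupdate"  # service the ransomware tries to stop at launch


@dataclass
class TriageResult:
    encrypted_files: List[str] = field(default_factory=list)
    ransom_notes: List[str] = field(default_factory=list)
    suspect_services: List[str] = field(default_factory=list)

    def suspicious(self) -> bool:
        return bool(self.encrypted_files or self.ransom_notes or self.suspect_services)


def scan_tree(root: str, services: Iterable[str]) -> TriageResult:
    """Walk `root` and match each observable. `services` is any iterable of
    service names (e.g. the Name column from Get-Service on Windows)."""
    result = TriageResult()
    result.suspect_services = [s for s in services if s.lower() == SUSPECT_SERVICE]
    for dirpath, _dirs, files in os.walk(root):
        in_desktop = os.path.basename(dirpath).lower() == "desktop"
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(path)
            # readme.txt is a common benign filename, so only flag it when it
            # sits directly in a Desktop folder, where the article says it lands
            elif in_desktop and name.lower() == RANSOM_NOTE:
                result.ransom_notes.append(path)
    return result


def build_sample_tree() -> str:
    """Constructed sample data: a minimal profile tree with one encrypted file,
    one ransom note on the desktop, and an unrelated benign readme.txt."""
    root = tempfile.mkdtemp(prefix="dearcry-triage-")
    desktop = os.path.join(root, "Users", "alice", "Desktop")
    docs = os.path.join(root, "Users", "alice", "Documents")
    proj = os.path.join(root, "Users", "alice", "project")
    for d in (desktop, docs, proj):
        os.makedirs(d)
    open(os.path.join(docs, "budget.xlsx.CRYPT"), "wb").close()
    open(os.path.join(docs, "notes.txt"), "wb").close()
    with open(os.path.join(desktop, "readme.txt"), "w") as f:
        f.write("ransom note placeholder (constructed)\n")
    with open(os.path.join(proj, "readme.txt"), "w") as f:
        f.write("benign project readme, must not be flagged (constructed)\n")
    return root


# Constructed service list; 'msupdate' is the name the article reports.
SAMPLE_SERVICES = ["WinDefend", "MSExchangeIS", "msupdate", "W32Time"]

if __name__ == "__main__":
    r = scan_tree(build_sample_tree(), SAMPLE_SERVICES)
    print("suspicious:", r.suspicious())
    print("  encrypted files:", r.encrypted_files)
    print("  ransom notes:   ", r.ransom_notes)
    print("  services:       ", r.suspect_services)
```

The Desktop restriction on readme.txt is deliberate: on its own that filename is noise, and pairing it with the .CRYPT count and the service name is what makes the result actionable rather than a stream of false positives.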