This article is a press release and is published without editorial changes.

Following the discovery of the Microsoft Exchange vulnerabilities and the release of security patches on 2 March, security experts began to identify further adversaries besides Hafnium exploiting these flaws to launch attacks.

One of them is the DearCry ransomware. Sophos today published an analysis of DearCry ransomware samples; in the article "DearCry attacks exploit Exchange server vulnerabilities" it reveals, among other things, new and interesting facts about how this ransomware behaves when encrypting. The key findings are also summarised in the following comment by Mark Loman, ransomware expert and head of the engineering technology division at Sophos.

We reproduce it in English.

„Our analysis of DearCry ransomware samples has uncovered a rare encryption attack behavior: a ‘hybrid’ approach. The only other ransomware I’ve investigated over the years that employed a hybrid approach was WannaCry, and this was auto spreading rather than human operated like DearCry. Both first create an encrypted copy of the attacked file, an approach we call ‘copy’ encryption, and then overwrite the original file to prevent recovery, what we call ‘in-place’ encryption. ‘Copy’ ransomware allows victims to potentially recover some data. However, with ‘in-place’ encryption, recovery via undelete tools is impossible. Notorious human-operated ransomware like Ryuk, REvil, BitPaymer, Maze and Clop, use ‘in-place’ encryption only.

There are a number of other similarities between DearCry and WannaCry, including the names and the header added to encrypted files. These do not automatically link DearCry to WannaCry’s creator. DearCry’s code, approach and abilities differ significantly from WannaCry; it does not use a command-and-control server, has an embedded RSA encryption key, shows no user interface with a timer and – most importantly – does not spread itself to other machines on the network.

We found a number of other unusual DearCry characteristics, including the fact that the ransomware actor has been creating new binaries for new victims. The list of file types targeted has evolved from victim to victim too. Our analysis further shows that the code does not come with the kind of anti-detection features you would normally expect with ransomware, like packing or obfuscation. These and other signs suggest that DearCry may be a prototype, possibly rushed into use to seize the opportunity presented by the Microsoft Exchange Server vulnerabilities, or created by less experienced developers.

Defenders should take urgent steps to install Microsoft’s patches to prevent exploitation of their Exchange Server. If this is not possible, the server should be disconnected from the internet or closely monitored by a threat response team.”
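The distinction between ‘copy’, ‘in-place’ and ‘hybrid’ encryption in the comment above comes down to what happens to the original file's blocks on disk. The following toy block-device model is an added illustration, not code from Sophos, from the DearCry samples or from the original article: it shows why a carving/undelete tool can still find plaintext after ‘copy’ encryption (the deleted original's blocks are merely freed, not wiped) but not after ‘in-place’ or ‘hybrid’ encryption (the original's blocks are overwritten). The file name, sample content, key and the SHA-256-based XOR stream cipher are all constructed stand-ins, and what a real sample writes over the original is not stated in the text; ciphertext is used here as an assumption.

```python
import hashlib

BLOCK_SIZE = 16          # bytes per block on the toy device
KEY = b"demo-key"        # constructed key for the simulation, not a sample's key
SAMPLE = b"CONFIDENTIAL: payroll Q1 2021, do not distribute"   # constructed file
MARKER = b"CONFIDENTIAL"  # what a carving tool would search the raw blocks for


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic keystream (SHA-256 in counter mode); stands in for the real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """XOR stream cipher; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


class ToyDisk:
    """Minimal block device: a file is a list of block indices plus a length.
    unlink() frees blocks without zeroing them, as real filesystems do."""

    def __init__(self, n_blocks: int = 64):
        self.blocks = [bytes(BLOCK_SIZE)] * n_blocks
        self.free = list(range(n_blocks))
        self.files = {}   # name -> (block indices, byte length)

    def write(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)] or [b""]
        idx = [self.free.pop(0) for _ in chunks]          # first-fit from the free list
        for i, chunk in zip(idx, chunks):
            self.blocks[i] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.files[name] = (idx, len(data))

    def read(self, name: str) -> bytes:
        idx, length = self.files[name]
        return b"".join(self.blocks[i] for i in idx)[:length]

    def overwrite(self, name: str, data: bytes) -> None:
        """Rewrite the file's existing blocks in place (same length)."""
        idx, length = self.files[name]
        assert len(data) == length
        for n, i in enumerate(idx):
            self.blocks[i] = data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")

    def unlink(self, name: str) -> None:
        idx, _ = self.files.pop(name)
        self.free.extend(idx)        # the data stays in the blocks until they are reused

    def carve(self, marker: bytes) -> bool:
        """Undelete/carving view: scan every block, allocated or free, for plaintext."""
        return any(marker in block for block in self.blocks)


def copy_encrypt(disk: ToyDisk, name: str) -> None:
    """'Copy' encryption: write an encrypted copy to new blocks, then delete the original."""
    disk.write(name + ".CRYPT", xor_crypt(disk.read(name), KEY))
    disk.unlink(name)


def inplace_encrypt(disk: ToyDisk, name: str) -> None:
    """'In-place' encryption: clobber the original's own blocks with ciphertext."""
    disk.overwrite(name, xor_crypt(disk.read(name), KEY))


def hybrid_encrypt(disk: ToyDisk, name: str) -> None:
    """'Hybrid' (the DearCry/WannaCry behaviour described in the comment): encrypted
    copy first, then overwrite the original so its plaintext blocks are gone, then unlink."""
    plaintext = disk.read(name)
    disk.write(name + ".CRYPT", xor_crypt(plaintext, KEY))
    disk.overwrite(name, xor_crypt(plaintext, KEY))   # assumption: overwritten with ciphertext
    disk.unlink(name)


def run_all() -> dict:
    """For each mode: can a carving tool still find the plaintext afterwards?"""
    results = {}
    for label, fn in (("copy", copy_encrypt), ("in-place", inplace_encrypt), ("hybrid", hybrid_encrypt)):
        disk = ToyDisk()
        disk.write("payroll.xlsx", SAMPLE)
        fn(disk, "payroll.xlsx")
        results[label] = disk.carve(MARKER)
    return results


def copy_is_decryptable(fn) -> bool:
    """The .CRYPT copy left by a copy/hybrid run still decrypts for the key holder."""
    disk = ToyDisk()
    disk.write("payroll.xlsx", SAMPLE)
    fn(disk, "payroll.xlsx")
    return xor_crypt(disk.read("payroll.xlsx.CRYPT"), KEY) == SAMPLE


if __name__ == "__main__":
    print(run_all())   # {'copy': True, 'in-place': False, 'hybrid': False}
```

The practical consequence for responders is the one the comment draws: after a pure ‘copy’ run, imaging the disk before anything else is written and carving the free space is worth attempting; after ‘in-place’ or ‘hybrid’ encryption the original blocks hold ciphertext, so recovery depends on backups, volume shadow copies or the key, not on undelete tools.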

More information about the analyses by Sophos security experts, not only on the DearCry ransomware, can also be found on SophosLabs Uncut or on the continuously updated pages:
Protecting Against Hafnium
Hafnium: Advise about the new nation-state attack
Serious Security: Webshells explained
How Ransomware Attacks
