Threat Advisory: Hard to detect DearCry Ransomware exploits MS Exchange SSRF CVE-2021-26855

It has been just over a week since the public disclosure of the Exchange SSRF (CVE-2021-26855), and malware authors have already declared hunting season on OWA installations worldwide. On March 11th, Microsoft announced that the MS Exchange-related attacks have evolved beyond stealing email data to deploying ransomware. However, these DearCry payloads had already been circulating for a few days before that announcement, and they are highly evasive.

Threat Dynamics 

The biggest concern at this point in time remains the ease with which the vulnerability can be exploited. A perfect example of this is the DearCry malware family. 

A closer look reveals that this sample lacks the sophistication associated with other ransomware families and is most likely the work of a new gang or individual. The combination of the vulnerability and the malware is a potent one, especially considering how evasive the malware was when it first appeared in public threat feeds.

Creation of msupdate windows service
File extensions of interest
Encryption of files ending with select file extensions

During file encryption, the data starts with the header “DEARCRY!” 

File Encryption Header
RSA Public Key used for encryption
Ransom Note: readme.txt
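As an added triage example (not part of this advisory or of Blue Hexagon's tooling), the following Python script walks a directory tree and identifies encrypted files by the “DEARCRY!” header described above rather than by file name or extension, and separately flags readme.txt ransom notes; the sample tree it builds is constructed data, not real ransomware output.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, List

# Marker the advisory reports at the start of every DearCry-encrypted file.
DEARCRY_HEADER = b"DEARCRY!"
# Ransom note file name named in the advisory.
RANSOM_NOTE_NAME = "readme.txt"


def is_dearcry_encrypted(path: Path) -> bool:
    """True if the file begins with the DEARCRY! header, whatever its extension."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(DEARCRY_HEADER)) == DEARCRY_HEADER
    except OSError:
        # Locked or unreadable files are skipped rather than reported as hits.
        return False


def scan_for_dearcry(root: Path) -> Dict[str, List[str]]:
    """Walk a tree; return {'encrypted': [...], 'ransom_notes': [...]} relative to root."""
    hits: Dict[str, List[str]] = {"encrypted": [], "ransom_notes": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name.lower() == RANSOM_NOTE_NAME:
                hits["ransom_notes"].append(rel)
            elif is_dearcry_encrypted(path):
                hits["encrypted"].append(rel)
    for key in hits:
        hits[key].sort()
    return hits


def build_sample_tree() -> Path:
    """Constructed sample files (names and bytes are made up) for a stand-alone run."""
    root = Path(tempfile.mkdtemp(prefix="dearcry_triage_"))
    (root / "docs").mkdir()
    # Encrypted in place: header followed by constructed opaque bytes.
    (root / "docs" / "budget.xlsx").write_bytes(DEARCRY_HEADER + b"\x00" * 32)
    # Unremarkable name, still caught because the check is on content.
    (root / "docs" / "notes.dat").write_bytes(DEARCRY_HEADER + b"\x11" * 16)
    (root / "docs" / "plan.txt").write_bytes(b"quarterly plan\n")   # untouched file
    (root / "readme.txt").write_text("constructed ransom note text\n")
    return root


if __name__ == "__main__":
    for kind, paths in scan_for_dearcry(build_sample_tree()).items():
        print(f"{kind}: {paths}")
```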

Blue Hexagon Deep Learning Ransomware Detection

Blue Hexagon proactively detected this threat family and its various components with deep learning threat detection models that were created months before the threat was named DearCry in the wild. Based on our telemetry data, the bulk of the attacks piggybacking on the Exchange exploit peaked in the past 72 hours. Coverage of the vulnerability itself is still lacking among major AV vendors; the bigger concern is that coverage of the DearCry ransomware being delivered through it is even worse.

Figure 1: Timeline of the outbreak for DearCry “sample” (x-axis) and number of detections on the first analysis (y-axis)

With each sample release of DearCry, the detection coverage on VirusTotal showed that only 3-4% of vendor solutions detected the threat. What was more striking was that, even as each new sample came out, the detection coverage did not improve. Even as the original sample was getting publicity, that knowledge did not improve the initial detection of the samples discovered later in the day.

While the timeline and initial detection are interesting, another dimension of the threat dynamics is how the detections change over time and whether the trends are the same for different samples. This is shown in Figure 2.

Figure 2: Threat Detection Profile of first and fourth DearCry samples

Figure 2 plots the Threat Detection Profile (TDP) of the first and fourth samples of DearCry, which were introduced several hours apart. The graph plots the detection rates from March 12-15th, 2021. Several interesting observations can be made from this graph:

  • Though the samples were introduced several hours apart, they both start with the same low TDP of ~50% or less, and coverage even drops at one point as signature-based detections adjust to FP rates.
  • As time progresses, the fourth sample continues to have a low detection rate even as the detection rate of the first sample increases over time as more signatures are added to vendor solutions. Clearly, one DearCry sample has proven more successful at evading detection.
  • TDP only reaches a majority consensus multiple days after the onset of the original threat.

Why Deep Learning Matters

Blue Hexagon proactively detected these samples even with models that were created months before the threat was named DearCry in the wild. This is because deep learning models uncover patterns of malicious intent expressed in malicious code and are an order of magnitude better at detecting new malware than relying on signatures, YARA rules, ssdeep, or other pattern matching techniques.

Indicators of Compromise:



Additional Resources:

You may also like to read related threat advisories and research on this subject:

Threat Advisory: Microsoft Exchange Server including CVE-2021-24085, 26855, 26857, 26858, and 27065

Threat Advisory: New PoC exploit for Exchange SSRF CVE-2021-26855

Ransomware Families and Variants are in Abundance