DearCry is a ransomware family that takes advantage of four Microsoft Exchange Server vulnerabilities disclosed in March 2021 (the set commonly referred to as ProxyLogon). Once it is running on a machine, it encrypts the files stored there so they cannot be read without the corresponding decryption key, which only the attackers hold.
In March 2021, Microsoft released patches for these four critical vulnerabilities, which were already being exploited in a variety of attack campaigns. DearCry is the ransomware that attackers deployed on Exchange servers compromised through these flaws: an unpatched, Internet-facing server is the way in, and the ransomware payload follows.
The malware enumerates drives to identify all storage media accessible from the infected machine. On each drive, DearCry encrypts files of certain types (selected by file extension) using a hybrid scheme: the file contents are encrypted with AES, and the AES key is in turn protected with a 2048-bit RSA public key, so only the holder of the attackers' private key can recover it. Once encryption is complete, DearCry leaves a ransom note instructing the victim to email the operators to learn how to get their files back.
By the time the ransom note appears, the damage has already been done. The best way to respond to DearCry, or to any ransomware, is to detect and block it before data encryption begins.
Deploying anti-ransomware protections is the most effective way to do this. Tools like Check Point's Threat Emulation use behavioral analytics to identify the warning signs of a ransomware attack, so the threat can be remediated before files are lost. Because every file-encrypting ransomware has to perform the same kinds of actions (opening many files in quick succession, writing encrypted output, removing the originals, dropping a note), this approach applies to ransomware in general, including variants that have not been seen before.
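The following is an added illustration of that behavioral idea, not Check Point's Threat Emulation logic or any DearCry code: a small triage routine that groups file-system events by process and fires on three things the description above says the malware must do (a burst of high-entropy writes, an encrypted copy written beside an original that is then deleted, and the same note file dropped into many folders). The event format, the process names, the `.locked` suffix and the thresholds are all assumptions made up for the example; the telemetry is constructed inline so it runs offline.

```python
"""Behavioural ransomware triage over a stream of file-system events.

Added example (not vendor code): heuristics keyed to what any file-encrypting
ransomware has to do, applied to a constructed event log, not real telemetry.
"""
import math
from collections import Counter, defaultdict

HIGH_ENTROPY = 7.0      # bits per byte; encrypted output sits close to 8.0
WINDOW_SECONDS = 30.0   # burst window for per-process counting (assumed value)
BURST_THRESHOLD = 10    # suspicious operations in one window before alerting (assumed)
NOTE_DIR_THRESHOLD = 4  # same filename dropped into this many folders (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Office documents score roughly 4-6, ciphertext ~8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _max_in_window(times, window):
    """Largest number of sorted timestamps that fall inside any `window` seconds."""
    best, j = 0, 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def analyze(events):
    """Group events by pid and return {pid: [reason, ...]} for suspicious processes.

    Each event is a dict: t (seconds), pid, image, op ('create'|'write'|'delete'),
    path (Windows style), entropy (bits/byte of the data written, 0 for deletes).
    """
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)

    findings = {}
    for pid, evs in by_pid.items():
        evs.sort(key=lambda e: e["t"])
        reasons = []

        # 1. Burst of high-entropy writes: encryption produces output that no
        #    ordinary document editor does, many times in a short period.
        hot = [e["t"] for e in evs if e["op"] == "write" and e["entropy"] >= HIGH_ENTROPY]
        burst = _max_in_window(hot, WINDOW_SECONDS)
        if burst >= BURST_THRESHOLD:
            reasons.append(f"{burst} high-entropy writes within {WINDOW_SECONDS:.0f}s")

        # 2. Copy-then-delete: a sibling named <original>.<suffix> is written and
        #    the original is removed afterwards.
        written = {e["path"] for e in evs if e["op"] in ("create", "write")}
        deleted = [e["path"] for e in evs if e["op"] == "delete"]
        replaced = [p for p in deleted if any(w.startswith(p + ".") for w in written)]
        if len(replaced) >= BURST_THRESHOLD:
            reasons.append(f"{len(replaced)} originals deleted after a renamed copy was written")

        # 3. The same small text file dropped into many directories: ransom-note pattern.
        dirs_by_name = defaultdict(set)
        for e in evs:
            if e["op"] in ("create", "write"):
                folder, _, name = e["path"].rpartition("\\")
                dirs_by_name[name.lower()].add(folder)
        for name, folders in dirs_by_name.items():
            if name.endswith(".txt") and len(folders) >= NOTE_DIR_THRESHOLD:
                reasons.append(f"'{name}' written to {len(folders)} folders (ransom-note pattern)")

        if reasons:
            findings[pid] = reasons
    return findings


def sample_events():
    """Constructed telemetry: one normal editor and one process behaving like ransomware."""
    evs = [{"t": 0.0, "pid": 1001, "image": "winword.exe", "op": "write",
            "path": r"C:\Users\alice\Documents\notes.docx", "entropy": 5.1}]
    folders = [rf"C:\Users\alice\Documents\proj{i}" for i in range(4)]
    for i in range(12):
        original = rf"{folders[i % 4]}\report{i}.docx"
        # '.locked' is only this sample's suffix, not a real indicator
        evs.append({"t": 10.0 + i, "pid": 4242, "image": "unknown.exe", "op": "write",
                    "path": original + ".locked", "entropy": 7.95})
        evs.append({"t": 10.5 + i, "pid": 4242, "image": "unknown.exe", "op": "delete",
                    "path": original, "entropy": 0.0})
    for f in folders:
        evs.append({"t": 25.0, "pid": 4242, "image": "unknown.exe", "op": "write",
                    "path": rf"{f}\readme.txt", "entropy": 4.4})
    return evs


if __name__ == "__main__":
    for pid, reasons in analyze(sample_events()).items():
        print(pid, *reasons, sep="\n  ")
```

Run stand-alone, the script reports only pid 4242, with all three reasons; the Word process that wrote one moderate-entropy document is not flagged. In a real deployment the interesting engineering is in the thresholds and in acting on the first rule before the second and third have had time to accumulate, since by the time originals are being deleted across many folders the encryption is already under way.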
However, protections targeted toward a specific type of ransomware can help to improve the speed and effectiveness of an organization’s response. Besides the generic Threat Emulation protection for ransomware (which successfully blocks DearCry), Check Point has released two dedicated protections for the following products:
These dedicated detection tools make it quicker and easier to detect and eradicate a potential DearCry infection on an organization’s systems.
Against an active DearCry attack, targeted protections (like the ones deployed in Threat Emulation and Harmony Endpoint) give the fastest and most precise response. The more general, behavior-based ransomware protections also catch this threat, and they remain essential for identifying and blocking ransomware that no signature yet describes.
However, organizations should implement defense-in-depth to minimize the potential cost and impact of ransomware attacks. Some best practices for ransomware prevention include:
The ransomware threat landscape is constantly evolving. DearCry is one of the newest iterations of a threat that has existed for years, and it rides on recently discovered vulnerabilities in a widely used product. Organizations need anti-ransomware solutions that keep pace with the latest variants, alongside the basics that would have kept this one out, first among them patching Internet-facing Exchange servers promptly.
Ransomware executes on the endpoint (a server such as Exchange is an endpoint in this sense), so the endpoint should be the focus of any anti-ransomware strategy. Check Point's Harmony Endpoint is a complete endpoint security solution that offers comprehensive protection against ransomware, including both general behavior-based detection and protections targeted to specific variants.
Its threat hunting support – mapped to the MITRE ATT&CK framework – also enables an organization’s security team to proactively search for and investigate potential threats and incursions within its network. To learn more about threat hunting with Harmony Endpoint, check out this walkthrough.
Harmony Endpoint provides comprehensive protection against threats like the DearCry ransomware. To learn more about its capabilities, check out this product tour. You’re also welcome to request a personalized demo to see the power of Harmony Endpoint for yourself.