DearCry Ransomware

DearCry is a ransomware variant that appeared in March 2021 and was deployed against Microsoft Exchange servers that attackers had already compromised through four then recently disclosed Exchange vulnerabilities. Once it is running on a machine, it encrypts the files stored there, leaving them unreadable without the corresponding decryption key, which only the attackers hold.


How Does DearCry Ransomware Work?

In March 2021, Microsoft released out-of-band patches for four critical vulnerabilities in on-premises Microsoft Exchange Server. The vulnerabilities were already being exploited in the wild by a range of attack campaigns, and DearCry was among the payloads dropped on Exchange servers that had been compromised through them before the patches were applied.

The malware enumerates drives to find every storage volume reachable from the infected machine. On each drive it encrypts files selected by extension, using a hybrid scheme: file contents are encrypted with AES, and the AES keys are in turn encrypted with an RSA-2048 public key embedded in the malware. Only the holder of the matching private key, the attackers, can recover the AES keys, which is why the victim cannot decrypt the files locally. Once encryption is complete, DearCry drops a ransom note instructing the victim to email the operators for instructions on decrypting the machine.

How To Protect Against DearCry Ransomware

By the time the DearCry ransom note appears, the damage has already been done. The best way to deal with DearCry, or any ransomware, is to detect and block it before file encryption begins.

Deploying anti-ransomware protections is the most effective way to accomplish this. Tools like Check Point’s Threat Emulation use behavioral analysis to identify the warning signs of a ransomware attack so that the threat can be remediated before damage is done. Every ransomware family has to perform the same observable actions to achieve its goal, such as enumerating storage and rewriting large numbers of files with encrypted content, so behavioral detection also applies to variants that have not been seen before.

However, protections targeted at a specific ransomware family can improve the speed and effectiveness of an organization’s response. Besides the generic Threat Emulation protection for ransomware (which blocks DearCry), Check Point has released two dedicated protections for the following products:

These dedicated detections make it quicker and easier to identify and eradicate a DearCry infection on an organization’s systems.
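The encryption behavior described under “How Does DearCry Ransomware Work?” and the behavioral detection approach described above can be made concrete with a small detector. The following is an added example written for this page; it is not Check Point’s engine and contains no DearCry code. It replays constructed file-system telemetry (the process IDs, paths, event format and every threshold are assumptions) and flags a process that rewrites many files with encrypted-looking, high-entropy content across more than one drive and then drops a ransom-note-like file.

```python
"""Behavioral ransomware triage over a constructed file-event stream.

Added example for this page: not Check Point product code, nothing from DearCry.
It models the actions the text describes (bulk rewrite of files with encrypted
content across drives, then a ransom note). Event format, process IDs, paths
and thresholds are all assumptions chosen for illustration.
"""
from __future__ import annotations

import math
import os
import random
from collections import deque
from dataclasses import dataclass, field


@dataclass
class FileEvent:
    ts: float      # seconds since monitoring started
    pid: int       # process that performed the action
    action: str    # "write" or "create"
    path: str      # Windows-style path, as an Exchange host would log it
    data: bytes    # bytes written (empty for a pure create)


@dataclass
class Verdict:
    pid: int
    burst: int = 0                      # most high-entropy writes in one window
    drives: set[str] = field(default_factory=set)
    note_dropped: bool = False
    ransomware_like: bool = False
    reasons: list[str] = field(default_factory=list)


NOTE_MARKERS = ("readme", "decrypt", "recover", "restore", "how_to")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, natural-language text near 4-5."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def drive_of(path: str) -> str:
    """'C:' for a drive-letter path, otherwise the first path component."""
    if len(path) > 1 and path[1] == ":":
        return path[0].upper() + ":"
    parts = [p for p in path.replace("\\", "/").split("/") if p]
    return "/" + parts[0] if parts else "/"


def is_note_like(path: str) -> bool:
    """Crude ransom-note heuristic; only meaningful alongside other signals."""
    name = os.path.basename(path.replace("\\", "/")).lower()
    return name.endswith(".txt") and any(m in name for m in NOTE_MARKERS)


def analyze(events, window=60.0, min_entropy=7.0, min_burst=20):
    """Return {pid: Verdict}. Core signal: a burst of high-entropy writes inside
    `window` seconds. A dropped note or writes spanning two or more drives
    corroborate it and halve the burst threshold (weak indicators combine)."""
    by_pid: dict[int, list[FileEvent]] = {}
    for ev in events:
        by_pid.setdefault(ev.pid, []).append(ev)
    verdicts: dict[int, Verdict] = {}
    for pid, evs in by_pid.items():
        v = Verdict(pid=pid)
        hot: deque[float] = deque()          # timestamps of high-entropy writes
        for ev in sorted(evs, key=lambda e: e.ts):
            if ev.action == "create" and is_note_like(ev.path):
                v.note_dropped = True
            if ev.data and shannon_entropy(ev.data) >= min_entropy:
                hot.append(ev.ts)
                while ev.ts - hot[0] > window:   # slide the window forward
                    hot.popleft()
                v.burst = max(v.burst, len(hot))
                v.drives.add(drive_of(ev.path))
        corroboration = []
        if v.note_dropped:
            corroboration.append("ransom-note-like file created")
        if len(v.drives) >= 2:
            corroboration.append(f"high-entropy writes on {len(v.drives)} drives")
        threshold = min_burst // 2 if corroboration else min_burst
        if v.burst >= threshold:
            v.ransomware_like = True
            v.reasons = [f"{v.burst} high-entropy writes within {window:.0f}s"] + corroboration
        verdicts[pid] = v
    return verdicts


def sample_events() -> list[FileEvent]:
    """Constructed telemetry: a benign editor (pid 1001) and a process behaving
    as the page describes DearCry (pid 4242). Paths and PIDs are made up."""
    rng = random.Random(2021)                      # deterministic "ciphertext"
    events = []
    for i in range(5):                             # user saving text documents
        events.append(FileEvent(i * 120.0, 1001, "write",
                                f"C:\\Users\\alice\\Documents\\notes{i}.txt",
                                b"Meeting notes: follow up on the quarterly review. " * 20))
    for i in range(12):                            # bulk rewrite on C: and D: in 30 s
        drive = "C:" if i % 2 == 0 else "D:"
        events.append(FileEvent(600.0 + i * 2.5, 4242, "write",
                                f"{drive}\\Shares\\finance\\ledger{i}.xlsx",
                                bytes(rng.getrandbits(8) for _ in range(4096))))
    events.append(FileEvent(631.0, 4242, "create",
                            "C:\\Users\\Public\\Desktop\\readme.txt",
                            b"Your files are encrypted. Email us for the key."))
    return events


if __name__ == "__main__":
    for pid, v in analyze(sample_events()).items():
        print(pid, "RANSOMWARE-LIKE" if v.ransomware_like else "ok", v.reasons)
```

Entropy alone is a weak indicator (compressed archives, images and backup jobs also write high-entropy data), which is why the burst threshold, the multi-drive spread and the note file are combined rather than used in isolation; a production engine adds process lineage, extension churn and canary files, acts inline rather than after the fact, and needs its thresholds tuned to the host’s normal write volume.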

Ransomware Prevention Best Practices

For protecting against DearCry, targeted protections (like the ones deployed in Threat Emulation and Harmony Endpoint) are the most effective response to an active attack. More general, behavior-based ransomware protections also detect this threat and are vital for identifying and blocking zero-day ransomware.

Organizations should also implement defense in depth to minimize the potential cost and impact of ransomware attacks. Best practices for ransomware prevention include:

  • Patch Management: DearCry was delivered through critical vulnerabilities in Microsoft Exchange servers. Keeping devices patched and up to date reduces the entry vectors available to an attacker. Patching closes the door but does not evict an attacker who already walked through it: Exchange servers that were exposed before the fix was applied should also be checked for signs of compromise, such as web shells or unexpected administrative accounts, rather than simply patched and forgotten.
  • Employee Education: Ransomware is commonly delivered via phishing and other techniques that take advantage of employees. Training employees to recognize and properly respond to these attacks can dramatically reduce an organization’s risk of ransomware and other threats.
  • Email Security: Email is a leading infection vector for all types of malware, including ransomware. An email security solution can use machine learning and sandbox emulation to identify and remove malicious content from messages before they reach the user’s inbox.
  • Secure Remote Access: The shift to remote work during the COVID-19 pandemic made exposed VPN and remote desktop protocol (RDP) services a leading initial-access vector for ransomware operators, through stolen credentials, brute-force attacks and unpatched appliances. Securing an organization’s telework infrastructure closes off this avenue.
  • Endpoint Security: Ransomware can arrive through a variety of channels. An endpoint security solution capable of detecting and blocking ransomware and other malicious content helps minimize an organization’s exposure to these threats.

Blocking Ransomware Attacks with Check Point

The ransomware threat landscape is constantly evolving. DearCry, which appeared in March 2021, is one of the newer iterations of a threat that has existed for years, and its operators used newly disclosed vulnerabilities in a widely used product to deliver it. Organizations need anti-ransomware solutions that keep up with and mitigate the latest variants.

Ransomware executes on the endpoint (in DearCry’s case, the Exchange server itself), so the endpoint should be the focus of any anti-ransomware strategy. Check Point’s Harmony Endpoint is a complete endpoint security solution that offers protection against ransomware, combining general behavior-based detection with protections targeted at specific variants.

Its threat hunting support, mapped to the MITRE ATT&CK framework, also enables an organization’s security team to proactively search for and investigate potential threats and intrusions within its network. To learn more about threat hunting with Harmony Endpoint, see the walkthrough.

Harmony Endpoint provides comprehensive protection against threats like DearCry. To learn more about its capabilities, see the product tour, or request a personalized demo to see Harmony Endpoint for yourself.
