Ransomware may be targeting Microsoft’s Hafnium Exchange Server vulnerabilities

Cyber Security News

Microsoft flagship store in London. The company confirmed a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. (Microsoft)

Microsoft confirmed “a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers,” via its Security Intelligence Twitter account.

The ransomware, called DoejoCrypt or DearCry, appears to be the latest threat associated with not patching the Hafnium Exchange Server vulnerabilities Microsoft first announced last week.

DoejoCrypt was first noticed on Thursday by researcher Michael Gillespie as attacking Exchange Server, with the connection to the Hafnium vulnerabilities quickly speculated.

Microsoft announced that a state-sponsored actor located in China breached on-premises Exchange Servers on Tuesday, March 2, the same day it issued a patch. The company named that hacker group Hafnium. Since then the number of clusters of distinct hacker activity researchers identified as taking advantage of those Exchange Server vulnerabilities has rapidly expanded. At least 30,000 servers have been breached.

The security vendor ESET announced earlier this week that it saw 10 clusters of activity, many of which it traced back to distinct advanced persistent threats believed to be Chinese state-sponsored groups. Only one of the 10 clusters appeared to be criminally motivated, rather than motivated by espionage. That cluster was installing cryptominer malware.

Microsoft says Microsoft Defender will protect against DoejoCrypt, and customers receiving automatic updates will already be protected.

Since first announcing the patch to the Hafnium vulnerabilities, Microsoft has emphasized the critical need to install the update it.