When Microsoft revealed earlier this month that Chinese spies had gone on a historic hacking spree, observers reasonably feared that other criminals would soon ride that group’s coattails. In fact, it didn’t take long: A new strain of ransomware called DearCry attacked Exchange servers using the same vulnerabilities as early as March 9. While DearCry was first on the scene, on closer inspection it has turned out to be a bit of an odd cybercrime duck.
It’s not that DearCry is uniquely sophisticated. In fact, compared to the slick operations that permeate the world of ransomware today, it’s practically crude. It’s bare-bones, for one, eschewing a command-and-control server and automated countdown timers in favor of direct human interaction. It lacks basic obfuscation techniques that would make it harder for network defenders to spot and preemptively block. It also encrypts certain file types that make it harder for a victim to operate their computer at all, even to pay the ransom.
“Normally a ransomware attacker would not encrypt executables or DLL files, because it further hinders the victim from using the computer, beyond not being able to access the data,” says Mark Loman, director of engineering for next-gen technologies at security company Sophos. “The attacker might want to allow the victim to use the computer to transfer the bitcoins.”
One other wrinkle: DearCry shares certain attributes with WannaCry, the notorious ransomware worm that spread out of control in 2017 until security researcher Marcus Hutchins discovered a “kill switch” that neutered it in an instant. There’s the name, for one. While not a worm, DearCry does share certain behavioral aspects with WannaCry. Both make a copy of a targeted file before overwriting it with gibberish. And the header that DearCry adds to compromised files mirrors that of WannaCry in certain ways.
The parallels are there, but likely not worth reading very much into. “It’s not at all uncommon for ransomware devs to use snippets of other, more famous ransomware in their own code,” says Brett Callow, threat analyst at antivirus company Emsisoft.
What’s unusual, Callow says, is that DearCry seems to have gotten off to a quick start before fizzling out, and that the bigger players in the ransomware space have seemingly not yet jumped on the Exchange server vulnerabilities themselves.
There’s certainly a disconnect at play. The hackers behind DearCry made remarkably quick work at reverse engineering the China hack exploit, but they seem not particularly adept at making ransomware. The explanation may simply be a matter of applicable skill sets. “The development and weaponization of exploits is a very different craft than malware development,” says Jeremy Kennelly, senior manager of analysis at Mandiant Threat Intelligence. “It may simply be that the actors who have very quickly weaponized that exploit are simply not plugged into the cybercrime ecosystem in the same way some others are. They may not have access to any of these big affiliate programs, these more robust ransomware families.”
Think of it as the difference between a grill master and a pastry chef. Both make their living in the kitchen, but they have appreciably different skills. If you’re used to steak but desperately need to make a petit four, chances are you’ll come up with something edible but not very elegant.
When it comes to DearCry’s deficiencies, Loman says, “It makes us believe that this threat is actually created by a beginner or this is a prototype of a new ransomware strain.”
Which doesn’t mean it’s not dangerous. “The encryption algorithm does seem to be sound, it does seem to function,” says Kennelly, who has examined the malware’s code but has not dealt directly with an infection. “That's really all it needs to do.”
And DearCry’s deficiencies, such as they are, would be relatively easy to fix. “Ransomware usually evolves over time,” says Callow. “If there are problems in the coding, they gradually fix it. Or sometimes quickly fix it.”
If nothing else, DearCry serves as a harbinger of the risks to come. Security firm Kryptos Logic found 22,731 web shells in a recent scan of Microsoft Exchange servers, each of which represents an opportunity for hackers to drop their own malware. DearCry may have been the first ransomware to leverage China’s big hack, but it almost certainly won’t be the worst.