<style>/*<link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=3589136026507255572&zx=eade4ae4-2c1e-4ba4-b308-2df48e9fbda9' media='none' onload='if(media!='all')media='all'' rel='stylesheet'/><noscript><link href='https://www.blogger.com/dyn-css/authorization.css?targetBlogID=3589136026507255572&zx=eade4ae4-2c1e-4ba4-b308-2df48e9fbda9' rel='stylesheet'/></noscript>
<meta name='google-adsense-platform-account' content='ca-host-pub-1556223355139109'/>
<meta name='google-adsense-platform-domain' content='blogspot.com'/>

<script async src="https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js?client=ca-pub-2831139136270004&host=ca-host-pub-1556223355139109" crossorigin="anonymous"></script>

<!-- data-ad-client=ca-pub-2831139136270004 -->

<link rel="stylesheet" href="https://fonts.googleapis.com/css2?display=swap&family=Roboto&family=Open+Sans&family=Consolas&family=Source+Sans+Pro&family=Raleway"></head><body>*/</style>

Dearcry ransomware Targets Microsoft Exchange

dearcry ransomware, dearcry malware, dearcry ransomware ioc, dearcry exchange, dearcry ransomware exchange, ransomware

Microsoft has confirmed that a threat actor is exploiting vulnerabilities in ProxyLogon to install ransomware on unpatched Microsoft Exchange email servers and encrypt their content.

When Dearcry ransomware released?

The attacks have occurred since at least Tuesday, March 9, and were discovered after victim organizations uploaded copies of the ransom note to ID-Ransomware, a web-based tool to identify the name of the ransomware chain that encrypted the victim's systems.

What Dearcry ransomware can do?

It makes a service (named "msupdate" ) that is being used to start the encryption that can generate ".CRYPT" extension coming from IPs of Exchange servers from US, CA, AU on quick look.

DEARCRY ransomware name chosen based on a file marker found inside encrypted files; however, Microsoft Defender will also detect it as Ransom:Win32/DoejoCrypt.A.

Microsoft said "We have detected and are now blocking a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers. Microsoft protects against this threat known as Ransom:Win32/DoejoCrypt.A, and also as DearCry."

<style>/*
<script type="text/javascript" src="https://www.blogger.com/static/v1/widgets/3576124627-widgets.js"></script>
<script type='text/javascript'>
window['__wavt'] = 'AOuZoY59zppTpXohJuvFvXpnvR0DYkwz1Q:1726923049543';_WidgetManager._Init('//www.blogger.com/rearrange?blogID\x3d3589136026507255572','//mango-school.blogspot.com/2021/03/dearcry-is-spreading-like-wildfire-via.html','3589136026507255572');
_WidgetManager._SetDataContext([{'name': 'blog', 'data': {'blogId': '3589136026507255572', 'title': 'Mango School for Information Technology and Cyber Security', 'url': 'https://mango-school.blogspot.com/2021/03/dearcry-is-spreading-like-wildfire-via.html', 'canonicalUrl': 'https://mango-school.blogspot.com/2021/03/dearcry-is-spreading-like-wildfire-via.html', 'homepageUrl': 'https://mango-school.blogspot.com/', 'searchUrl': 'https://mango-school.blogspot.com/search', 'canonicalHomepageUrl': 'https://mango-school.blogspot.com/', 'blogspotFaviconUrl': 'https://mango-school.blogspot.com/favicon.ico', 'bloggerUrl': 'https://www.blogger.com', 'hasCustomDomain': false, 'httpsEnabled': true, 'enabledCommentProfileImages': true, 'gPlusViewType': 'FILTERED_POSTMOD', 'adultContent': false, 'analyticsAccountNumber': '', 'encoding': 'UTF-8', 'locale': 'en', 'localeUnderscoreDelimited': 'en', 'languageDirection': 'ltr', 'isPrivate': false, 'isMobile': false, 'isMobileRequest': false, 'mobileClass': '', 'isPrivateBlog': false, 'isDynamicViewsAvailable': true, 'feedLinks': '\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Mango School for Information Technology and Cyber Security - Atom\x22 href\x3d\x22https://mango-school.blogspot.com/feeds/posts/default\x22 /\x3e\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/rss+xml\x22 title\x3d\x22Mango School for Information Technology and Cyber Security - RSS\x22 href\x3d\x22https://mango-school.blogspot.com/feeds/posts/default?alt\x3drss\x22 /\x3e\n\x3clink rel\x3d\x22service.post\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Mango School for Information Technology and Cyber Security - Atom\x22 href\x3d\x22https://www.blogger.com/feeds/3589136026507255572/posts/default\x22 /\x3e\n\n\x3clink rel\x3d\x22alternate\x22 type\x3d\x22application/atom+xml\x22 title\x3d\x22Mango School for Information Technology and Cyber Security - Atom\x22 href\x3d\x22https://mango-school.blogspot.com/feeds/5378190808780067375/comments/default\x22 /\x3e\n', 'meTag': '', 'adsenseClientId': 'ca-pub-2831139136270004', 'adsenseHostId': 'ca-host-pub-1556223355139109', 'adsenseHasAds': true, 'adsenseAutoAds': true, 'boqCommentIframeForm': true, 'loginRedirectParam': '', 'view': '', 'dynamicViewsCommentsSrc': '//www.blogblog.com/dynamicviews/4224c15c4e7c9321/js/comments.js', 'dynamicViewsScriptSrc': '//www.blogblog.com/dynamicviews/bea942728df245a5', 'plusOneApiSrc': 'https://apis.google.com/js/platform.js', 'disableGComments': true, 'interstitialAccepted': false, 'sharing': {'platforms': [{'name': 'Get link', 'key': 'link', 'shareMessage': 'Get link', 'target': ''}, {'name': 'Facebook', 'key': 'facebook', 'shareMessage': 'Share to Facebook', 'target': 'facebook'}, {'name': 'BlogThis!', 'key': 'blogThis', 'shareMessage': 'BlogThis!', 'target': 'blog'}, {'name': 'Twitter', 'key': 'twitter', 'shareMessage': 'Share to Twitter', 'target': 'twitter'}, {'name': 'Pinterest', 'key': 'pinterest', 'shareMessage': 'Share to Pinterest', 'target': 'pinterest'}, {'name': 'Email', 'key': 'email', 'shareMessage': 'Email', 'target': 'email'}], 'disableGooglePlus': true, 'googlePlusShareButtonWidth': 0, 'googlePlusBootstrap': '\x3cscript type\x3d\x22text/javascript\x22\x3ewindow.___gcfg \x3d {\x27lang\x27: \x27en\x27};\x3c/script\x3e'}, 'hasCustomJumpLinkMessage': true, 'jumpLinkMessage': 'Read-more \xbb', 'pageType': 'item', 'postId': '5378190808780067375', 'postImageThumbnailUrl': 'https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8SoYksA3OPyyvqPMht16DKb8X2fUtku0IvhHukgZAWiHSKnMjI6ApjL5varScxVC2H5BhtGstgdPKZrlDCOW2bsEMIc59AGigk6-8FJ9CLQxmuUxq77IjYa0-DJ0ID3MPcz3rXXjr8FWU/s72-w640-c-h360/dearcry.jpg', 'postImageUrl': 'https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8SoYksA3OPyyvqPMht16DKb8X2fUtku0IvhHukgZAWiHSKnMjI6ApjL5varScxVC2H5BhtGstgdPKZrlDCOW2bsEMIc59AGigk6-8FJ9CLQxmuUxq77IjYa0-DJ0ID3MPcz3rXXjr8FWU/w640-h360/dearcry.jpg', 'pageName': 'Dearcry ransomware Targets Microsoft Exchange', 'pageTitle': 'Mango School for Information Technology and Cyber Security: Dearcry ransomware Targets Microsoft Exchange', 'metaDescription': 'Microsoft has confirmed that a threat actor is exploiting vulnerabilities in ProxyLogon to install ransomware on unpatched Microsoft Exchange email...'}}, {'name': 'features', 'data': {}}, {'name': 'messages', 'data': {'edit': 'Edit', 'linkCopiedToClipboard': 'Link copied to clipboard!', 'ok': 'Ok', 'postLink': 'Post Link'}}, {'name': 'template', 'data': {'name': 'custom', 'localizedName': 'Custom', 'isResponsive': true, 'isAlternateRendering': false, 'isCustom': true}}, {'name': 'view', 'data': {'classic': {'name': 'classic', 'url': '?view\x3dclassic'}, 'flipcard': {'name': 'flipcard', 'url': '?view\x3dflipcard'}, 'magazine': {'name': 'magazine', 'url': '?view\x3dmagazine'}, 'mosaic': {'name': 'mosaic', 'url': '?view\x3dmosaic'}, 'sidebar': {'name': 'sidebar', 'url': '?view\x3dsidebar'}, 'snapshot': {'name': 'snapshot', 'url': '?view\x3dsnapshot'}, 'timeslide': {'name': 'timeslide', 'url': '?view\x3dtimeslide'}, 'isMobile': false, 'title': 'Dearcry ransomware Targets Microsoft Exchange', 'description': 'Microsoft has confirmed that a threat actor is exploiting vulnerabilities in ProxyLogon to install ransomware on unpatched Microsoft Exchange email...', 'featuredImage': 'https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8SoYksA3OPyyvqPMht16DKb8X2fUtku0IvhHukgZAWiHSKnMjI6ApjL5varScxVC2H5BhtGstgdPKZrlDCOW2bsEMIc59AGigk6-8FJ9CLQxmuUxq77IjYa0-DJ0ID3MPcz3rXXjr8FWU/w640-h360/dearcry.jpg', 'url': 'https://mango-school.blogspot.com/2021/03/dearcry-is-spreading-like-wildfire-via.html', 'type': 'item', 'isSingleItem': true, 'isMultipleItems': false, 'isError': false, 'isPage': false, 'isPost': true, 'isHomepage': false, 'isArchive': false, 'isLabelSearch': false, 'postId': 5378190808780067375}}, {'name': 'widgets', 'data': [{'title': 'Logo', 'type': 'HTML', 'sectionId': 'header-main', 'id': 'HTML10'}, {'title': 'Icons, Dark, Search', 'type': 'LinkList', 'sectionId': 'header-main', 'id': 'LinkList10'}, {'title': 'Menu', 'type': 'LinkList', 'sectionId': 'header-main', 'id': 'LinkList11'}, {'title': 'Blog Posts', 'type': 'Blog', 'sectionId': 'blog-post', 'id': 'Blog1', 'posts': [{'id': '5378190808780067375', 'title': 'Dearcry ransomware Targets Microsoft Exchange', 'featuredImage': 'https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8SoYksA3OPyyvqPMht16DKb8X2fUtku0IvhHukgZAWiHSKnMjI6ApjL5varScxVC2H5BhtGstgdPKZrlDCOW2bsEMIc59AGigk6-8FJ9CLQxmuUxq77IjYa0-DJ0ID3MPcz3rXXjr8FWU/w640-h360/dearcry.jpg', 'showInlineAds': false}], 'footerBylines': [{'regionName': 'footer1', 'items': [{'name': 'share', 'label': ''}]}], 'allBylineItems': [{'name': 'share', 'label': ''}]}, {'title': 'Popular Posts', 'type': 'PopularPosts', 'sectionId': 'sidebar-static', 'id': 'PopularPosts10', 'posts': [{'title': 'Gujd file ransomware virus Removal Decrypt', 'id': 5638591793488345148}, {'title': 'Zzla file ransomware virus Removal Decrypt', 'id': 9089289928437659324}, {'title': 'How to recover deleted WhatsApp messages', 'id': 8893834197053935343}, {'title': 'USA bans Kaspersky - What are the reasons?', 'id': 8464110779646215258}, {'title': 'Received Toll Bay Area FasTrak Text', 'id': 6688816003895425899}]}, {'title': '#Recent Post', 'type': 'HTML', 'sectionId': 'sidebar-static', 'id': 'HTML19'}, {'title': 'Follow Mango school', 'type': 'LinkList', 'sectionId': 'footer-widget', 'id': 'LinkList14'}, {'title': 'Copyright', 'type': 'HTML', 'sectionId': 'copyright', 'id': 'HTML23'}, {'title': 'SVG Icons', 'type': 'HTML', 'sectionId': 'jet-options', 'id': 'HTML24'}]}]);
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML10', 'header-main', document.getElementById('HTML10'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList10', 'header-main', document.getElementById('LinkList10'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList11', 'header-main', document.getElementById('LinkList11'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_BlogView', new _WidgetInfo('Blog1', 'blog-post', document.getElementById('Blog1'), {'cmtInteractionsEnabled': false, 'lightboxEnabled': true, 'lightboxModuleUrl': 'https://www.blogger.com/static/v1/jsbin/128363787-lbx.js', 'lightboxCssUrl': 'https://www.blogger.com/static/v1/v-css/13464135-lightbox_bundle.css'}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_PopularPostsView', new _WidgetInfo('PopularPosts10', 'sidebar-static', document.getElementById('PopularPosts10'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML19', 'sidebar-static', document.getElementById('HTML19'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_LinkListView', new _WidgetInfo('LinkList14', 'footer-widget', document.getElementById('LinkList14'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML23', 'copyright', document.getElementById('HTML23'), {}, 'displayModeFull'));
_WidgetManager._RegisterWidget('_HTMLView', new _WidgetInfo('HTML24', 'jet-options', document.getElementById('HTML24'), {}, 'displayModeFull'));
</script>
</body>*/</style>