Site navigation

Microsoft Exchange Breach Brings New Tide of Ransomware

Michael Behr


Microsoft Exchange Breach

Now that the flaw in Microsoft Exchange is known, cybercriminals are rushing to attack unprotected systems.

A new wave of ransomware attacks taking advantage of the Microsoft Exchange breach has started to develop.

Microsoft has warned that a new strain of ransomware, dubbed DearCry or DoejoCrypt, is now targeting unpatched Exchange servers. The company released patches ahead of scheduled updates on March 2, but has said that organisations need to install them as a matter of urgency as hackers look to take advantage of the exploit.

Cybersecurity company Check Point has warned that the number of attempted attacks has increased more than tenfold – 700 were detected on March 11, with over 7,200 found on March 15.

The Microsoft Exchange breach occurred when China-based hacking group Hafnium leveraged a previously unknown zero-day flaw in Microsoft’s systems to steal data from targeted networks. In an example of a low-and-slow attack, the hackers are estimated to have had access to systems since late 2020, only escalating in recent weeks.

Microsoft has warned that, once news of the exploit was made public, additional cybercriminals would use the flaw to target ransomware attacks. Its researchers warned that at least ten hacking groups, including the China-linked group, had hit its servers.

In addition, a proof-of-concept tool to attack the Microsoft Exchange servers was published on GitHub, a Microsoft-owned code portal. The tool was removed within hours, but it means that a potential way to attack servers is now in circulation.

While patches will protect against new attacks, there are still risks that attackers who had access to systems can still use stolen information in attacks.

Microsoft has since used GitHub to release a script that allows admins to check Exchange servers to make sure their data is not being harvested. As such, running the script after installing the patches will help ensure that attackers lose access should they previously have compromised a system.

“Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artefacts,” Microsoft stated.


Cybersecurity firm Fortinet, which has been tracking the new ransomware campaign, said that the new campaign is targeting four of the Microsoft Exchange Server vulnerabilities that were previously exploited.

Fortinet warned that once the DearCry ransomware infects a computer, it creates encrypted copies of the attacked files before deleting the originals. When users try to open files, they find a readme.txt ransom note containing two email addresses along with demands for $16,000.

While most ransomware needs to connect with a hacker’s command-and-control server to receive orders to activate and begin encryption, DearCry uses a different method.

The method used to encrypt files is embedded in the malware’s code, removing the need to contact the server. Fortinet warned that this means that even Exchange Servers that only allows internet access to Exchange services will still become encrypted.

The European Banking Authority and the Norwegian Government are among the high-profile targets claiming to be affected by the breach.

The Microsoft Exchange attack could have a major impact on global business, affecting up to 250,000 organisations. According to the UK’s National Cyber Security Centre, around 7000 servers in the country were affected by the flaw, and 3000 currently remain at risk.

Such was the severity of the attack, US President Joe Biden recently announced that his administration would form a task force to investigate the attack.

Join the Debate: ScotSecure 2021

The cybersecurity challenges posed by emerging threats like SolarWinds and the Microsoft Exchange attack will be key areas of discussion at the upcoming Scot-Secure Cybersecurity Conference on March 24-25th.

Hear from leading experts from across the cybersecurity sector and explore the crucial issues.

Register your free place now at:

Michael Behr

Senior Staff Writer

Latest News

%d bloggers like this: