When Microsoft revealed earlier this month Chinese spies had gone on a historical hacking, observers reasonably feared that other criminals would soon ride the pigtails of this group. In fact, it didn’t take long: a new strain of ransomware called DearCry attacked Exchange servers using the same vulnerabilities from the start. March 9. While DearCry was the first on the scene, on closer inspection he turned out to be a bit of a weird cybercrime duck.
It’s not that DearCry is particularly sophisticated. In fact, compared to clever operations that permeate the world of ransomware today it is practically rude. It’s simple, on the other hand, to avoid a command-and-control server and automated countdown timers in favor of direct human interaction. It lacks basic obfuscation techniques that would make it more difficult to detect and preventively block network defenders. It also encrypts some types of files which make it harder for a victim to use their computer even to pay the ransom.
“Normally, a ransomware attacker would not encrypt executables or DLL files, as this further prevents the victim from using the computer, beyond not being able to access the data,” says Mark Loman, director of the engineering for next-generation technologies at security company Sophos. “The attacker may want to allow the victim to use the computer to transfer the bitcoins.”
Another wrinkle: DearCry shares some attributes with Want to cry, the infamous ransomware worm that spread uncontrollably in 2017 to the security researcher Marcus Hutchins discovered a “kill switch” who castrated him in an instant. That’s the name, for one. Although not a worm, DearCry does share some behavioral aspects with WannaCry. Both make a copy of a targeted file before overwriting it with gibberish. And the header that DearCry adds to compromised files mirrors that of WannaCry in some ways.
The parallels are there, but they are probably not worth reading. “It’s not at all uncommon for ransomware developers to use snippets of other more well-known ransomware in their own code,” said Brett Callow, threat analyst at anti-virus company Emsisoft.
What’s unusual, Callow says, is that DearCry appears to have started quickly before shutting down, and the bigger players in the ransomware space apparently haven’t hopped on the Exchange server vulnerabilities yet.
There’s certainly a disconnect involved. The hackers behind DearCry did a remarkably quick job of reverse-engineering the Chinese hack exploit, but they don’t seem particularly adept at creating ransomware. The explanation may simply be a matter of applicable skill sets. “Developing and militarizing exploits is a very different job from developing malware,” says Jeremy Kennelly, senior director of analysis at Mandiant Threat Intelligence. “It may simply be that the actors who very quickly militarized this feat are simply not connected to the cybercrime ecosystem the same way others are. They might not have access to any of these big affiliate programs, these more robust ransomware families. “
Think of it as the difference between a grill master and a pastry chef. Both make a living in the kitchen, but they have significantly different skills. If you’re used to steak but desperately need a small oven, there’s a good chance you’ll find something edible but not very fancy.
Regarding DearCry’s shortcomings, Loman says, “It makes us believe that this threat is actually created by a newbie or that it is a prototype of a new strain of ransomware.”
Which doesn’t mean it’s not dangerous. “The encryption algorithm appears to be strong, it seems to work,” says Kennelly, who examined the malware code but did not deal with an infection directly. “That’s really all he has to do.”