Malware, Patch/Configuration Management, Ransomware, Vulnerability Management

Ransomware may be targeting Microsoft’s Hafnium Exchange Server vulnerabilities

Microsoft flagship store in London. (Microsoft)

Microsoft confirmed "a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers," via its Security Intelligence Twitter account.

The ransomware, called DoejoCrypt or DearCry, appears to be the latest threat associated with not patching the Hafnium Exchange Server vulnerabilities Microsoft first announced last week.

DoejoCrypt was first noticed on Thursday by researcher Michael Gillespie as attacking Exchange Server, with the connection to the Hafnium vulnerabilities quickly speculated.

Microsoft announced that a state-sponsored actor located in China breached on-premises Exchange Servers on Tuesday, March 2, the same day it issued a patch. The company named that hacker group Hafnium. Since then the number of clusters of distinct hacker activity researchers identified as taking advantage of those Exchange Server vulnerabilities has rapidly expanded. At least 30,000 servers have been breached.

The security vendor ESET announced earlier this week that it saw 10 clusters of activity, many of which it traced back to distinct advanced persistent threats believed to be Chinese state-sponsored groups. Only one of the 10 clusters appeared to be criminally motivated, rather than motivated by espionage. That cluster was installing cryptominer malware.

Microsoft says Microsoft Defender will protect against DoejoCrypt, and customers receiving automatic updates will already be protected.

Since first announcing the patch to the Hafnium vulnerabilities, Microsoft has emphasized the critical need to install the update it.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.