SentinelOne VS DearCry Ransomware (Exploits Microsoft Hafnium Exchange Vulnerabilities) Protect Mode

Watch how SentinelOne protects from DearCry – new ransomware that exploits the Microsoft Exchange (Hafnium) vulnerabilities. For more details on Hafnium: https://lnkd.in/gUSDW_j

DearCry is a new ransomware that exploits the Microsoft Exchange vulnerabilities, known as Hafnium. The ransomware appears to have been deposited via webshell access on the targeted servers. The delivery mechanisms likely extend beyond that however. See how Sentinelone protects
DearCry creates a windows service (“msupdate”) which handles the bulk of the encryption duties. A hard-coded list of extensions to queue for encryption is included, and most common filetypes are covered in said list. After encryption, affected files will have their extension changed to “.CRYPT”. Encryption is fairly straightforward, appearing to make use of AES-256 for file/data encryption, while AES key is encrypted via RSA-2048. The ransomware will attempt to enumerate all logical, and accessible, drives for encryptable data. Victims are instructed to contact the attacker via email, with two addresses being provided in the ransom note.

#Lazarus #sentinellabs #infosec #cybersecurity #cyberattack #cyber #hacking #NukeSped