
HAFNIUM

Posted: March 17, 2021

Microsoft Exchange Servers were recently targeted by a new piece of malware tracked under the alias DearCry Ransomware. Its creators are clearly fans of the infamous WannaCry Ransomware but, thankfully, they are nowhere near as skilled as the developers of the most dangerous file-encrypting Trojan of recent years. Nevertheless, the DearCry Ransomware remains a very dangerous threat, and its development has been attributed to a cybercrime organization tracked under the alias HAFNIUM.

HAFNIUM is believed to be a state-sponsored threat actor operating from China. Their attacks frequently target US-based companies operating in various sectors – education, law, medical, defense contractors, and more. The criminals usually rely on publicly available tools to execute their attacks, and they even use public services to exfiltrate stolen data – in the past, they have relied on the MEGA file-sharing service to store stolen information. The DearCry Ransomware used by the HAFNIUM group is considered to be impossible to decrypt, and its victims may only be able to recover their files by restoring them from a backup.

Previous HAFNIUM campaigns involved the use of a public utility known as PowerCat – it is intended for penetration testing by trusted researchers, but cybercriminals such as the HAFNIUM group have adopted it as well. The PowerCat utility was usually deployed as a second-stage payload, which allowed the attackers to exfiltrate data, deploy additional malware, and tamper with system settings.

The newly identified DearCry Ransomware shows that the HAFNIUM hackers are branching out into other malware families, as well as developing their own custom threats. Companies and individuals can protect their systems and networks from HAFNIUM's attacks by using up-to-date antivirus software and by applying the latest updates and patches to all of their software.
