According to SC Magazine, Microsoft confirmed “a new family of ransomware being used after an initial compromise of unpatched on-premises Exchange Servers,” via its Security Intelligence Twitter account.

The ransomware, called DoejoCrypt or DearCry, appears to be the latest threat associated with not patching the Hafnium Exchange Server vulnerabilities Microsoft first announced last week.

DoejoCrypt was first noticed on Thursday by researcher Michael Gillespie as attacking Exchange Server, with the connection to the Hafnium vulnerabilities quickly speculated.

Microsoft announced that a state-sponsored actor located in China breached on-premises Exchange Servers on Tuesday, March 2, the same day it issued a patch. The company named that hacker group Hafnium. Since then the number of clusters of distinct hacker activity researchers identified as taking advantage of those Exchange Server vulnerabilities has rapidly expanded. At least 30,000 servers have been breached.

The security vendor ESET announced earlier this week that it saw 10 clusters of activity, many of which it traced back to distinct advanced persistent threats believed to be Chinese state-sponsored groups. Only one of the 10 clusters appeared to be criminally motivated, rather than motivated by espionage. That cluster was installing cryptominer malware.

Microsoft says Microsoft Defender will protect against DoejoCrypt, and customers receiving automatic updates will already be protected.

Since first announcing the patch to the Hafnium vulnerabilities, Microsoft has emphasized the critical need to install the update it.


SpearTip’s cyber experts have been working diligently to respond to threats revolving around the Microsoft Exchange server vulnerabilities. Dealing with zero-day vulnerabilities is difficult because there isn’t much available threat intelligence initially. The collaboration within the Security Operations Center is what allows us to effectively respond to new threats and protect our partners.

Ransomware adds another level to the already critical situation. As mentioned above, 30,000 servers have been affected, and it’s likely many more will be discovered as time goes on. Allow our certified professionals to analyze your network and protect you from these threats.

SpearTip’s cyber experts continuously monitor environments 24/7 in our US based Security Operations Center. Our certified engineers work in unison with our proprietary endpoint detection and response tool, ShadowSpear®. This allows your organization to have a direct communication with our engineers at any moment and a completely transparent view of your risk profile.

If you think your organization has been affected by the vulnerabilities or if you have questions, call our Security Operations Center at 833.997.7327.