We're gradually updating threat actor names in our reports to align with the new weather-themed taxonomy. Learn about Microsoft threat actor names
Ransom:Win32/DoejoCrypt.A
Aliases: DearCry (other)
Summary
Microsoft Defender Antivirus detects and removes this threat.
This ransomware is deployed by human operators after initially compromising the device using a malicious web shell. The web shell then creates a batch file, Trojan:BAT/Wenam.A, that allows attackers to move laterally in, and steal credentials from the compromised system. The ransomware then encrypts files, making them inaccessible.
For information about other human-operated ransomware campaigns, read these blog posts:
There is no one-size-fits-all response if you have been victimized by ransomware. To recover files, you can restore backups. There is no guarantee that paying the ransom will give you access to your files.
- Immediately isolate the affected device as well as any additional device with alerts for DoejoCrypt. If DoejoCrypt has been launched, it is likely that the device is under complete attacker control.
- Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts.
- Investigate how the affected endpoint might have been compromised. Check for the presence of other malware.
- Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts. Attackers often use Cobalt Strike to bring in tools such as PsExec to move laterally, and other functions to exfiltrate data. Mimikatz might have been used to harvest credentials as well as browser and web credentials via other means to enable further access.
- Initiate an incident response process, focusing on responding to possible data exfiltration and ransomware deployment, both of which attackers might have already performed. Contact your incident response team. If you don't have one, contact Microsoft support for investigation and remediation services.
Microsoft Defender Antivirus automatically removes threats as they are detected. However, many infections can leave remnant files and system changes. Updating your antimalware definitions and running a full scan might help address these remnant artifacts.
You can also visit our our advanced troubleshooting page for more help. You can also search the Microsoft virus and malware community for relevant information.
