Black Kingdom ransomware is targeting Microsoft Exchange servers

Security experts reported that a second ransomware gang, named Black Kingdom, is targeting Microsoft Exchange servers.

After the public disclosure of ProxyLogon vulnerabilities, multiple threat actors started targeting vulnerable Microsoft Exchange servers exposed online. The first ransomware gang exploiting the above issues in attacks in the wild was a group tracked as DearCry.

The latest crew to exploit the recently disclosed flaws in Microsoft Exchange servers is a ransomware gang named Black Kingdom.

Black Kingdom ransomware was first spotted in late February 2020 by security researcher GrujaRS. The ransomware encrypts files and appends the .DEMON extension to the filenames of the encrypted documents. In June 2020, Black Kingdom ransomware operators started targeting organizations running unpatched Pulse Secure VPN software to deploy their malware.

Now the group, leveraging the public availability of ProxyLogon PoC exploit code, has expanded its operations to target vulnerable Exchange mail servers.

The popular researcher Marcus Hutchins was the first to report the activity of the Black Kingdom group.

Someone just ran this script on all vulnerable Exchange servers via ProxyLogon vulnerability. It claims to be BlackKingdom “Ransomware”, but it doesn’t appear to encrypt files, just drops a ransom note to every directory. pic.twitter.com/POYlPYGjsz

— MalwareTech (@MalwareTechBlog) March 21, 2021

The expert pointed out that the ransomware gang was dropping a ransom note on vulnerable installs demanding a payment of $10,000 worth of Bitcoin, but for unknown reasons the files were not encrypted. Unfortunately, according to security experts, the group has since fixed its problems and is now able to encrypt the files on compromised Exchange servers.

BlackKingdom ransomware on my personal servers. It does indeed encrypt files. They exclude c:\windows, however my storage drivers were in a different folder and it encrypted those… meaning the server doesn’t boot any more. If you’re reading BlackKingdom, exclude *.sys files pic.twitter.com/nUVUJTbcGO

— Kevin Beaumont (@GossiTheDog) March 23, 2021

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft Exchange)
