Microsoft Exchange servers are under attack again as a security researcher has uncovered a new campaign known as “BlackKingdom” that exploits ProxyLogon vulnerabilities to deploy ransomware.
As reported by BleepingComputer, security researcher Marcus Hutchins of MalwareTechBlog detailed his findings in a series of recent tweets, saying:
“Someone just ran this script on all vulnerable Exchange servers through ProxyLogon. It claims to be BlackKingdom ransomware, but it doesn’t seem to encrypt files, it just drops a ransom note in each directory. According to my honeypot reports, the same attacker tried to run the following script a few days earlier, but failed.”
Although the attackers tried to deploy the ransomware on Hutchins’ honeypots, the honeypots were not encrypted, suggesting that what he witnessed was a failed attack.
BlackKingdom
Although the attackers failed to encrypt Hutchins’ honeypots, submissions to the ransomware identification site ID Ransomware show that BlackKingdom did successfully encrypt other victims’ devices in mid-March.
So far, BlackKingdom has claimed victims in the United States, Canada, Australia, Switzerland, Russia, France, Israel, the United Kingdom, Italy, Germany, Greece, and Croatia.
When it runs successfully, the ransomware encrypts files, appending random extensions to them, and then leaves a ransom note named decrypt_file.TxT. In his research, however, Hutchins found a different ransom note, named ReadMe.txt, with slightly different text. Both notes demand $10,000 in bitcoin in exchange for decrypting the victim’s servers.
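A triage script a responder might run on a suspected Exchange host, added here as an example and not taken from the report or from any analysis of the malware itself: it walks a directory tree, flags the two ransom-note filenames only when the file body also carries the bitcoin demand (ReadMe.txt is a common benign name), and counts files whose extension is not on an allowlist as candidates for the random-extension renaming. A tree with notes but no renamed files matches the failed run Hutchins saw; notes plus renamed files match the successful encryptions reported to ID Ransomware. The extension allowlist, the note-body marker strings and the two sample trees are assumptions constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Ransom-note filenames reported for the two BlackKingdom notes (matched case-insensitively).
RANSOM_NOTE_NAMES = {"decrypt_file.txt", "readme.txt"}
# Phrases expected in a note body. The $10,000 bitcoin demand is reported; the exact
# wording of the notes is not, so this marker list is an assumption for the example.
NOTE_MARKERS = ("bitcoin", "10,000", "10000")
# Extensions considered normal on the host. Assumed starting allowlist; extend it for
# the server being triaged, since any extension not listed here is flagged.
KNOWN_EXTENSIONS = {
    "txt", "log", "eml", "msg", "edb", "chk", "jrs", "docx", "xlsx", "pdf", "ps1",
    "dll", "exe", "config", "xml", "json", "aspx", "asmx", "dat", "ini", "bak",
}


def is_ransom_note(path: Path) -> bool:
    """Match on filename, then require a ransom demand in the body to avoid
    flagging every benign ReadMe.txt on the box."""
    if path.name.lower() not in RANSOM_NOTE_NAMES:
        return False
    try:
        body = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    return any(marker in body for marker in NOTE_MARKERS)


def has_unknown_extension(path: Path) -> bool:
    """Heuristic for a random extension: anything outside the allowlist.
    Files with no extension at all are not flagged."""
    ext = path.suffix.lower().lstrip(".")
    return bool(ext) and ext not in KNOWN_EXTENSIONS


def triage(root) -> dict:
    """Walk the tree once, separating ransom notes from possibly-encrypted files."""
    notes, suspicious = [], []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if is_ransom_note(path):
                notes.append(path)
            elif has_unknown_extension(path):
                suspicious.append(path)
    return {
        "notes": sorted(notes),
        "suspicious": sorted(suspicious),
        "note_dirs": len({n.parent for n in notes}),
    }


def verdict(result: dict) -> str:
    """Notes without renamed files looks like the failed run; notes with renamed
    files looks like a completed encryption."""
    if result["notes"] and result["suspicious"]:
        return "notes-and-renamed-files"
    if result["notes"]:
        return "notes-only"
    if result["suspicious"]:
        return "renamed-files-only"
    return "clean"


def _write(base: Path, rel: str, text: str = "placeholder") -> None:
    path = base / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo_notes_only() -> dict:
    """Constructed sample: a note dropped in every directory, nothing renamed."""
    base = Path(tempfile.mkdtemp(prefix="bk_notes_"))
    note = "Your files are encrypted. Pay $10,000 in bitcoin to get the decryptor."
    _write(base, "Mailbox/ReadMe.txt", note)
    _write(base, "Mailbox/message.eml")
    _write(base, "Logs/ReadMe.txt", note)
    _write(base, "Logs/ExchangeSetup.log")
    _write(base, "Docs/ReadMe.txt", "Installation instructions for the tool.")  # benign
    result = triage(base)
    result["verdict"] = verdict(result)
    return result


def demo_encrypted() -> dict:
    """Constructed sample: decrypt_file.TxT dropped and documents given random extensions."""
    base = Path(tempfile.mkdtemp(prefix="bk_enc_"))
    note = "All your data is encrypted. Send 10,000 USD in bitcoin."
    _write(base, "decrypt_file.TxT", note)
    _write(base, "Share/decrypt_file.TxT", note)
    _write(base, "Share/budget.xlsx.qz8lm")
    _write(base, "Share/contract.pdf.t4wpa")
    _write(base, "Share/untouched.eml")
    result = triage(base)
    result["verdict"] = verdict(result)
    return result


if __name__ == "__main__":
    for label, run in (("notes only", demo_notes_only), ("encrypted", demo_encrypted)):
        r = run()
        print(f"{label}: {r['verdict']}, {len(r['notes'])} notes in {r['note_dirs']} dirs, "
              f"{len(r['suspicious'])} renamed files")
```

To use it on a real host, call triage() on the mailbox database and web-root paths rather than the constructed samples, and treat an empty allowlist hit list with caution: a renamed file is only a lead, and the encrypted-file determination should be confirmed by inspecting file headers, not names alone.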
This is not the first time ransomware called BlackKingdom has been seen. In June of last year, ransomware using the same name was deployed against corporate networks by exploiting vulnerabilities in Pulse VPN appliances. Although it has not been confirmed that the two are the same family, both versions of ‘BlackKingdom’ appear to have been written in Python.
Another ransomware strain, known as ‘DearCry’, was also used to attack Microsoft Exchange servers through the ProxyLogon vulnerabilities earlier this month.
Via BleepingComputer