“BlackKingdom” is the newest discovered campaign that is hacking into the Microsoft Exchange server and is leveraging the ProxyLogon vulnerabilities to deploy ransomware.
Marcus Hutchins from MalwareTechBlog Tweeted saying “Someone just ran this script on all vulnerable Exchange servers via ProxyLogon vulnerability. It claims to be BlackKingdom “Ransomware”, but it doesn’t appear to encrypt files, just drops a ransom note to every directory. According to my honeypot backlog, the same attacker ran the following script a few days prior, but it failed.”
The web attackers tried to push ransomware to Hutchins’s Honeypots but they did not become encrypted and the attempt failed. Although this attack was did not go through it doesn’t mean that the hackers have not succeeded in encrypting other software. The BlackKingdom has been able to encrypt other devices from about mid- March. So far BlackKingdom has infected victims in the US, Canada, Austria, Switzerland, Russia, France, Israel, the UK, Italy, Germany, Greece, Australia and Croatia.
When successfully deployed, the ransomware encrypts files using random extensions and then leaves a ransom note named decrypt_file.TxT. However, in his research, Hutchins found a different ransom note named ReadMe.txt which used text that is slightly different. Both ransom notes request that victims pay $10,000 in bitcoin to unencrypt their servers.
This isn’t the first time that a ransomware known as BlackKingdom has been observed in the wild. Back in June of last year, another ransomware by the same name was used to compromise corporate networks by exploiting vulnerabilities in Pulse VPN. Although it has yet to be confirmed, both versions of the BlackKingdom ransomware were written in Python.
Another ransomware known as DearCry was also used to launch attacks against Microsoft Exchange servers by exploiting the ProxyLogon vulnerabilities earlier this month.
