reader comments
7 with 7 posters participating
Microsoft Exchange servers compromised in a first round of attacks are getting infected for a second time by a ransomware gang that is trying to profit from a rash of exploits that caught organizations around the world flat-footed.
The ransomware—known as Black Kingdom, DEMON, and DemonWare—is demanding $10,000 for the recovery of encrypted data, security researchers said. The malware is getting installed on Exchange servers that were previously infected by attackers exploiting a critical vulnerability in the Microsoft email program. Attacks started while the vulnerability was still a zero-day. Even after Microsoft issued an emergency patch, as many as 100,000 servers that didn’t install it in time were infected.
Opportunity knocks
The hackers behind those attacks installed a web shell that allowed anyone who knew the URL to completely control the compromised servers. Black Kingdom was spotted last week by Security firm SpearTip. Marcus Hutchins, a security researcher at security firm Kryptos Logic, reported on Sunday that the malware didn’t actually encrypt files.
Someone just ran this script on all vulnerable Exchange servers via ProxyLogon vulnerability. It claims to be BlackKingdom “Ransomware”, but it doesn’t appear to encrypt files, just drops a ransom not to every directory. pic.twitter.com/POYlPYGjsz
— MalwareTech (@MalwareTechBlog) March 21, 2021
On Tuesday morning, Microsoft Threat Intelligence Analyst Kevin Beaumont reported that a Black Kingdom attack “does indeed encrypt files.
BlackKingdom ransomware on my personal servers. It does indeed encrypt files. They exclude c:windows, however my storage drivers were in a different folder and it encrypted those… meaning the server doesn’t boot any more. If you’re reading BlackKingdom, exclude *.sys files pic.twitter.com/nUVUJTbcGO
— Kevin Beaumont (@GossiTheDog) March 23, 2021
Security firm Arete on Monday also disclosed Black Kingdom attacks.
Black Kingdom was spotted last June by security firm RedTeam. The ransomware was taking hold of servers that failed to patch a critical vulnerability in the Pulse VPN software. Black Kingdom also made an appearance at the beginning of last year.
according to Politico, which cited a National Security Council spokesperson. There were about 120,000 vulnerable systems earlier this month.
As the follow-on ransomware attacks underscore, patching servers isn’t anywhere near a full solution to the ongoing Exchange server crisis. Even when severs receive the security updates, they can still be infected with ransomware if any web shells remain.
Microsoft is urging affected organizations that don’t have experienced security staff to run this one-click mitigation script.
