Ransomware operators are piling on already hacked Exchange servers

A stylized ransom note asks for bitcoin in exchange for stolen data.reader comments

7 with 7 posters participating

Microsoft Exchange servers compromised in a first round of attacks are getting infected for a second time by a ransomware gang that is trying to profit from a rash of exploits that caught organizations around the world flat-footed.

The ransomware—known as Black Kingdom, DEMON, and DemonWare—is demanding $10,000 for the recovery of encrypted data, security researchers said. The malware is getting installed on Exchange servers that were previously infected by attackers exploiting a critical vulnerability in the Microsoft email program. Attacks started while the vulnerability was still a zero-day. Even after Microsoft issued an emergency patch, as many as 100,000 servers that didn’t install it in time were infected.

Opportunity knocks

The hackers behind those attacks installed a web shell that allowed anyone who knew the URL to completely control the compromised servers. Black Kingdom was spotted last week by Security firm SpearTip. Marcus Hutchins, a security researcher at security firm Kryptos Logic, reported on Sunday that the malware didn’t actually encrypt files.

On Tuesday morning, Microsoft Threat Intelligence Analyst Kevin Beaumont reported that a Black Kingdom attack “does indeed encrypt files.

Security firm Arete on Monday also disclosed Black Kingdom attacks.

Black Kingdom was spotted last June by security firm RedTeam. The ransomware was taking hold of servers that failed to patch a critical vulnerability in the Pulse VPN software. Black Kingdom also made an appearance at the beginning of last year.

according to Politico, which cited a National Security Council spokesperson. There were about 120,000 vulnerable systems earlier this month.

As the follow-on ransomware attacks underscore, patching servers isn’t anywhere near a full solution to the ongoing Exchange server crisis. Even when severs receive the security updates, they can still be infected with ransomware if any web shells remain.

Microsoft is urging affected organizations that don’t have experienced security staff to run this one-click mitigation script.

Article Tags:
Article Categories: