Microsoft’s researchers discovered Black Kingdom web shells deployed on 1,500 Exchange servers. The malware is tracked as Pydomer by Microsoft.
Since March 18, ransomware identification site ID Ransomware received over 30 submissions coming directly from impacted mail services about Exchange servers successfully encrypted with Black Kingdom ransomware.
Malware analyst Marcus Hutchins was the first to spot Black Kingdom targeting Exchange servers over the weekend.
“They started later than some other attackers, with many compromises occurring between March 18 and March 20, a window when fewer unpatched systems were available,” the Microsoft 365 Defender Threat Intelligence Team wrote in a report.
Victims are located in the US, Canada, Russia, Germany, Austria, Switzerland, France, Israel, United Kingdom, Italy, Greece, Croatia, and Australia. But Microsoft researchers said not all of the compromises progressed to the ransomware stage.
The attackers dropped a web shell, with a notable name format: “Chack[Word][Country abbreviation].”
The attackers then used their web shell to drop a test.bat batch file that dumped the memory of the LSASS process, which holds cached credentials.
Where the attackers moved to second-stage ransomware operations, they used “a Python script compiled to an executable and the Python cryptography libraries to encrypt files,” Microsoft researchers explain.
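The following is an added defensive example, not code from Microsoft or from the article: it encodes the two indicators described above (the "Chack[Word][Country abbreviation]" web shell naming pattern and the test.bat / LSASS dump stage) as hunting checks over constructed file listings and process creation events. The .aspx extension, the w3wp.exe parent process, and all sample paths and commands are assumptions.

```python
import re
from dataclasses import dataclass

# Reported naming pattern for the Pydomer/Black Kingdom web shells:
# "Chack" + a word + a two-letter country abbreviation. The .aspx extension
# is an assumption (Exchange web shells are typically ASP.NET pages).
WEBSHELL_NAME = re.compile(r"^Chack[A-Za-z]+[A-Z]{2}\.aspx$")

def find_suspect_webshells(paths):
    """Return the paths whose file name matches the reported Chack[Word][CC] pattern."""
    return [p for p in paths if WEBSHELL_NAME.match(re.split(r"[\\/]", p)[-1])]

@dataclass
class ProcessEvent:
    parent_image: str   # parent process name, e.g. from Sysmon/EDR process creation logs
    image: str
    command_line: str

def find_lsass_dump_events(events):
    """Flag process creations consistent with the reported test.bat / LSASS dump stage.

    Assumption: the attackers' commands are spawned by the IIS worker (w3wp.exe),
    which hosts the web shell; a batch file named test.bat or any command line
    mentioning lsass from that parent is treated as suspicious.
    """
    hits = []
    for ev in events:
        cmd = ev.command_line.lower()
        from_iis_worker = ev.parent_image.lower().endswith("w3wp.exe")
        if from_iis_worker and ("test.bat" in cmd or "lsass" in cmd):
            hits.append(ev)
    return hits

# Constructed sample data (not real indicators from the article).
SAMPLE_PATHS = [
    r"C:\inetpub\wwwroot\aspnet_client\ChackLogsUS.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\ChackBackupDE.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\system_web.aspx",
    r"C:\inetpub\wwwroot\aspnet_client\Checkout.aspx",
]
SAMPLE_EVENTS = [
    ProcessEvent("w3wp.exe", "cmd.exe", r"cmd.exe /c C:\Windows\Temp\test.bat"),
    ProcessEvent("explorer.exe", "cmd.exe", r"cmd.exe /c C:\build\test.bat"),
    ProcessEvent("w3wp.exe", "cmd.exe", "cmd.exe /c echo healthcheck"),
]

if __name__ == "__main__":
    for p in find_suspect_webshells(SAMPLE_PATHS):
        print("suspect web shell:", p)
    for ev in find_lsass_dump_events(SAMPLE_EVENTS):
        print("suspect LSASS dump stage:", ev.parent_image, "->", ev.command_line)
```

A test.bat launched by an interactive user is deliberately not flagged; the signal is the combination of the IIS worker parent and the batch file or LSASS reference.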
In some of the attacks, Microsoft saw that a ransom note was created even though the device was not encrypted. However, the researchers say the note should be taken seriously, as the attackers had full access to systems and likely managed to steal data.
Black Kingdom is the second confirmed ransomware family targeting Microsoft Exchange servers through the ProxyLogon flaws.
The first ransomware operation involved DearCry ransomware and started one week after Microsoft released ProxyLogon security updates.