Sophos has published ‘Black Kingdom Ransomware Begins Appearing on Exchange Servers’, a report detailing a ransomware family that has been targeting Exchange servers still unpatched against the ProxyLogon vulnerabilities, arriving shortly after the DearCry and Hafnium attacks.
Some of the key findings on the Black Kingdom ransomware are summarized in the following commentary from Mark Loman, a ransomware expert at Sophos and director of its engineering technology office.
He notes that it has been three weeks since the release of security patches for the ProxyLogon vulnerabilities, and adversaries are racing against time to target still-unpatched Exchange servers.
“As we saw with DearCry ransomware, this can lead to the release of prototype, rushed or poor quality code created by less experienced developers. Today we report on another example of this, perpetrated by the operators behind Black Kingdom ransomware,” says Mark Loman.
The Black Kingdom ransomware targeting unpatched Exchange servers has all the hallmarks of being created by a motivated script kiddie. The encryption tools and techniques are imperfect, but the ransom demand of USD 10,000 in bitcoin is low enough that victims may pay.
Every threat should be taken seriously, even seemingly low-quality ones.
“Defenders should take urgent steps to install Microsoft’s patches to prevent exploitation of their Exchange Server. In addition, the Exchange server should be scanned for web shells that allow attackers to run commands on the server. If this is not possible, the server should be disconnected from the internet or closely monitored by a threat response team,” concludes Loman.