Microsoft Exchange servers compromised in a first round of attacks are being infected a second time, by a ransomware gang trying to profit from the rash of exploits that has ensnared organizations around the world.
The ransomware is known as Black Kingdom, DEMON and DemonWare.
The hackers behind the first round installed a web shell that allowed anyone who knew its URL to take full control of the compromised servers. Black Kingdom was spotted on Exchange servers last week by security firm SpearTip. Marcus Hutchins, a security researcher at Kryptos Logic, reported on Sunday that the malware did not actually encrypt files.
Someone just ran this script on all vulnerable Exchange servers via the ProxyLogon vulnerability. It claims to be BlackKingdom “Ransomware”, but it doesn’t appear to encrypt files, only drops a ransom note to every directory. pic.twitter.com/POYlPYGjsz
– MalwareTech (@MalwareTechBlog) March 21, 2021
On Tuesday morning, Microsoft threat intelligence analyst Kevin Beaumont reported that a Black Kingdom attack “actually encrypts files.”
BlackKingdom ransomware on my personal servers. It actually encrypts files. They exclude c:\windows, but my storage drivers were in a different folder and it encrypted them … which means the server is no longer running. If you are reading, BlackKingdom, exclude *.sys files pic.twitter.com/nUVUJTbcGO
– Kevin Beaumont (@GossiTheDog) March 23, 2021
Security firm Arete also reported Black Kingdom attacks on Monday.
Black Kingdom was first seen in June of last year, when the security firm RedTeam reported it targeting servers that had not patched a critical vulnerability in Pulse VPN software. Black Kingdom also made an appearance at the beginning of last year.
Brett Callow, a security analyst at Emsisoft, said it was not clear why one of the latest Black Kingdom attacks failed to encrypt data.
“The original version encrypted files, while a subsequent version just renamed them,” he wrote in an email. “Whether both versions are being used at the same time is not clear. It is also not clear why they changed their code. Perhaps because the process of renaming (fake encryption) would not be detected or blocked by security products?”
He added that one version of the ransomware uses an encryption scheme that, in many cases, makes it possible to recover data without paying. He asked that the weakness not be described in detail, so that the ransomware operators cannot fix it.
Patching is not enough
Neither Arete nor Beaumont said whether the Black Kingdom attacks hit servers that had not yet installed Microsoft’s emergency update, or whether the attackers simply took over poorly protected web shells that another group had installed earlier.
Two weeks ago, Microsoft reported that a separate ransomware strain called DearCry had taken hold of servers that were infected by Hafnium. Hafnium is the name the company gave to the state-sponsored hackers in China who were the first to use ProxyLogon, the name given to a chain of exploits that yields full control over vulnerable Exchange servers.
However, security firm SpearTip said the ransomware was targeting servers “after first exploiting the available Microsoft vulnerabilities.” The group installing the competing DearCry ransomware also has a backdoor.
The Black Kingdom attacks come as the number of vulnerable servers in the United States has dropped to fewer than 10,000, according to Politico, which quoted a spokesperson for the National Security Council. There were about 120,000 vulnerable systems earlier this month.
As the follow-on ransomware attacks underscore, patching is nowhere near a complete solution to the ongoing Exchange server crisis. A server that has received the security updates can still be infected with ransomware if a web shell dropped during an earlier exploitation remains in place: the update closes the entry point but does not remove what the attackers left behind.
Microsoft is urging affected organizations that lack experienced security staff to run its one-click mitigation script, the Exchange On-premises Mitigation Tool.
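As an added illustration, not from the article and not Microsoft’s own tooling, the following PowerShell snippet shows the kind of post-patch check an administrator can run to look for leftover web shells: it lists recently created or modified ASP.NET script files in the directories where ProxyLogon web shells were commonly dropped and flags any that contain strings typical of a web shell. The directory list, the 30-day look-back window and the string patterns are assumptions chosen for illustration, and a clean result does not prove the server is uncompromised.

```powershell
# Added example (not from the article, not Microsoft's EOMT). Run in an
# elevated PowerShell session on the Exchange server after patching.
# Lists recently created/modified ASP.NET script files in assumed web-shell
# drop locations and flags ones containing typical web-shell strings.
# No findings does NOT prove the server is clean.

param(
    # Assumption: look back 30 days; widen this to cover the whole exposure window.
    [int]$Days = 30
)

# ExchangeInstallPath is set by Exchange setup; fall back to the default install location.
$exchangeRoot = $env:ExchangeInstallPath
if (-not $exchangeRoot) { $exchangeRoot = "$env:ProgramFiles\Microsoft\Exchange Server\V15\" }

# Assumed drop locations: the front-end OWA/ECP auth folders and the IIS aspnet_client folder.
$paths = @(
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\owa\auth'),
    (Join-Path $exchangeRoot 'FrontEnd\HttpProxy\ecp\auth'),
    "$env:SystemDrive\inetpub\wwwroot\aspnet_client"
)

# Literal strings common in ASP.NET web shells (illustrative, not exhaustive).
$shellStrings = @('Request[', 'Request.Form', 'Request.Item', 'eval(', 'Process.Start', 'JScript.Eval')

# Script-type extensions worth reviewing in these folders.
$scriptExtensions = @('.aspx', '.asp', '.ashx')

$cutoff = (Get-Date).AddDays(-$Days)

$findings = foreach ($dir in $paths) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Get-ChildItem -LiteralPath $dir -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $scriptExtensions -contains $_.Extension.ToLower() } |
        Where-Object { $_.CreationTime -ge $cutoff -or $_.LastWriteTime -ge $cutoff } |
        ForEach-Object {
            # Which of the suspicious strings appear in the file (empty if none).
            $hits = Select-String -LiteralPath $_.FullName -Pattern $shellStrings -SimpleMatch -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path         = $_.FullName
                Created      = $_.CreationTime
                Modified     = $_.LastWriteTime
                SizeBytes    = $_.Length
                ShellStrings = (($hits | Select-Object -ExpandProperty Pattern -Unique) -join ', ')
            }
        }
}

if ($findings) {
    $findings | Sort-Object Created | Format-Table -AutoSize
    Write-Warning "Review every file listed. A web shell survives the security update and must be removed, and the intrusion investigated, before the server can be considered clean."
} else {
    Write-Host "No recently created script files found under the checked directories (absence of findings is not proof of a clean server)."
}
```

Files that Exchange itself ships in these folders date from installation and fall outside the look-back window, so anything that appears is worth a manual look even if no suspicious string matched; attackers routinely obfuscate the shell body, so the string match is a hint, not a verdict.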