
Ransomware operators are piling on already hacked Exchange servers

A stylized ransom note asks for bitcoin in exchange for stolen data.

Microsoft Exchange servers compromised in a first round of attacks are being infected a second time by a ransomware gang trying to profit from a rash of exploits that has ensnared organizations around the world.

The ransomware, known as Black Kingdom, DEMON and DemonWare, demands $10,000 to recover encrypted data, security researchers said. The malware is installed on Exchange servers that were previously infected by attackers exploiting a critical vulnerability in Microsoft’s e-mail program. The attacks started while the vulnerability was still a zero-day. Even after Microsoft issued an emergency patch, as many as 100,000 servers that did not install it in time became infected.

Banking on opportunity

The hackers behind the first round of attacks installed a web shell that allowed anyone who knew its URL to take full control of the compromised server. Black Kingdom was discovered last week by security firm SpearTip. Marcus Hutchins, a security researcher at security firm Kryptos Logic, reported on Sunday that the malware did not actually encrypt files.

On Tuesday morning, Microsoft Threat Intelligence Analyst Kevin Beaumont reported that a Black Kingdom attack “actually encrypts files.”

Security firm Arete also reported Black Kingdom attacks on Monday.

Black Kingdom was first spotted in June last year by the security company RedTeam. That ransomware targeted servers that had not patched a critical vulnerability in Pulse VPN software. Black Kingdom also made an appearance at the beginning of last year.

Brett Callow, a security analyst at Emsisoft, said it was not clear why one of the latest Black Kingdom attacks failed to encrypt data.

“The original version encrypted files, while a subsequent version just renamed them,” he wrote in an email. “Whether both versions are used at the same time is not clear. It is also not clear why they changed their code – perhaps because the process of renaming (false encryption) would not be detected or blocked by security products?”

He added that one version of the ransomware uses an encryption method that in many cases makes it possible to recover data without paying a ransom. He asked that the method not be detailed, to prevent the ransomware operators from fixing the error.
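The distinction Hutchins and Callow draw, between files that were really encrypted and files that were only renamed, is the first thing an incident responder wants to establish, because renamed files are recoverable by simply restoring the original name. The following triage script is an added example and is not part of the article or of any researcher's tooling. It assumes the ransomware appends an extension (the article does not name Black Kingdom's extension, so a placeholder is used) and works on a constructed set of sample files: a file whose header still matches its original type, or whose body is still readable text, is reported as renamed only; a file whose content is near-random is reported as encrypted.

```python
import math
import random
from collections import Counter

# Placeholder extension; the article does not give the one Black Kingdom appends.
RANSOM_EXT = ".encrypted_placeholder"

# File-type signatures. Checking these first matters because compressed
# formats (zip/office, jpeg) have high entropy even when untouched.
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is perfectly random, ~4.5 is typical English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes):
    """Return (verdict, reason) for one file's content.

    Verdicts: 'renamed_only' (content intact), 'encrypted' (near-random
    content), 'unknown' (no signature, not text, but not random either).
    """
    head = data[:4096]
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return "renamed_only", f"header still identifies a {kind} file"
    if head and all(b in (9, 10, 13) or 32 <= b < 127 for b in head):
        return "renamed_only", "body is still readable text"
    ent = shannon_entropy(head)
    if ent > 7.5:
        return "encrypted", f"entropy {ent:.2f} bits/byte"
    return "unknown", f"entropy {ent:.2f} bits/byte"


def triage(files: dict):
    """Classify every file carrying the ransom extension; others are skipped."""
    return {name: classify(data)
            for name, data in files.items() if name.endswith(RANSOM_EXT)}


def count_recoverable(files: dict) -> int:
    """How many affected files can be restored by removing the extension."""
    return sum(1 for verdict, _ in triage(files).values()
               if verdict == "renamed_only")


# Constructed samples (not real victim data). The 'ledger' sample stands in
# for a genuinely encrypted file by using deterministic pseudo-random bytes.
_rng = random.Random(2021)
SAMPLES = {
    "report.pdf" + RANSOM_EXT: b"%PDF-1.4\n% constructed sample\n" + b"1 0 obj\n" * 100,
    "notes.txt" + RANSOM_EXT: b"Quarterly numbers, constructed sample text.\n" * 50,
    "ledger.xlsx" + RANSOM_EXT: bytes(_rng.getrandbits(8) for _ in range(4096)),
    "untouched.docx": b"PK\x03\x04",
}

if __name__ == "__main__":
    for name, (verdict, reason) in triage(SAMPLES).items():
        print(f"{name}: {verdict} ({reason})")
    print("recoverable by renaming:", count_recoverable(SAMPLES))
```

An "encrypted" verdict only says the content is no longer readable; whether a weak cipher or key handling makes recovery possible, as Callow suggests for one version, is a separate analysis that this script does not attempt.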

Patching isn’t enough

Neither Arete nor Beaumont said whether the Black Kingdom attacks affected servers that had not yet installed Microsoft’s emergency update, or whether the attackers simply took over poorly secured web shells previously installed by another group.

Two weeks ago, Microsoft reported that a separate strain of ransomware called DearCry had taken hold of servers that had been infected by Hafnium. Hafnium is the name the company gave to state-sponsored hackers in China who were the first to exploit ProxyLogon, the name given to a chain of exploits that gains full control over vulnerable Exchange servers.

However, security firm SpearTip said the ransomware was targeted at servers “after first exploiting available Microsoft vulnerabilities.” The group that installs the competing DearCry ransomware also has a backpack.

Black Kingdom arrives as the number of vulnerable servers in the United States drops to fewer than 10,000, according to Politico, which quoted a spokesman for the National Security Council. There were about 120,000 vulnerable systems earlier this month.

As the follow-on ransomware attacks underscore, updating servers is nowhere near a complete solution to the ongoing Exchange server crisis. Even when servers receive the security updates, they can still be infected with ransomware if a web shell left behind by an earlier intrusion remains in place.
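The point made above, and in the earlier description of the web shell that gave anyone with its URL control of the server, is that the update closes the door the attackers came through but does not remove what they left behind. The script below is an added example, not code from the article or from Microsoft, of the post-patch check a defender would run: it inventories `.aspx` pages under Exchange’s front-end directories, compares them against a known-good baseline, notes whether each unexpected page was written before or after the patch, and applies a few content heuristics. The Exchange paths, the patch date, the baseline and the file inventory are all constructed for the example.

```python
import re
from datetime import datetime, timezone

# Hypothetical date on which this server received Microsoft's emergency update.
PATCH_APPLIED = datetime(2021, 3, 10, tzinfo=timezone.utc)

# Typical Exchange front-end location; treated here as an assumption.
EXCH = r"C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy"
LEGIT_LOGON = EXCH + r"\owa\auth\logon.aspx"
ROGUE_OLD = EXCH + r"\owa\auth\placeholder_dropped_before_patch.aspx"
ROGUE_NEW = EXCH + r"\ecp\auth\placeholder_dropped_after_patch.aspx"

# Known-good pages. In a real hunt, build this from a clean install of the
# same Exchange build; here it is a constructed one-entry set.
BASELINE = {LEGIT_LOGON}

# Content heuristics. A legitimate page can match one of these; two or more
# in a page that is not in the baseline is worth a closer look.
INDICATORS = [
    ("server-side script block", re.compile(r'runat\s*=\s*"server"', re.I)),
    ("launches a process", re.compile(r"Process\.Start|cmd\.exe", re.I)),
    ("reads request-supplied input", re.compile(r"Request\s*[.\[]", re.I)),
]

# Constructed inventory: (path, last-write time, first bytes of content).
# The 'rogue' contents are inert placeholder text, not working pages.
INVENTORY = [
    (LEGIT_LOGON, datetime(2020, 12, 1, tzinfo=timezone.utc),
     '<%@ Page Language="C#" %><form runat="server">Sign in</form>'),
    (ROGUE_OLD, datetime(2021, 3, 3, tzinfo=timezone.utc),
     '<script runat="server">/* placeholder: runs cmd.exe with Request["x"] */</script>'),
    (ROGUE_NEW, datetime(2021, 3, 15, tzinfo=timezone.utc),
     '<script runat="server">/* placeholder */</script>'),
]


def hunt(inventory, baseline, patch_applied):
    """Return [(path, [reasons])] for .aspx pages that deserve review.

    Pages outside the baseline are always reported, tagged with whether they
    predate the patch (the update left them in place) or postdate it (someone
    still had write access afterwards). Content hits are added for any page.
    """
    findings = []
    for path, mtime, content in inventory:
        if not path.lower().endswith(".aspx"):
            continue
        reasons = []
        hits = [label for label, rx in INDICATORS if rx.search(content)]
        if path not in baseline:
            reasons.append("not in baseline")
            if mtime > patch_applied:
                reasons.append("written after patch")
            else:
                reasons.append("predates patch; update did not remove it")
        if len(hits) >= 2:
            reasons.append("suspicious content: " + ", ".join(hits))
        if reasons:
            findings.append((path, reasons))
    return findings


if __name__ == "__main__":
    for path, reasons in hunt(INVENTORY, BASELINE, PATCH_APPLIED):
        print(path)
        for r in reasons:
            print("   -", r)
```

The baseline comparison is the part that matters most: a page dropped before the update looks no different after it, so only a diff against a known-good file set, or against the server’s own pre-incident inventory, reveals it. Content heuristics catch the obvious cases but are easy to evade, so a hit on "not in baseline" alone should already trigger review.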

Microsoft encourages affected organizations that lack experienced security staff to run its one-click mitigation script.
