(Image credit: https://www.bleepstatic.com/images/news/ransomware/b/blackkingdom/blackkingdom-ransom-note.jpg)
A threat actor has been targeting vulnerable Microsoft Exchange servers with a ransomware known as "Black Kingdom." This is only one of the few attacks seen targeting the Exchange servers that were first exploited by a group known as Hafnium.
The attackers use a vulnerability known as "ProxyLogon" to gain initial access to the network. From there they steal data they deem important, such as financial records, employee information and credential databases, by uploading it to a remote server.
The attackers also move across the network, infecting and stealing data from as many machines as possible.
Once all the machines have been infected and encrypted, a message appears demanding that $10,000 USD in Bitcoin be sent to the attackers in order to unlock the files. In an attempt to persuade the victims, the attackers will even offer to decrypt one or two files that the victim sends.
Of course, it is best never to pay the attackers this ransom: paying shows that you are willing to pay ransoms, which makes you a target for future attacks, and there is zero guarantee that you will ever get your files back.
As of March 24th 2021, one person has paid the attackers the $10,000 ransom.
This is not the first time attackers have used the Black Kingdom ransomware. In June of 2020, Black Kingdom was used in an attack targeting a popular VPN software called Pulse VPN.
Black Kingdom also isn't the first ransomware to target vulnerable Exchange servers: a ransomware called "DearCry" was seen hitting victims in a similar fashion, with that attacker demanding $16,000 in Bitcoin for the release of the encrypted files.
Firestorm Cyber protects companies and organizations from ransomware threats like this one by providing advanced security and endpoint protection to stop attackers from spreading malware across your network. We also perform vulnerability scans and penetration tests to find flaws in your network and patch them so that no attackers can compromise your machines. If you want to take the next steps to protect your organization, contact us.