After the public disclosure of the ProxyLogon vulnerabilities, multiple threat actors started targeting vulnerable Microsoft Exchange servers exposed online. The first ransomware to exploit these issues in attacks in the wild was DearCry.
The latest crew to exploit the recently disclosed flaws in Microsoft Exchange servers is a ransomware gang named Black Kingdom.
Black Kingdom ransomware was first spotted in late February 2020 by security researcher GrujaRS. The ransomware encrypts files and appends the .DEMON extension to the filenames of the encrypted documents. In June 2020, Black Kingdom ransomware operators started targeting organizations running unpatched Pulse Secure VPN software to deploy their malware.
Now the group, leveraging the public availability of ProxyLogon PoC exploit code, has expanded its operations to target vulnerable Exchange mail servers.
The popular researcher Marcus Hutchins first reported the activity of the Black Kingdom group.
The expert pointed out that the ransomware gang was dropping a ransom note on vulnerable installs demanding a payment of $10,000 worth of Bitcoin, but, for unknown reasons, the files were not being encrypted. Unfortunately, according to security experts, the group has now fixed its problems and is able to encrypt the files on compromised Exchange servers.
(SecurityAffairs – hacking, Microsoft Exchange)