After the public disclosure of ProxyLogon vulnerabilities, multiple threat actors started targeting vulnerable Microsoft Exchange servers exposed online. The first ransomware gang exploiting the above issues in attacks in the wild was a group tracked as DearCry.
Last crew in order of time exploiting recently disclosed flaws in Microsoft Exchange servers is a ransomware gang named Black Kingdom.
Black Kingdom ransomware was first spotted in late February 2020 by security researcher GrujaRS, the ransomware encrypts files and appends the .DEMON extension to filenames of the encrypted documents. In June 2020, Black Kingdom ransomware operators started targeting organizations using unpatched Pulse Secure VPN software to deploy their malware.
Now the group, leveraging the availability online for the ProxyLogon PoC exploit code, expanded its operations targeting vulnerable Exchange mail servers.
The popular researchers Marcus Hutchins first reported the activity of the Black Kingdom group.
The expert pointed out that the ransomware gang was dropping a ransom note on vulnerable installs demanding a payment of $10,000 worth of Bitcoin, but for unknown reasons, the files were not encrypted. Unfortunately, according to security experts, the group now fixed its problems and is able to encrypt the files on compromised Exchange servers.
If you want to receive the weekly Security Affairs Newsletter for free subscribe here.
(SecurityAffairs – hacking, Microsoft Exchange)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.