Another ransomware operation, known as Black Kingdom, is exploiting the Microsoft Exchange Server ProxyLogon vulnerabilities to encrypt servers. Over the weekend, security researcher Marcus Hutchins, also known as MalwareTechBlog, wrote on Twitter that threat actors were breaching Microsoft Exchange servers through the ProxyLogon vulnerabilities to deploy ransomware.
Based on logs from his honeypots, Hutchins reported that the attackers exploited the vulnerabilities to run a PowerShell script that downloads the ransomware executable from «Yuuuuu44[.]com» and then pushes it to other computers on the network.
Based on submissions to the ID Ransomware site, victims' devices were encrypted as part of the Black Kingdom campaign, with the first submissions appearing on March 18th.
Michael Gillespie, creator of ID Ransomware, told BleepingComputer that his system has seen more than 30 unique submissions, many of which came directly from mail servers.
The victims are in Greece, the USA, Canada, Austria, Switzerland, Russia, France, Israel, the United Kingdom, Italy, Germany, Australia and Croatia.
When encrypting a device, the ransomware encrypts files, gives them random extensions, and then drops a ransom note named decrypt_file.TxT. Hutchins pointed out that he saw a different ransom note, named ReadMe.txt, with different text.
BleepingComputer has seen ransom notes demanding $10,000 in Bitcoin and using the same Bitcoin address (1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT) for payment. This Bitcoin address received only one payment, on March 18.
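For incident responders checking an Exchange host or file share for the encryption behaviour described above, the following Python script is an added example (not code from the article or from any of the researchers it quotes). It walks a directory tree, flags the ransom-note filenames the article reports (decrypt_file.TxT and ReadMe.txt, matched case-insensitively), flags directories holding clusters of files with random-looking extensions, and checks whether a found note contains the Bitcoin address quoted by BleepingComputer. The "random-looking extension" heuristic, the thresholds, and the sample directory tree it builds are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile
from collections import Counter

# Ransom-note filenames reported in the article (compared case-insensitively).
RANSOM_NOTE_NAMES = {"decrypt_file.txt", "readme.txt"}
# Bitcoin address BleepingComputer saw in the ransom notes.
KNOWN_BTC_ADDRESS = "1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT"

# Assumption: extensions that are normal on a mail server or file share and
# should never be counted as "random". Extend for your own environment.
COMMON_EXTENSIONS = {
    "txt", "log", "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
    "eml", "msg", "edb", "chk", "ps1", "exe", "dll", "config", "xml",
    "json", "html", "htm", "css", "js", "png", "jpg", "jpeg", "gif", "zip",
}

# Assumption: a random extension is 4-12 alphanumerics containing both letters
# and digits, which matches the look of typical generated suffixes.
RANDOM_EXT_RE = re.compile(r"^(?=.*[A-Za-z])(?=.*[0-9])[A-Za-z0-9]{4,12}$")

# Heuristic thresholds (assumptions): a directory is suspicious when at least
# MIN_FILES files carry at least MIN_DISTINCT distinct random-looking extensions.
MIN_FILES = 5
MIN_DISTINCT = 3


def looks_random_extension(ext):
    """Return True if the extension (without the dot) looks generated."""
    return ext.lower() not in COMMON_EXTENSIONS and bool(RANDOM_EXT_RE.match(ext))


def scan_tree(root):
    """Walk `root` and report ransom notes and directories with random extensions."""
    findings = {"ransom_notes": [], "suspicious_dirs": {}}
    for dirpath, _, filenames in os.walk(root):
        ext_counter = Counter()
        for name in filenames:
            if name.lower() in RANSOM_NOTE_NAMES:
                findings["ransom_notes"].append(os.path.join(dirpath, name))
                continue
            ext = name.rsplit(".", 1)[-1] if "." in name else ""
            if looks_random_extension(ext):
                ext_counter[ext] += 1
        total = sum(ext_counter.values())
        if total >= MIN_FILES and len(ext_counter) >= MIN_DISTINCT:
            findings["suspicious_dirs"][dirpath] = total
    return findings


def note_mentions_known_address(note_path):
    """True if the ransom note contains the Bitcoin address from the article."""
    with open(note_path, "r", errors="ignore") as handle:
        return KNOWN_BTC_ADDRESS in handle.read()


def build_sample_tree():
    """Construct a throwaway directory tree for the demo (constructed data).

    One directory holds ordinary documents; the other mimics an encrypted
    directory with random-looking extensions and a decrypt_file.TxT note.
    """
    root = tempfile.mkdtemp(prefix="blackkingdom_demo_")
    clean_dir = os.path.join(root, "clean")
    os.makedirs(clean_dir)
    for i in range(6):
        open(os.path.join(clean_dir, f"report{i}.docx"), "w").close()

    hit_dir = os.path.join(root, "hit")
    os.makedirs(hit_dir)
    # Fixed, constructed "random" suffixes so the demo is deterministic.
    suffixes = ["a8Kq2z", "m3Xp7v", "q1Rt9b", "z6Lw4n", "k2Pe8y", "b5Hc3j"]
    for i, suffix in enumerate(suffixes):
        open(os.path.join(hit_dir, f"invoice{i}.pdf.{suffix}"), "w").close()
    with open(os.path.join(hit_dir, "decrypt_file.TxT"), "w") as handle:
        handle.write("constructed sample note; pay to " + KNOWN_BTC_ADDRESS + "\n")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    result = scan_tree(demo_root)
    for note in result["ransom_notes"]:
        print("ransom note:", note, "known address:", note_mentions_known_address(note))
    for directory, count in result["suspicious_dirs"].items():
        print("suspicious directory:", directory, "random-extension files:", count)
```

Run it against a real path by calling scan_tree("D:\\") or similar; the suspicious-directory heuristic deliberately requires several distinct random suffixes in one directory so that a single oddly named file does not trigger it.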
Another ransomware known as BlackKingdom was used in attacks in June 2020, when attackers broke into corporate networks by exploiting vulnerabilities in the Pulse VPN.
Although it has not yet been confirmed whether the recent attacks and those from the summer of 2020 use the same ransomware, Hutchins said the current ransomware executable is a Python script compiled into a Windows executable. The Black Kingdom ransomware from June 2020 was also written in Python.
In the wake of the recent Black Kingdom attacks, cybersecurity company Emsisoft may be able to help victims recover their files.
Black Kingdom is the second confirmed ransomware to target Microsoft Exchange ProxyLogon vulnerabilities. The first was DearCry ransomware, which was used in a limited number of attacks earlier this month.
Recently, Acer, the world's sixth-largest electronics maker, was attacked with REvil ransomware in an intrusion believed to have started by exploiting the ProxyLogon vulnerabilities. However, this has not been confirmed so far.
Source of information: bleepingcomputer.com