'Black Kingdom' ransomware impacting Exchange servers

Both ransomware and scareware variants of Black Kingdom have been reported in attacks against vulnerable Exchange servers, but the reason for this remains unclear.

Another ransomware variant has been detected in attacks against Microsoft Exchange servers.

A ransomware variant called "Black Kingdom" was observed in recent days in targeted attacks against on-premises Exchange servers still exposed to the ProxyLogon vulnerability. In addition to being the latest cyber attack hitting Microsoft Exchange Server users in an ever-evolving threat, this instance of Black Kingdom is notable for apparently having both ransomware and scareware elements.

Researcher Marcus Hutchins, also known as "MalwareTech," tweeted about Black Kingdom in a Twitter thread on Sunday, reporting that an unnamed threat actor ran a script "on all vulnerable Exchange servers" that didn't actually encrypt files. Instead, it dropped a ransom note in every directory demanding $10,000 in bitcoin, which was likely intended to scare users into believing their data had been encrypted and stolen.

Hutchins added that the attacker attempted to attack his system with actual ransomware a few days later, but it failed. It's unclear why the Black Kingdom ransomware failed to execute, but Hutchins told SearchSecurity through Twitter direct message that "the malware is overall extremely poorly coded." He added that while the scareware and ransomware payloads are separate, they are being deployed by the same threat actor.

"Black Kingdom switching from actual ransomware to scareware which claims your files were uploaded would suggest the ransomware wasn't working well. The bitcoin address appears to be static, and so far they've received only 1 payment in 3 days," Hutchins wrote.

Microsoft senior threat intelligence analyst Kevin Beaumont said in a Twitter thread Tuesday that based on his experience, the ransomware "does indeed encrypt files."

Arete, an incident response vendor based in West Palm Beach, Fla., also observed Black Kingdom ransomware infections on vulnerable Exchange servers. In a blog post Wednesday, Steve Ramey, director of incident response at Arete, wrote that the ransom note from Black Kingdom attackers threatened to expose stolen data on social media and news sites if victims decline to pay.

A version of Black Kingdom was first discovered in 2020 exploiting a vulnerability in Pulse Secure's VPN software. Like the ransomware reported in Hutchins' thread, the primary ransom demand was for $10,000 in bitcoin. However, that campaign was not reported to have functional issues like this new one. As such, it's unclear whether the operators or code are the same.

Black Kingdom is not the first ransomware to hit on-premises Exchange servers impacted by ProxyLogon and three other related vulnerabilities, which were disclosed and patched on March 2. DearCry, a newly discovered ransomware family, was found in attacks earlier this month.

While it is still unclear whether Black Kingdom is impacting patched Exchange servers, recent reports claim that there are tens of thousands of unpatched servers remaining. On March 14, threat intelligence vendor RiskIQ found 69,548 Microsoft Exchange servers still unpatched. And on Friday, RiskIQ tweeted that the number had fallen to 53,130.

Alexander Culafi is a writer, journalist and podcaster based in Boston.