Black Kingdom ransomware foiled through Mega password change

Black Kingdom ransomware, which was detected in recent ProxyLogon attacks against Microsoft Exchange servers was, at least temporarily, foiled through a simple password change.

Brett Callow, Emsisoft threat analyst, told SearchSecurity that Black Kingdom was designed to generate and upload encryption keys to Mega, a cloud storage service. However, he added, if the ransomware is unable to reach Mega, it defaults to a static, local key. At some point during recent attacks, Black Kingdom seemingly failed to encrypt targeted systems, and in some cases defaulted to the static key.

"Somebody has changed the password to the Mega account, which means the ransomware cannot reach it and reverts to using the hardcoded key, which means we may be able to help people recover their data because we have the hardcoded key," Callow said.

Though it's unclear when exactly the password was changed, Callow told SearchSecurity about the change on Monday morning (SearchSecurity agreed to not publish the information immediately in order to not alert Black Kingdom threat actors that the ransomware had been disrupted).

Mark Loman, Sophos director of engineering for next-gen technologies, wrote a blog post Tuesday on the ransomware that mentioned its inner workings with Mega. Loman told SearchSecurity that because there's a static key encryptor, it can also be decrypted with that static key. He also confirmed that the ransomware is unable to connect to Mega.

"At the moment, the ransomware cannot connect to Mega, because I tried the username and password. So that means that if there are victims hit by Black Kingdom ransomware at the moment, they're either attacked by a different, new version that has a different username or credentials or you can decrypt with a static key, but you still need a decryptor," he said.

Callow explained in an email Thursday that this is still the case, and that the current version of Black Kingdom is scareware; early reports of Black Kingdom from threat researchers characterized the ransomware as scareware that didn't actually encrypt systems, though Loman noted in his blog post that at least one victim has apparently paid the ransom demand.

Callow said this could mean the threat actors have given up on making Black Kingdom a straightforward ransomware campaign. "[The attackers] could've encountered technical or other problems so they decided to convert it to scareware in the hope of still being able to make some bucks."

Loman said that this is the first time that he's seen Mega used to store encryption keys, and normally ransomware uses a public/private RSA scheme. He added that file storage services like Mega and Dropbox are typically used in the data exfiltration process by larger ransomware groups as the services aren't usually blocked by firewalls.

Mega was started by Megaupload founder Kim Dotcom in 2013 after Megaupload was seized by the U.S. Department of Justice the previous year over piracy and copyright infringement allegations; Dotcom severed ties with Mega in 2015.

Loman stated that the Black Kingdom key storage doesn't represent an ethical issue with Mega, as there would be no way for the site to feasibly make an immediate detection.

In an email, Mega executive chairman Stephen Hall told SearchSecurity, "We don't record what specific ransomware may have resulted in a reported upload to Mega. We just close the uploader's account immediately to prevent further dissemination of the hacked data."

Black Kingdom was the most recent threat to vulnerable Microsoft Exchange servers, as the fallout from four zero-day vulnerabilities disclosed earlier this month continues to expand. On Tuesday, threat intelligence vendor Kryptos Logic reported 100,000 active web shells during its ProxyLogon scans.

Alexander Culafi is a writer, journalist and podcaster based in Boston.