Black Kingdom and Microsoft Exchange Attacks

What’s going on?

• The ransomware has been attempting to execute PowerShell scripts to deploy the ransomware into a network. 
• The campaign has managed to encrypt quite a few target devices, with the first one reported on March 18. 
• Its victims are spread across the U.S., Germany, Croatia, Russia, France, the U.K, Greece, Austria, Canada, Switzerland, Israel, and Australia. 

More attacks on Exchange servers

• The flaws were also abused by Lemon_Duck, a cryptomining botnet.  
• Just a day after Microsoft released the patches, APT27, LuckyMouse, Winnti Group, and Calypso threat actors started scanning for vulnerable servers and compromising those. 
• REvil has also abused ProxyLogon, which was clear by the recent attack on Acer. The ransomware gang had demanded a ransom of $50 million. 

More Black Kingdom?

• Last year June, a ransomware variant that went by the name of Black Kingdom had attacked several organizations by exploiting Pulse VPN vulnerabilities. 
• Note that both the ransomware are written in Python, compiled in a Windows executable, and found to employ similar tactics.
• Nevertheless, their differences lie in ransom notes and Bitcoin address wallets. 
• The differences are trivial and experts have reason to believe that both the variants are disseminated by the same gang. 
• Although out-and-out proof is still lacking, the campaigns are suspected to be connected.

The bottom line