We are already aware of the raging blizzard caused by the constant attacks on Microsoft Exchange servers. Now, another threat actor has jumped onto the Exchange express to profit from it.

What’s going on?

The Black Kingdom ransomware has been spotted exploiting the ProxyLogon flaws. 
  • The operators attempt to execute PowerShell scripts that deploy the ransomware into the compromised network. 
  • The campaign has managed to encrypt quite a few target devices, with the first one reported on March 18. 
  • Its victims are spread across the U.S., Germany, Croatia, Russia, France, the U.K., Greece, Austria, Canada, Switzerland, Israel, and Australia. 

More attacks on Exchange servers

The first ransomware to exploit the ProxyLogon vulnerabilities was a strain called DearCry.
  • The flaws were also abused by Lemon_Duck, a cryptomining botnet.  
  • Just a day after Microsoft released the patches, the APT27, LuckyMouse, Winnti Group, and Calypso threat actors started scanning for vulnerable servers and compromising them. 
  • REvil has also abused ProxyLogon, as shown by the recent attack on Acer, for which the ransomware gang demanded a ransom of $50 million. 

More Black Kingdom?

  • In June last year, a ransomware variant that went by the name Black Kingdom attacked several organizations by exploiting Pulse VPN vulnerabilities.
  • Note that both ransomware variants are written in Python, compiled into a Windows executable, and found to employ similar tactics.
  • Their differences lie in the ransom notes and the Bitcoin wallet addresses. 
  • These differences are trivial, and experts have reason to believe that both variants are disseminated by the same gang. 
  • Although conclusive proof is still lacking, the campaigns are suspected to be connected.

The bottom line

Although Black Kingdom is not at the level of its more notorious counterparts, it has proved itself to be a potent threat to organizations and the cyber world in general. It is safe to assume that more ransomware operators will jump on the ProxyLogon bandwagon; thus, patching your Exchange servers and thoroughly investigating your networks for signs of compromise remains your best bet at surviving.
Cyware Publisher