Ransomware operators pile on already hacked Exchange servers

A stylized ransom letter asks for bitcoin in exchange for stolen data.

Microsoft Exchange servers that were compromised in the first round of attacks are being infected a second time by a ransomware gang trying to capitalize on the wave of attacks plaguing organizations around the world.

The ransomware, known as Black Kingdom, DEMON and DemonWare, is demanding $10,000 for the recovery of encrypted data, security investigators said. The malware is installed on Exchange servers that were previously infected by attackers exploiting a critical vulnerability in the Microsoft e-mail program. The attacks started while the vulnerability was still a zero-day. Even after Microsoft released an emergency fix, as many as 100,000 servers that did not install it in time were infected.

Opportunity knocks

The hackers behind the attacks installed a web shell that allowed anyone who knew the URL to take complete control of the servers they had compromised. Black Kingdom was spotted by security firm SpearTip last week. Marcus Hutchins, a security researcher at security firm Kryptos Logic, reported Sunday that the malware did not actually encrypt files.

On Tuesday morning, Microsoft analyst Kevin Beaumont reported that a Black Kingdom attack “is indeed encrypting files.”

Security firm Arete also reported the Black Kingdom attacks on Monday.

Black Kingdom was spotted last June by security firm RedTeam. At the time, the ransomware took over servers that had not patched a critical vulnerability in Pulse VPN software. Black Kingdom also appeared at the beginning of last year.

Brett Callow, a security analyst at Emsisoft, said it was not clear why one of the recent Black Kingdom attacks had failed to encrypt data.

“The original version encrypted files, while a subsequent version simply renamed them,” he wrote in an email. “Whether both versions operate simultaneously is not clear. It is also not clear why they changed their code – perhaps because the renaming process (fake encryption) would not be detected or blocked by security products?”

He added that one version of the ransomware uses an encryption method that in many cases allows the data to be recovered without paying a ransom. He asked that the method not be described, to prevent the ransomware's operators from correcting the error.
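Callow's distinction between a version that encrypts and one that merely renames is something a responder can check directly on the affected files. The Python triage routine below is an added example, not code from the article or from any of the firms it quotes: it looks at the first bytes of a file carrying a ransom extension and reports whether a known document header is still present (the file was only renamed) or the content is near-random (likely encrypted). The `.locked` extension and the sample files are constructed placeholders, not Black Kingdom artifacts.

```python
import math
import os
import random
from collections import Counter
from typing import Dict, Optional

# Magic numbers of common document formats. A file whose first bytes still match
# one of these has been renamed, not encrypted: its contents are intact.
KNOWN_MAGIC: Dict[bytes, str] = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office-xml",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole/legacy-office",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\x1f\x8b": "gzip",
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_magic(data: bytes) -> Optional[str]:
    """Return the format name whose header the data starts with, or None."""
    for magic, kind in KNOWN_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def triage(data: bytes, sample_size: int = 4096, high_entropy: float = 7.2) -> dict:
    """Classify a file that carries a ransom-note extension.

    renamed_only:     the original header is present, or the body is low-entropy
                      readable data, so the file was merely renamed.
    likely_encrypted: no known header and near-random bytes.
    """
    head = data[:sample_size]
    kind = detect_magic(head)
    entropy = shannon_entropy(head)
    if kind is not None or entropy < high_entropy:
        verdict = "renamed_only"
    else:
        verdict = "likely_encrypted"
    return {"format": kind, "entropy": round(entropy, 2), "verdict": verdict}


def triage_tree(root: str, suffix: str) -> Dict[str, dict]:
    """Apply triage() to every file under root whose name ends with suffix."""
    results: Dict[str, dict] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(suffix):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    results[path] = triage(fh.read(4096))
    return results


# Constructed samples; ".locked" is a placeholder extension, not the ransomware's real one.
_rng = random.Random(2021)
SAMPLES: Dict[str, bytes] = {
    "report.pdf.locked": b"%PDF-1.7\n" + b"1 0 obj << /Type /Catalog >> endobj\n" * 100,
    "notes.txt.locked": b"Quarterly figures, draft three. Do not circulate.\n" * 100,
    # Seeded pseudo-random bytes stand in for ciphertext produced by a real encryptor.
    "ledger.xlsx.locked": bytes(_rng.getrandbits(8) for _ in range(4096)),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, triage(data))
```

Two caveats apply when running this over a real share: a high-entropy format whose header is not in `KNOWN_MAGIC` (an unlisted archive or an already-encrypted container) will read as encrypted, so extend the table for the formats your organization uses; and a verdict of "renamed_only" means the bytes are intact, not that the malware has left the host, so it does not shorten the incident response.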

Patching isn't enough

Neither Arete nor Beaumont said whether the Black Kingdom attacks hit servers that had not yet installed Microsoft’s patches, or whether the attackers were simply taking over poorly secured web shells that another group had installed earlier.

Two weeks ago, Microsoft reported that a separate strain of ransomware called DearCry was seizing servers that had been infected by Hafnium. Hafnium is the name the company gives to state-sponsored hackers in China who were the first to use ProxyLogon, the name given to a chain of exploits that gives complete control over vulnerable Exchange servers.

However, security firm SpearTip said the ransomware hit servers “after the initial exploitation of the available Microsoft vulnerabilities.” The group that installs the competing DearCry ransomware has also been piggybacking on earlier compromises.

Black Kingdom is arriving as the number of vulnerable servers in the US has dropped to fewer than 10,000, according to Politico, which quoted a spokesman for the National Security Council. There were about 120,000 vulnerable systems earlier this month.

As the follow-on ransomware attacks highlight, patching servers is far from a complete solution to the ongoing Exchange server crisis. Even when servers receive the security updates, they can still be infected with ransomware if any web shells remain in place.
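Because a web shell left behind survives the patch, post-patch response has to include a sweep of the Exchange front-end directories for server-side script files that take request input and execute it, and for any such file written after the patch went in. The scanner below is an added example, not Microsoft's mitigation script or code from the article; the default directories and the `ExchangeInstallPath` environment variable are assumptions drawn from common Exchange layouts, and the sample files, paths and patch date are constructed.

```python
import os
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Iterator, List

# Directories where front-end web shells are commonly dropped. These defaults are
# assumptions about a typical Exchange layout; adjust them to your installation.
DEFAULT_ROOTS = [
    r"C:\inetpub\wwwroot\aspnet_client",
    os.path.join(
        os.environ.get("ExchangeInstallPath", r"C:\Program Files\Microsoft\Exchange Server\V15"),
        "FrontEnd", "HttpProxy", "owa", "auth",
    ),
]

# Content indicators. Each one alone is weak; assess() combines them into a verdict.
INDICATORS = {
    "request_param": re.compile(r"\bRequest\s*(\[|\.(Form|QueryString|Headers))", re.I),
    "process_exec": re.compile(r"Process\.Start|System\.Diagnostics\.Process", re.I),
    "dynamic_code": re.compile(r"\beval\s*\(|JScript\.Eval|Assembly\.Load|Activator\.CreateInstance", re.I),
    "large_base64": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}


@dataclass
class AspxFile:
    path: str
    text: str
    modified: datetime


@dataclass
class Finding:
    path: str
    hits: List[str]
    modified_after_patch: bool
    verdict: str  # "ok", "review" (new file since patch) or "suspicious" (shell indicators)


def indicator_hits(text: str) -> List[str]:
    """Names of every indicator pattern present in the file body."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def assess(f: AspxFile, patch_applied_at: datetime) -> Finding:
    hits = indicator_hits(f.text)
    after = f.modified > patch_applied_at
    takes_input = "request_param" in hits
    executes = "process_exec" in hits or "dynamic_code" in hits
    if (takes_input and executes) or "large_base64" in hits:
        verdict = "suspicious"
    elif after:
        verdict = "review"  # no indicators, but a script file appeared after patching
    else:
        verdict = "ok"
    return Finding(f.path, hits, after, verdict)


def iter_aspx_files(roots: Iterable[str]) -> Iterator[AspxFile]:
    """Walk the given roots and yield every server-side script file with its mtime."""
    for root in roots:
        for dirpath, _, names in os.walk(root):
            for name in names:
                if not name.lower().endswith((".aspx", ".ashx", ".asmx")):
                    continue
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "r", encoding="utf-8", errors="replace") as fh:
                        text = fh.read()
                    mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
                except OSError:
                    continue
                yield AspxFile(path, text, mtime)


def scan(files: Iterable[AspxFile], patch_applied_at: datetime) -> List[Finding]:
    """Return every file that needs a human look, in walk order."""
    return [a for a in (assess(f, patch_applied_at) for f in files) if a.verdict != "ok"]


# Constructed sample records standing in for a real directory walk.
PATCH_APPLIED_AT = datetime(2021, 3, 10, tzinfo=timezone.utc)  # constructed; use your own patch time
SAMPLE_FILES = [
    AspxFile(r"C:\Exchange\FrontEnd\HttpProxy\owa\auth\logon.aspx",
             '<%@ Page Language="C#" %><html><body>Sign in</body></html>',
             datetime(2020, 11, 1, tzinfo=timezone.utc)),
    AspxFile(r"C:\inetpub\wwwroot\aspnet_client\help.aspx",
             '<%@ Page Language="C#" %><% /* constructed, non-functional fragment */ '
             'var c = Request["cmd"]; System.Diagnostics.Process.Start(...); %>',
             datetime(2021, 3, 5, tzinfo=timezone.utc)),
    AspxFile(r"C:\Exchange\FrontEnd\HttpProxy\owa\auth\new.aspx",
             '<%@ Page Language="C#" %><html>placeholder</html>',
             datetime(2021, 3, 12, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    # On a real server: scan(iter_aspx_files(DEFAULT_ROOTS), PATCH_APPLIED_AT)
    for finding in scan(SAMPLE_FILES, PATCH_APPLIED_AT):
        print(finding.verdict, finding.path, finding.hits)
```

Treat "review" as a work queue rather than an alarm: legitimate files do get written during patching, and the `large_base64` indicator will fire on embedded images or resource blobs, so compare every flagged file against a known-good copy from an unaffected server before acting on it.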

Microsoft is urging affected organizations that lack experienced security staff to run this one-click mitigation script.
