Ransomware operators are accumulating hacked Exchange servers

A stylized ransom note asks for bitcoin in exchange for stolen data.

Microsoft Exchange servers compromised in a first round of attacks are being infected for the second time by a ransomware gang that is trying to profit from a series of exploits that have taken organizations around the world by surprise.

The ransomware – known as Black Kingdom, DEMON and DemonWare – is demanding $10,000 to recover encrypted data, security researchers said. The malware is being installed on Exchange servers that were previously infected by attackers who were exploiting a critical vulnerability in Microsoft’s email program. The attacks began while the vulnerability was still a zero-day. Even after Microsoft released an emergency patch, about 100,000 servers that did not install it in time were infected.

Opportunity knocks

The hackers behind these attacks installed a web shell that allowed anyone who knew the URL to completely control compromised servers. Black Kingdom was detected last week by security company SpearTip. Marcus Hutchins, security researcher at security firm Kryptos Logic, reported on Sunday that the malware didn’t really encrypt files.

On Tuesday morning, Microsoft threat intelligence analyst Kevin Beaumont reported that a Black Kingdom attack did “really encrypt files.”

Security firm Arete also reported on the Black Kingdom attacks on Monday.

Black Kingdom was first spotted last June by security company RedTeam. At the time, the ransomware was taking over servers that had failed to patch a critical vulnerability in the Pulse VPN software. Black Kingdom also appeared at the beginning of last year.

Brett Callow, a security analyst at Emsisoft, said it was unclear why one of Black Kingdom’s recent attacks failed to encrypt data.

“The initial version encrypted the files, while the subsequent version simply renamed them,” he wrote in an email. “Whether the two versions are being operated simultaneously is unclear. Nor is it clear why they changed their code – perhaps because the renaming process (fake encryption) would not be detected or blocked by security products?”

He added that a version of the ransomware uses an encryption method that, in many cases, allows data to be restored without paying a ransom. He asked that the method not be detailed to prevent ransomware operators from fixing the flaw.

Patching is not enough

Neither Arete nor Beaumont said whether the Black Kingdom attacks were hitting servers that had not yet installed Microsoft’s emergency patch or whether attackers were simply taking over poorly protected web shells previously installed by a different group.

Two weeks ago, Microsoft reported that a separate ransomware strain called DearCry was taking over servers that had been infected with Hafnium. Hafnium is the name the company gave to state-sponsored hackers in China who were the first to use ProxyLogon, a name given to a chain of exploits that gain full control over vulnerable Exchange servers.

Security firm SpearTip, however, said the ransomware targeted servers “after the initial exploitation of available Microsoft Exchange vulnerabilities”. The group that installed the competing DearCry ransomware likewise piggybacked on servers compromised in the earlier attacks.

Black Kingdom comes at a time when the number of vulnerable servers in the United States has dropped to fewer than 10,000, according to Politico, which quoted a spokesman for the National Security Council. There were about 120,000 vulnerable systems earlier this month.

As these follow-on ransomware attacks show, patching servers is nowhere near a complete solution to the ongoing Exchange server crisis. Even when servers receive the security updates, they can still be infected with ransomware if any web shells remain in place.

Microsoft is asking affected organizations that do not have an experienced security team to run this one-click mitigation script.
