Black Kingdom ransomware targets vulnerable Microsoft Exchange servers

A security researcher has warned of a ransomware operation that is targeting Microsoft Exchange servers which have not yet applied the patches for the critical ProxyLogon vulnerabilities.

In a message on Twitter, Marcus Hutchins, aka MalwareTechBlog, said that a threat actor claiming to be "Black Kingdom" ransomware is attempting to compromise vulnerable Microsoft Exchange servers through the ProxyLogon vulnerabilities in order to deploy ransomware.

“Someone just ran this script on all vulnerable Exchange servers via ProxyLogon vulnerability. It claims to be BlackKingdom "Ransomware", but it doesn't appear to encrypt files, just drops a ransom note to every directory,” Hutchins tweeted.

Based on the logs from Hutchins' honeypots, the attacker used the ProxyLogon vulnerability to execute a PowerShell script that downloads the ransomware executable from 'yuuuuu44[.]com' and then attempts to push it to other computers on the network.

“The executable is py2exe, and if run successfully looks like this. Seems to be total skidware and it's unclear how many systems it successfully ran on, if any,” the researcher said.

However, according to Michael Gillespie, creator of the ID Ransomware service, submissions to his system show that Black Kingdom successfully encrypted victims in the USA, Canada, Austria, Switzerland, Russia, France, Israel, the United Kingdom, Italy, Germany, Greece, Australia, and Croatia.

The ransomware appends a random extension to each encrypted file and drops a ransom note named decrypt_file.TxT or ReadMe.txt. The note demands $10,000 in Bitcoin to recover the encrypted files and provides a Bitcoin address for payment. To date, that address has received only one payment, on March 18, which has since been transferred to another address.
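As an added example (not code from the article, from Hutchins, or from Gillespie), the following Python script hunts for the two indicators the article gives: requests to yuuuuu44[.]com in web-proxy logs, and directories that contain a Black Kingdom ransom note alongside files renamed with random extensions. The log line format, the constructed sample files written to a temporary directory, the file-count and uniqueness thresholds, and the hostname-matching logic are all assumptions made for the example.

```python
"""Hunt for the Black Kingdom indicators named in the article.

Indicators taken from the article: download domain yuuuuu44[.]com and the
ransom-note file names decrypt_file.TxT / ReadMe.txt.  The log format,
thresholds and sample data below are assumptions for this example.
"""
import os
import re
import tempfile
from collections import Counter

DOWNLOAD_DOMAIN = "yuuuuu44.com"  # refanged form of yuuuuu44[.]com from the article
RANSOM_NOTE_NAMES = {"decrypt_file.txt", "readme.txt"}  # matched case-insensitively

# Constructed sample proxy log lines (assumed format: time client method url).
SAMPLE_LOG = """\
2021-03-21T10:01:02 10.0.0.5 GET http://update.microsoft.com/ok
2021-03-21T10:02:11 10.0.0.7 GET http://yuuuuu44.com/payload.exe
2021-03-21T10:03:40 10.0.0.7 GET https://YUUUUU44.COM/xx
2021-03-21T10:04:00 10.0.0.9 GET http://example.org/
"""

HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)


def flag_download_lines(log_text):
    """Return log lines whose URL host is exactly the download domain.

    Matching on the parsed host (not a substring search) avoids hits on
    unrelated hosts that merely contain the string."""
    hits = []
    for line in log_text.splitlines():
        m = HOST_RE.search(line)
        if m and m.group(1).lower().rstrip(".") == DOWNLOAD_DOMAIN:
            hits.append(line)
    return hits


def random_extension_ratio(filenames):
    """Fraction of files whose extension occurs only once in the directory.

    Black Kingdom gives every encrypted file its own random extension, so a
    mass-encrypted directory scores near 1.0; normal directories score low."""
    exts = [os.path.splitext(n)[1].lower() for n in filenames]
    exts = [e for e in exts if e]  # ignore extensionless files
    if not exts:
        return 0.0
    counts = Counter(exts)
    return sum(1 for e in exts if counts[e] == 1) / len(exts)


def scan_tree(root, min_files=5, ratio=0.8):
    """Walk a tree and report ransom notes and directories that look encrypted.

    A directory is 'likely encrypted' only when a note co-occurs with the
    random-extension pattern, because ReadMe.txt on its own is a common,
    legitimate file name."""
    notes, suspicious, likely = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        note_files = [f for f in files if f.lower() in RANSOM_NOTE_NAMES]
        notes.extend(os.path.join(dirpath, f) for f in note_files)
        others = [f for f in files if f.lower() not in RANSOM_NOTE_NAMES]
        if len(others) >= min_files and random_extension_ratio(others) >= ratio:
            suspicious.append(dirpath)
            if note_files:
                likely.append(dirpath)
    return {"notes": sorted(notes),
            "suspicious_dirs": sorted(suspicious),
            "likely_encrypted_dirs": sorted(likely)}


def _touch(path, text=""):
    with open(path, "w") as fh:
        fh.write(text)


def build_demo_tree():
    """Constructed sample tree: one 'encrypted' share and one untouched one."""
    root = tempfile.mkdtemp(prefix="bk_demo_")
    enc = os.path.join(root, "share", "finance")
    os.makedirs(enc)
    for i, ext in enumerate(["kx9q", "a1bb", "zzt0", "p0lm", "q7rr", "m3nn"]):
        _touch(os.path.join(enc, f"report{i}.xlsx.{ext}"))  # assumed random extensions
    _touch(os.path.join(enc, "decrypt_file.TxT"), "demo note")
    normal = os.path.join(root, "share", "hr")
    os.makedirs(normal)
    for i in range(6):
        _touch(os.path.join(normal, f"policy{i}.docx"))
    _touch(os.path.join(normal, "ReadMe.txt"), "legitimate readme")
    return root


if __name__ == "__main__":
    for line in flag_download_lines(SAMPLE_LOG):
        print("download indicator:", line)
    result = scan_tree(build_demo_tree())
    for key, values in result.items():
        print(key, values)
```

In the demo, the finance share is reported as likely encrypted (a note plus six files with unique extensions), while the HR share's ReadMe.txt shows up in the note list but does not escalate the directory. When running this against a real file server, tune `min_files` and `ratio` to the share's normal layout, and treat decrypt_file.TxT as a strong indicator on its own.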
