Microsoft Exchange servers compromised in a first round of attack find themselves infected a second time by a ransomware gang trying to capitalize on a wave of exploits that have flattened organizations around the world.
The ransomware – known as Black Kingdom, DEMON and DemonWare – demands $10,000 to restore encrypted data, security researchers said. The malware is installed on Exchange servers previously infected by attackers who exploited a critical vulnerability in Microsoft’s email program. Attacks started while the vulnerability was still a zero-day. Even after Microsoft released an emergency patch, as many as 100,000 servers that failed to install it in time were infected.
An opportunity presents itself
The hackers behind those attacks installed a web shell that allowed anyone who knew the URL to fully control the compromised servers. Black Kingdom was spotted last week by security firm SpearTip. Marcus Hutchins, a security researcher at security firm Kryptos Logic, reported Sunday that the malware did not actually encrypt files.
Someone just ran this script on all vulnerable Exchange servers via ProxyLogon vulnerability. It claims to be BlackKingdom “Ransomware”, but it doesn’t seem to encrypt files, it just drops ransom notes, not in every folder. pic.twitter.com/POYlPYGjsz
— Marcus Hutchins (@MalwareTechBlog) March 21, 2021
On Tuesday morning, Microsoft Threat Intelligence analyst Kevin Beaumont reported that a Black Kingdom attack did “indeed” encrypt files.
BlackKingdom ransomware on my personal servers. It does indeed encrypt files. They exclude c:\windows, but my storage drivers were in a different folder and it encrypted it…meaning the server won’t boot anymore. If you’re reading this, BlackKingdom, exclude *.sys files pic.twitter.com/nUVUJTbcGO
— Kevin Beaumont (@GossiTheDog) March 23, 2021
Security firm Arete also announced Black Kingdom attacks on Monday.
Black Kingdom was spotted by security firm RedTeam last June. The ransomware seized servers that failed to patch a critical vulnerability in the Pulse VPN software. Black Kingdom also made its appearance at the beginning of last year.
Brett Callow, a security analyst at Emsisoft, said it was not clear why one of the recent Black Kingdom attacks failed to encrypt the data.
“The first version encrypted files, while a subsequent version simply renamed them,” he wrote in an email. “It is not clear whether both versions are operated simultaneously. It’s also not clear why they changed their code – perhaps because the renaming (fake encryption) wouldn’t be detected or blocked by security products?”
He added that one version of the ransomware uses an encryption method that, in many cases, allows data to be recovered without paying a ransom. He asked that the method not be detailed, in order to prevent the ransomware operators from fixing the error.
Patching is not enough
Neither Arete nor Beaumont said whether Black Kingdom attacks hit servers that had yet to install Microsoft’s emergency patch or whether the attackers were simply taking over poorly secured web shells previously installed by another group.
Two weeks ago, Microsoft reported that a separate form of ransomware called DearCry seized servers infected by Hafnium. Hafnium is the name the company gave to state-sponsored hackers in China who were the first to use ProxyLogon, the name given to a series of exploits that take complete control of vulnerable Exchange servers.
However, security firm SpearTip said the ransomware targeted servers “after the first exploit of the available Microsoft Exchange vulnerabilities”. The group that installed the competing DearCry ransomware also participated.
Black Kingdom comes as the number of vulnerable servers in the US drops to less than 10,000, according to Politico, citing a National Security Council spokesman. Earlier this month, there were about 120,000 vulnerable systems.
As the subsequent ransomware attacks underscore, server patching is far from a complete solution to the ongoing Exchange server crisis. Even when servers receive the security updates, they can still be infected with ransomware if web shells are left behind.
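The point above, that a patched server stays exposed while an attacker's web shell remains on disk, is one that a defender can check for directly: compare the script-capable files under the web root against a hash manifest taken from a known-clean state, and treat any unknown or altered .aspx-style file as something to investigate. The following Python is an added example written for this article, not code from Microsoft, SpearTip or any of the researchers quoted; the directory names (owa/auth, aspnet_client), the file contents and the manifest format are all constructed stand-ins for an Exchange web root, and the functions are hypothetical helpers rather than any vendor's tool.

```python
"""Flag web-root files that are absent from, or differ from, a known-good manifest.

Added example (not from the article): a defender-side integrity check meant to
catch web shells that survive patching. Paths, file contents and the manifest
format are constructed for illustration.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Extensions the web server would execute; an unknown file with one of these
# under the web root is the classic footprint of a dropped web shell.
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp"}


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def relative_key(root: Path, path: Path) -> str:
    """Manifest key: path relative to the web root, with forward slashes."""
    return str(path.relative_to(root)).replace(os.sep, "/")


def build_manifest(root: Path) -> dict:
    """Record relative path -> sha256 for every file under root.

    Run this on a known-clean install (or a freshly patched, verified one) and
    store the result somewhere the web server account cannot write to.
    """
    return {relative_key(root, p): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def find_suspicious(root: Path, manifest: dict) -> dict:
    """Compare the live tree against the manifest.

    'unknown'  : script-capable files not in the manifest (likely dropped)
    'modified' : manifest files whose content changed (possibly backdoored)
    'missing'  : manifest files that are no longer present
    Non-script files that are simply new (logs, temp files) are ignored.
    """
    report = {"unknown": [], "modified": [], "missing": []}
    seen = set()
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        key = relative_key(root, path)
        seen.add(key)
        expected = manifest.get(key)
        if expected is None:
            if path.suffix.lower() in SCRIPT_EXTENSIONS:
                report["unknown"].append(key)
        elif sha256_of(path) != expected:
            report["modified"].append(key)
    report["missing"] = sorted(set(manifest) - seen)
    return report


def demo() -> dict:
    """Build a constructed web root, baseline it, then simulate a post-patch state."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "owa" / "auth").mkdir(parents=True)
        (root / "aspnet_client").mkdir()
        (root / "owa" / "auth" / "logon.aspx").write_text("<%-- constructed legitimate page --%>")
        (root / "aspnet_client" / "notes.txt").write_text("constructed baseline text file")
        manifest = build_manifest(root)

        # Later state: the patch is applied, but the tree now also contains a
        # dropped script file, a tampered legitimate page, a harmless new text
        # file and one baseline file that was deleted.
        (root / "aspnet_client" / "help.aspx").write_text("<%-- constructed unknown file --%>")
        (root / "owa" / "auth" / "logon.aspx").write_text("<%-- same page, altered --%>")
        (root / "owa" / "README.txt").write_text("new but non-executable")
        (root / "aspnet_client" / "notes.txt").unlink()
        return find_suspicious(root, manifest)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Running the script prints one line per category; in the constructed scenario the dropped help.aspx is reported as unknown, the altered logon.aspx as modified, the deleted notes.txt as missing, and the new README.txt is not reported because it cannot be executed by the web server. Keeping the manifest off the server matters as much as the check itself: a manifest the attacker can rewrite proves nothing.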
Microsoft urges affected organizations that do not have experienced security personnel to run this one-click mitigation script.