Microsoft Exchange servers are under attack once again

(Image credit: Pixabay)
Audio player loading…

Microsoft Exchange (opens in new tab) servers are once again under attack as a security researcher has discovered a new campaign known as “BlackKingdom” that leverages the ProxyLogon (opens in new tab) vulnerabilities to deploy ransomware (opens in new tab).

As reported by BleepingComputer (opens in new tab), security researcher Marcus Hutchins from MalwareTechBlog detailed his discovery in a recent series of tweets (opens in new tab), saying:

“Someone just ran this script on all vulnerable Exchange servers via ProxyLogon vulnerability. It claims to be BlackKingdom "Ransomware", but it doesn't appear to encrypt files, just drops a ransom note to every directory. According to my honeypot backlog, the same attacker ran the following script a few days prior, but it failed.”

While the attackers tried to push ransomware to Hutchins' honeypots (opens in new tab), they did not become encrypted which suggests that he witnessed a failed attack.


Although the attackers unsuccessfully tried to encrypt Hutchin's honeypots, submissions to the ransomware identification site ID Ransomware (opens in new tab) show that BlackKingdom was successfully able to encrypt other victim's devices in mid-March.

So far BlackKingdom has infected victims in the US, Canada, Austrai, Switzerland, Russia, France, Israel, the UK, Italy, Germany, Greece, Australia and Croatia.

When successfully deployed, the ransomware encrypts files using random extensions and then leaves a ransom note named decrypt_file.TxT. However, in his research, Hutchins found a different ransom note named ReadMe.txt which used text that is slightly different. Both ransom notes request that victims pay $10,000 in bitcoin (opens in new tab) to unencrypt their servers.

This isn't the first time that a ransomware known as BlackKingdom has been observed in the wild. Back in June of last year, another ransomware by the same name was used to compromise corporate networks by exploiting vulnerabilities in Pulse VPN (opens in new tab). Although it has yet to be confirmed, both versions of the BlackKingdom ransomware were written in Python (opens in new tab).

Another ransomware known as DearCry (opens in new tab) was also used to launch attacks against Microsoft Exchange servers by exploiting the ProxyLogon vulnerabilities earlier this month.

Via BleepingComputer (opens in new tab)

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.