Microsoft systems targeted by 'Black Kingdom' ransomware

Lock on Laptop Screen
(Image credit: Future)

Earlier this year Microsoft Exchange servers were targeted by cybercriminals who used a known vulnerability to infect them with the Black Kingdom ransomware.

Now the cybersecurity firm Kaspersky has released a new report which provides further insight into how this ransomware strain works along with new details on the cybercriminals behind it.

While the Black Kingdom ransomware first appeared back in 2019, it became widely known back in March of this year when it was used in a campaign that exploited the ProxyLogon vulnerability, tracked as CVE-2021-27065, in Microsoft Exchange. 

However, based on Kaspersky's analysis of the ransomware, it is an amateurish implementation with several mistakes and a critical encryption flaw that could allow anyone to decrypt the files affected by it using a hardcoded key.

Black Kingdom ransomware

Although the end of goal of any ransomware strain is to encrypt a system's files, the author of the Black Kingdom ransomware strain, which is coded in Python, decided to specify certain folders to be excluded from encryption.

The ransomware avoids encrypting the Windows, ProgramData, Program Files, Program Filex (x86), AppData/Roaming, AppData/LocalLow and AppData/Local files on a targeted system in order to avoid breaking it during encryption. However, the way in which the code that implements this functionality is written was a clear sign to Kaspersky that its creators may have been amateurs.

Ransowmare developers often end up making mistakes that can allow files to be decrypted easily or sometimes not at all. The Black Kingdom ransomware for instance tries to upload its encryption key to the cloud storage service Mega but if this fails, a hardcoded key is used to encrypt the files instead. If a system's files have been encrypted and it is unable to make a connection to Mega, it will then be possible to recover these encrypted files using a hardcoded key.

Another mistake made by Black Kingdom's creators and observed by Kaspersky's researchers is the fact that all of their ransomware notes contain several mistakes as well as the same Bitcoin address. Other ransomware families provide a unique address for each victim which makes it much more difficult to determine who created the malware they used in the first place.

The Black Kingdom ransomware is not being used by cybercriminals at the moment to launch attacks but organizations need to be ready for when it does reappear. For this reason, vulnerable organizations should take a closer look at Kapsersky's report and if they haven't yet, patch their Microsoft Exchange servers using the company's one-click tool to do so. 

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.