Microsoft Exchange servers are under attack once again
Cybercriminals are exploiting ProxyLogon vulnerabilities to deploy ransomware
Microsoft Exchange servers are once again under attack after a security researcher discovered a new campaign, known as "BlackKingdom", that leverages the ProxyLogon vulnerabilities to deploy ransomware.
As reported by BleepingComputer, security researcher Marcus Hutchins of MalwareTechBlog detailed his discovery in a recent series of tweets, saying:
“Someone just ran this script on all vulnerable Exchange servers via ProxyLogon vulnerability. It claims to be BlackKingdom “Ransomware”, but it doesn’t appear to encrypt files, just drops a ransom note to every directory. According to my honeypot backlog, the same attacker ran the following script a few days prior, but it failed.”
While the attackers tried to push ransomware to Hutchins' honeypots, the honeypots were not encrypted, which suggests that he witnessed a failed attack.
BlackKingdom
Although the attackers failed to encrypt Hutchins' honeypots, submissions to the ransomware identification site ID Ransomware show that BlackKingdom did successfully encrypt other victims' devices in mid-March.
So far BlackKingdom has infected victims in the US, Canada, Austria, Switzerland, Russia, France, Israel, the UK, Italy, Germany, Greece, Australia and Croatia.
When successfully deployed, the ransomware encrypts files, giving them random extensions, and then leaves a ransom note named decrypt_file.TxT. In his research, however, Hutchins found a different ransom note named ReadMe.txt whose text differs slightly. Both ransom notes demand that victims pay $10,000 in bitcoin to decrypt their servers.
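The two artefacts above, a ransom note dropped into every directory and encrypted files renamed with random extensions, are the practical indicators a responder can sweep a server volume for. The following script is an added example written for this article, not code from the original page, from Hutchins or from ID Ransomware. It walks a directory tree, flags the two note names the article reports (matched case-insensitively, since the observed note was spelled decrypt_file.TxT) and flags directories where most files carry an extension outside a baseline list. The baseline list, the 0.5 ratio threshold and the sample directory tree it builds for a stand-alone run are this example's own assumptions, not data from the article.

```python
#!/usr/bin/env python3
"""Sweep a volume for BlackKingdom-style ransomware artefacts.

Added example for this article, not code from the original page or from
Marcus Hutchins / ID Ransomware. The baseline extension list, the ratio
threshold and the constructed sample tree are assumptions for this example.
"""
import os
import tempfile
from dataclasses import dataclass, field

# Ransom-note file names reported in the article, matched case-insensitively
# because the note Hutchins observed was written as "decrypt_file.TxT".
RANSOM_NOTE_NAMES = {"decrypt_file.txt", "readme.txt"}

# Assumed baseline of extensions expected on the scanned volume; tune per host.
BASELINE_EXTENSIONS = {
    "txt", "log", "docx", "xlsx", "pptx", "pdf", "csv", "xml", "json",
    "config", "dll", "exe", "edb", "msg", "eml", "ps1", "bat", "zip",
}

# Assumed threshold: share of files with an off-baseline extension at which a
# directory is treated as mass-renamed. Directories holding fewer than
# MIN_FILES files are not judged on the ratio alone.
SUSPECT_RATIO = 0.5
MIN_FILES = 3


@dataclass
class DirReport:
    path: str
    ransom_notes: list = field(default_factory=list)
    total_files: int = 0              # files other than ransom notes
    odd_extension_files: list = field(default_factory=list)

    @property
    def odd_ratio(self) -> float:
        if self.total_files == 0:
            return 0.0
        return len(self.odd_extension_files) / self.total_files

    @property
    def mass_renamed(self) -> bool:
        return self.total_files >= MIN_FILES and self.odd_ratio >= SUSPECT_RATIO

    @property
    def severity(self) -> str:
        """high: note plus renamed files; medium: one signal; none: clean.
        A lone ReadMe.txt is a weak signal, so it never rates above medium."""
        if self.ransom_notes and self.mass_renamed:
            return "high"
        if self.ransom_notes or self.mass_renamed:
            return "medium"
        return "none"


def sweep(root: str) -> list:
    """Walk root and build one DirReport per directory."""
    reports = []
    for dirpath, _subdirs, files in os.walk(root):
        rep = DirReport(path=dirpath)
        for name in files:
            if name.lower() in RANSOM_NOTE_NAMES:
                rep.ransom_notes.append(name)
                continue
            rep.total_files += 1
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            if ext not in BASELINE_EXTENSIONS:
                rep.odd_extension_files.append(name)
        reports.append(rep)
    return reports


def findings(root: str) -> dict:
    """Map each suspect directory (relative to root) to its severity."""
    return {os.path.relpath(r.path, root): r.severity
            for r in sweep(root) if r.severity != "none"}


def build_sample_tree() -> str:
    """Constructed sample volume for a stand-alone run; not real victim data."""
    root = tempfile.mkdtemp(prefix="bk_sweep_")
    layout = {
        "clean":  ["budget.docx", "report.pdf", "notes.txt"],
        "hit":    ["decrypt_file.TxT", "budget.docx.k7xq2",
                   "payroll.xlsx.p9mzv", "plan.pdf.w3rq8", "notes.txt"],
        "readme": ["ReadMe.txt", "tool.exe", "tool.dll"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub))
        for n in names:
            with open(os.path.join(root, sub, n), "w") as fh:
                fh.write("sample\n")
    return root


if __name__ == "__main__":
    for path, sev in findings(build_sample_tree()).items():
        print(f"{sev:6s} {path}")
```

Run it against a mounted copy of the suspect volume rather than the live server, and treat a "medium" hit on ReadMe.txt alone as a triage lead, not a confirmation: that name is common on clean systems, which is why the script only rates a directory "high" when the note sits beside a run of files with off-baseline extensions.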
This isn't the first time that a ransomware known as BlackKingdom has been observed in the wild. Back in June of last year, another ransomware by the same name was used to compromise corporate networks by exploiting vulnerabilities in Pulse VPN. Although a link between the two has yet to be confirmed, both versions of the BlackKingdom ransomware were written in Python.
Another ransomware, known as DearCry, was also used to launch attacks against Microsoft Exchange servers by exploiting the ProxyLogon vulnerabilities earlier this month.
Via BleepingComputer
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.