Microsoft systems targeted by ‘Black Kingdom’ ransomware
Python-coded malware contains several amateur mistakes
When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.
Earlier this yearMicrosoft Exchange serverswere targeted by cybercriminals who used a known vulnerability to infect them with theBlack Kingdom ransomware.
Now the cybersecurity firmKasperskyhas released a new report which provides further insight into how this ransomware strain works along with new details on the cybercriminals behind it.
While the Black Kingdom ransomware first appeared back in 2019, it became widely known back in March of this year when it was used in a campaign that exploited theProxyLogonvulnerability, tracked as CVE-2021-27065, inMicrosoftExchange.
However, based on Kaspersky’s analysis of theransomware, it is an amateurish implementation with several mistakes and a critical encryption flaw that could allow anyone to decrypt the files affected by it using a hardcoded key.
Black Kingdom ransomware
Although the end of goal of any ransomware strain is to encrypt a system’s files, the author of the Black Kingdom ransomware strain, which is coded inPython, decided to specify certain folders to be excluded from encryption.
The ransomware avoids encrypting the Windows, ProgramData, Program Files, Program Filex (x86), AppData/Roaming, AppData/LocalLow and AppData/Local files on a targeted system in order to avoid breaking it during encryption. However, the way in which the code that implements this functionality is written was a clear sign to Kaspersky that its creators may have been amateurs.
Ransowmare developers often end up making mistakes that can allow files to be decrypted easily or sometimes not at all. The Black Kingdom ransomware for instance tries to upload its encryption key to thecloud storageserviceMegabut if this fails, a hardcoded key is used to encrypt the files instead. If a system’s files have been encrypted and it is unable to make a connection to Mega, it will then be possible to recover these encrypted files using a hardcoded key.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Another mistake made by Black Kingdom’s creators and observed by Kaspersky’s researchers is the fact that all of their ransomware notes contain several mistakes as well as the sameBitcoinaddress. Other ransomware families provide a unique address for each victim which makes it much more difficult to determine who created themalwarethey used in the first place.
The Black Kingdom ransomware is not being used by cybercriminals at the moment to launch attacks but organizations need to be ready for when it does reappear. For this reason, vulnerable organizations should take a closer look at Kapsersky’s report and if they haven’t yet, patch their Microsoft Exchange servers using the company’sone-click toolto do so.
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
3 reasons why PIA fell in our best VPN rankings
Nokia confirms data breach leaked third-party code, but its data is safe
A critical Palo Alto Networks bug is being hit by cyberattacks, so patch now
