June 11, 2023

Black Kingdom ransomware first appeared in 2019. It became widely known in March of this year, when it was used in a campaign that exploited the ProxyLogon vulnerability in Microsoft Exchange, tracked as CVE-2021-27065.

The Black Kingdom strain, which is written in Python, excludes certain folders from encryption. The ransomware skips the Windows, ProgramData, Program Files, Program Files (x86), AppData/Roaming, AppData/LocalLow and AppData/Local folders on a targeted system so that it does not break the system while encrypting it.

The implementation contains several mistakes, including a critical encryption flaw that could allow anyone to decrypt the affected files using a hardcoded key.

For instance, Black Kingdom tries to upload its encryption key to the cloud storage service Mega; if that upload fails, it falls back to a hardcoded key to encrypt the files. If a system's files were encrypted while the ransomware was unable to reach Mega, those files can be recovered using that hardcoded key.
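To make that key-management flaw concrete, here is an added illustration from the recovery side; it is not Black Kingdom's code, the page does not give the real cipher or constant, so the authenticated-encryption scheme is a stand-in built from the standard library and the key is a labelled placeholder. It shows that a file sealed under the fallback constant can be verified and recovered by anyone holding the binary's constant, while a file sealed under a per-victim key correctly fails the check.

```python
import hashlib
import hmac
import os

# Placeholder only: the real constant would be extracted from the sample.
HARDCODED_KEY = b"PLACEHOLDER-STATIC-KEY-FROM-BINARY"

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with SHA-256 (stand-in scheme)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; used here only to build constructed fixtures."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_with_key(key: bytes, blob: bytes):
    """Return the plaintext if the tag verifies under `key`, else None."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def recover_with_fallback_key(blob: bytes):
    """Recovery check: succeeds only for files sealed under the hardcoded key."""
    return open_with_key(HARDCODED_KEY, blob)


def demo():
    sample = b"constructed document contents"
    offline_path = seal(HARDCODED_KEY, sample)   # Mega upload failed
    online_path = seal(os.urandom(32), sample)   # per-victim key was uploaded
    return recover_with_fallback_key(offline_path), recover_with_fallback_key(online_path)
```

The authentication tag is what makes this a reliable triage signal: a verified tag means the file was encrypted on the fallback path, while a failed check means the per-victim key is needed.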

Another mistake is that the same Bitcoin address appears in every ransom note. Other ransomware families provide a unique address for each victim, which makes it much more difficult to determine who created the malware used in a given attack.

Black Kingdom is not currently being used by cybercriminals to launch attacks, but organizations need to be ready for when it reappears. Vulnerable organizations that have not yet patched their Microsoft Exchange servers should do so now.
