
Four zero-days appeared earlier in January, after which Microsoft released a one-click mitigation tool intended to reduce the impact of cyberattacks. According to Microsoft, nearly 92% of internet-facing Exchange servers have since been patched against the ProxyLogon vulnerabilities.

These attacks on Exchange servers were carried out by multiple Chinese-linked, state-sponsored hacking groups, and they created widespread alarm about infections: hackers could follow up with attacks such as ransomware, or hijack web shells already planted on unpatched Microsoft Exchange servers to deliver crypto miners and other malware.

What is Black Kingdom Ransomware?

Black Kingdom Ransomware, also known as GAmmAWare, encrypts data and then presents victims with ransom demands for decryption tools. Files affected by this ransomware are appended with a .DEMON extension, so a file named 1.jpg is renamed to “1.jpg.DEMON” once it has been encrypted by the hackers.

Once encryption is complete, victims receive a ransom message in a full-screen pop-up window. The same message is also written to “README.txt” files dropped into the compromised folders.

Earlier last week, @Malware said in a tweet:

“Someone just ran this script on all vulnerable Exchange servers via ProxyLogon vulnerability. It claims to be BlackKingdom “Ransomware”, but it doesn’t appear to encrypt files, just drops a ransom note to every directory.”
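The two indicators the article describes (a README.txt note dropped into every folder, and files renamed with a .DEMON extension) are enough for a first-pass triage script that also separates the note-only behaviour reported in the tweet from a real encryption run. The code below is an added example, not anything from the original post or from Sophos; the sample directory tree it walks is constructed inline.

```python
import os
import tempfile

RANSOM_NOTE = "README.txt"   # note file name stated in the article
ENCRYPTED_EXT = ".DEMON"     # extension stated in the article


def triage(root):
    """Walk a tree and count Black Kingdom indicators.

    Verdicts:
      'clean'      - no ransom notes and no .DEMON files
      'notes_only' - notes dropped but nothing renamed (the behaviour
                     @Malware reported for the ProxyLogon wave)
      'encrypted'  - .DEMON files present, i.e. data was actually renamed
    """
    notes, encrypted = 0, 0
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                notes += 1
            elif name.endswith(ENCRYPTED_EXT):
                encrypted += 1
    if encrypted:
        verdict = "encrypted"
    elif notes:
        verdict = "notes_only"
    else:
        verdict = "clean"
    return {"notes": notes, "encrypted": encrypted, "verdict": verdict}


def build_sample(root, encrypt):
    """Constructed sample tree (placeholder content, not real malware output)."""
    for sub in ("inetpub", "public"):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, RANSOM_NOTE), "w") as f:
            f.write("constructed ransom note placeholder\n")
        name = "1.jpg" + (ENCRYPTED_EXT if encrypt else "")
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"\x00" * 16)


def demo(encrypt):
    """Build a sample tree, triage it, and return the summary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample(root, encrypt)
        return triage(root)


if __name__ == "__main__":
    print(demo(False), demo(True))
```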


Mark Loman, director of engineering at Sophos, said:

“The Black Kingdom ransomware targeting unpatched Exchange servers has all the hallmarks of being created by a motivated script-kiddie. The encryption tools and techniques are imperfect but the ransom of $10,000 in bitcoin is low enough to be successful. Every threat should be taken seriously, even seemingly low-quality ones.”

Experts investigating ProxyLogon fear that the exploits are being shared or sold on the Dark Web. Their fears are justified given the sheer number of attacks carried out even before the public disclosure of ProxyLogon. It is also possible that the information was shared by a Microsoft partner through the Microsoft Active Protections Program (MAPP), which either leaked it unintentionally or knowingly passed it to other groups.
