
Microsoft found web shells deployed by Black Kingdom operators on almost 1,500 Exchange servers vulnerable to ProxyLogon attacks.

Malware analyst Marcus Hutchins first spotted Black Kingdom targeting Exchange servers over the weekend, after one of his ProxyLogon honeypots picked up the malicious activity.

“They started later than some other attackers, with many compromises occurring between March 18 and March 20, a window when fewer unpatched systems were available,” reported the Microsoft 365 Defender Threat Intelligence Team.

“These web shells were observed on around 1,500 systems, not all of which moved to the ransomware stage.”

“More than 30 Black Kingdom submissions coming instantly from impacted mail servers have been added to ransomware identification web site ID Ransomware beginning on March 18,” reported BleepingComputer.

The ransomware gang did not encrypt any data on Hutchins' honeypots. The ID Ransomware submissions, however, are all from successfully encrypted Exchange servers.

Black Kingdom ransomware victims are located in the US, France, Russia, Switzerland, Canada, Germany, Austria, Israel, the United Kingdom, Italy, Australia, Greece and Croatia.

BleepingComputer mentioned that Black Kingdom ransomware created a ransom note demanding $10,000 in bitcoins for a decryption key.

Black Kingdom ransom note; image @BleepingComputer

The ransomware gang warned victims that data was stolen before their devices were encrypted and would be leaked if the ransom was not paid.

“The note should be taken seriously if encountered, as the attackers had full access to systems and were likely able to exfiltrate data,” Microsoft added.
