Microsoft Exchange servers hit by Black Kingdom ransomware

At the beginning of March, a ProxyLogon vulnerability was discovered in Microsoft Exchange mail servers, allowing the execution of arbitrary code, and now hackers are using it to spread the Black Kingdom ransomware virus.

Computer security specialist Marcus Hutchins discovered that cybercriminals who gained access to servers through the ProxyLogon vulnerability use a PowerShell script to download the ransomware executable files and distribute them to other computers on the network. At the same time, in Hutchins' tests the sample did not encrypt anything; it only created ransom note files.

Perhaps Hutchins got hold of an early version of the malware, since, according to the ID Ransomware website, the first infections with Black Kingdom began on March 18 and the number of infections currently exceeds 30. Companies from various countries, including Russia, the USA, France, Israel and Germany, have been victims.

After infecting a computer, the ransomware encrypts files and renames them with random names. The attackers appear to use the same address to collect the ransom, and the ransom amount is also the same: $10,000 in bitcoin. So far, the attackers have received only one payment.

In the summer of 2020 there were already cases of infection with malware called Black Kingdom, although it is not yet known whether that malware is identical to the new one. Both, however, are written in the Python programming language.

Previously, attackers used the ProxyLogon vulnerability to spread the DearCry ransomware, but there were very few cases of infection. It also became known that the REvil group demanded $50 million in bitcoin from the computer equipment manufacturer Acer. The attackers are believed to have infiltrated the Acer network by exploiting the ProxyLogon vulnerability.
