Microsoft has discovered web shells deployed by Black Kingdom operators on approximately 1,500 Exchange servers vulnerable to ProxyLogon attacks.

"They started later than some other attackers, with many compromises occurring between March 18 and March 20, a window when fewer unpatched systems were available," the Microsoft 365 Defender Threat Intelligence Team said.

"We observed these web shells on around 1,500 systems, not all of which moved to the ransomware stage. Many of the compromised systems have not yet received a secondary action, such as human-operated ransomware attacks or data exfiltration, showing attackers could establish and keep their access for potential later actions."
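A web shell that has not yet been followed by ransomware is still a foothold, so the practical response to the observation above is to hunt for it rather than wait for the "secondary action". The script below is an added example, not code from the article or from Microsoft: it walks an IIS web root and flags .aspx/.ashx/.asmx files either modified inside the March 18 to 20 window the article cites or containing generic web shell traits (request-driven eval, process spawning). The window boundaries, the content patterns, and the sample file names and contents are all assumptions constructed for the demonstration; on a real server you would point `find_suspect_aspx` at the Exchange front-end directories and review every hit by hand.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Compromise window taken from the article (UTC, end exclusive). Assumption: adjust to your own telemetry.
WINDOW_START = datetime(2021, 3, 18, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 3, 21, tzinfo=timezone.utc)

# Generic traits of a server-side page that executes attacker-supplied input.
# These are assumed heuristics, not signatures from the article or from Microsoft.
SUSPICIOUS = re.compile(
    r"(Request\s*\[|Request\.Form|Request\.Params|Request\.Item|eval\s*\(|Process\.Start|cmd\.exe)",
    re.IGNORECASE,
)

SCRIPT_SUFFIXES = {".aspx", ".ashx", ".asmx"}


def find_suspect_aspx(root, start=WINDOW_START, end=WINDOW_END):
    """Return server-side script files under root that were modified inside the window
    or whose content matches SUSPICIOUS. Each hit records which condition fired so an
    analyst can prioritise files that satisfy both."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() not in SCRIPT_SUFFIXES:
                continue
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            in_window = start <= mtime < end
            try:
                content = path.read_text(errors="ignore")
            except OSError:
                content = ""
            content_match = bool(SUSPICIOUS.search(content))
            if in_window or content_match:
                hits.append({
                    "path": str(path),
                    "mtime": mtime.isoformat(),
                    "in_window": in_window,
                    "content_match": content_match,
                })
    return sorted(hits, key=lambda h: h["path"])


def build_sample_tree(base):
    """Constructed sample web root: file names, timestamps and bodies are made up for the demo."""
    samples = [
        # benign page, old timestamp, harmless content: should not be flagged
        ("owa/healthcheck.aspx", "2021-01-05T09:00", '<%@ Page Language="C#" %>\nOK'),
        # dropped inside the window and takes code from the request: flagged on both counts
        ("client/login.aspx", "2021-03-19T02:30",
         '<%@ Page Language="JScript" %><% eval(Request["cmd"], "unsafe"); %>'),
        # benign content but modified inside the window: flagged for timestamp only
        ("client/errorFE.aspx", "2021-03-19T14:10", '<%@ Page Language="C#" %>\nAn error occurred.'),
        # older file that spawns cmd.exe from a form field: flagged for content only
        ("ecp/old.aspx", "2020-12-01T08:00",
         '<% System.Diagnostics.Process.Start("cmd.exe", Request.Form["c"]); %>'),
    ]
    for rel, when, body in samples:
        path = Path(base) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        ts = datetime.fromisoformat(when).replace(tzinfo=timezone.utc).timestamp()
        os.utime(path, (ts, ts))  # set the modification time the sample is meant to have


def demo_summary():
    """Build the constructed tree in a temp dir and summarise hits as name -> (in_window, content_match)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {Path(h["path"]).name: (h["in_window"], h["content_match"])
                for h in find_suspect_aspx(tmp)}


if __name__ == "__main__":
    for name, (in_window, content_match) in demo_summary().items():
        print(f"{name}: modified in window={in_window}, suspicious content={content_match}")
```

A hit on timestamp alone is weak evidence (legitimate updates also touch files), and a hit on content alone may be an old, unrelated artifact; files that fire on both are the ones to pull first, together with the IIS logs for the same period.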

Ransom demands of up to $10,000

Malware analyst Marcus Hutchins was the first to spot Black Kingdom (also tracked as Pydomer by Microsoft) targeting Exchange servers over the weekend after one of his ProxyLogon honeypots picked up the malicious activity.

Over 30 Black Kingdom submissions coming directly from impacted mail servers have been added to the ransomware identification site ID Ransomware since March 18.

While the ransomware gang encrypted no files on Hutchins' honeypots, the ID Ransomware submissions are all from successfully encrypted Exchange servers.

Black Kingdom ransomware victims are in the US, Russia, Canada, Germany, Austria, Switzerland, France, Israel, United Kingdom, Italy, Greece, Australia, and Croatia.

When TechnicalPMA analyzed a Black Kingdom sample, the ransomware created a ransom note demanding $10,000 in bitcoin for a decryption key.

The ransom note also warned victims that data had been stolen before their devices were encrypted and would be publicly released if the ransom was not paid.

In some attacks, Microsoft noted that the ransomware dropped a ransom note even though the device was not encrypted. It is unknown whether this was a failed encryption attempt or whether the attackers were simply exfiltrating data and holding it to ransom.

"The note should be taken seriously if encountered, as the attackers had full access to systems and could likely exfiltrate data," Microsoft added.

While no link has yet been confirmed, another ransomware dubbed Black Kingdom targeted corporate networks using Pulse Secure VPN exploits in June 2020.

Hutchins said that the current ransomware executable is a Python script compiled as a Windows executable. TechnicalPMA has confirmed that last year's Black Kingdom ransomware was also a Python-based malware.

Indiscriminate attacks target unpatched Exchange servers

Black Kingdom is the second confirmed ransomware family to target unpatched Microsoft Exchange servers with ProxyLogon exploits.

The first was DearCry, deployed in attacks that began roughly one week after Microsoft released the ProxyLogon security updates.

Threat actors behind ProxyLogon attacks have also been observed while stealing credentials via LSASS dumps and deploying crypto-mining malware.

Microsoft revealed on Monday that roughly 92% of all Internet-facing on-premises Exchange servers affected by the ProxyLogon vulnerabilities are now patched. Patching closes the initial entry point but does not remove web shells or other persistence already planted before the update, so servers that were exposed during the attack window still need to be checked for compromise.

From 400,000 Internet-connected Exchange servers affected by the ProxyLogon flaws when Microsoft issued the initial security patches on March 2, there are now under 30,000 still exposed to attacks.