Microsoft systems targeted by ‘Black Kingdom’ ransomware
Earlier this year Microsoft Exchange servers were targeted by cybercriminals who used a known vulnerability to infect them with the Black Kingdom ransomware.
Now the cybersecurity firm Kaspersky has released a new report which provides further insight into how this ransomware strain works along with new details on the cybercriminals behind it.
While the Black Kingdom ransomware first appeared in 2019, it became widely known in March of this year when it was used in a campaign that exploited the ProxyLogon vulnerability in Microsoft Exchange, tracked as CVE-2021-27065.
However, based on Kaspersky’s analysis of the ransomware, it is an amateurish implementation with several mistakes and a critical encryption flaw that could allow anyone to decrypt the files affected by it using a hardcoded key.
Black Kingdom ransomware
Although the end goal of any ransomware strain is to encrypt a system’s files, the author of the Black Kingdom ransomware strain, which is coded in Python, decided to specify certain folders to be excluded from encryption.
The ransomware avoids encrypting the Windows, ProgramData, Program Files, Program Files (x86), AppData/Roaming, AppData/LocalLow and AppData/Local folders on a targeted system in order to avoid breaking it during encryption. However, the way in which the code that implements this exclusion is written was a clear sign to Kaspersky that its creators may have been amateurs.
Ransomware developers often end up making mistakes that can allow files to be decrypted easily, or sometimes not at all. The Black Kingdom ransomware, for instance, tries to upload its encryption key to the cloud storage service Mega, but if this upload fails, a hardcoded key is used to encrypt the files instead. If a system’s files have been encrypted while the malware was unable to connect to Mega, those files can therefore be recovered using the hardcoded key.
Another mistake made by Black Kingdom’s creators and observed by Kaspersky’s researchers is that all of their ransom notes contain several errors as well as the same Bitcoin address. Other ransomware families provide a unique address for each victim, which makes it much more difficult to determine who created the malware used in a given attack.
The Black Kingdom ransomware is not being used by cybercriminals to launch attacks at the moment, but organizations need to be ready for when it reappears. For this reason, vulnerable organizations should take a closer look at Kaspersky’s report and, if they haven’t yet, patch their Microsoft Exchange servers using the company’s one-click tool.
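The reuse of a single Bitcoin address across every ransom note is the kind of operational slip an incident responder can check for when triaging notes collected from several victims. The following Python snippet is an added example written for this article, not code from Kaspersky's report or from the malware itself: it extracts Bitcoin-style addresses from a set of constructed note excerpts and groups the victims by address, so that a wallet shared across notes stands out. The note texts, the victim labels and the address strings are all made-up placeholders shaped like valid addresses; none of them is a real wallet or a real Black Kingdom note.

```python
import re
from collections import defaultdict

# Constructed ransom-note excerpts for demonstration only (not real notes).
# Victim labels are hypothetical; the addresses are made-up placeholders
# with a base58-looking shape, not real wallets.
SAMPLE_NOTES = {
    "victim-A": "Your files are encrypted. Send 1 BTC to "
                "1ConstructedTestAddrABCDEFGHJKMNPQRS to recover them.",
    "victim-B": "All your data has been locked. Pay 1 BTC to "
                "1ConstructedTestAddrABCDEFGHJKMNPQRS.",
    "victim-C": "Files encrypted. Wallet: 1ConstructedTestAddrABCDEFGHJKMNPQRS",
    # A note from an unrelated family, to show that it forms its own cluster.
    "victim-D": "Pay to 3ConstructedSecondAddrABCDEFGHJKMNPQRS only.",
}

# Permissive Bitcoin-address pattern for triage: legacy (1...), P2SH (3...)
# and bech32 (bc1...) forms. Base58 excludes 0, O, I and l. This does not
# verify the address checksum; it only finds candidate strings in free text.
BTC_ADDRESS_RE = re.compile(
    r"\b(?:bc1[a-z0-9]{25,59}|[13][1-9A-HJ-NP-Za-km-z]{25,39})\b"
)


def extract_addresses(note: str) -> set:
    """Return the set of candidate Bitcoin addresses found in one note."""
    return set(BTC_ADDRESS_RE.findall(note))


def cluster_by_address(notes: dict) -> dict:
    """Map each address to the sorted list of victims whose note carries it."""
    clusters = defaultdict(list)
    for victim, text in notes.items():
        for addr in extract_addresses(text):
            clusters[addr].append(victim)
    return {addr: sorted(victims) for addr, victims in clusters.items()}


def shared_address_clusters(notes: dict, min_size: int = 2) -> dict:
    """Keep only addresses reused across min_size or more victims.

    A wallet that shows up in notes from several unrelated victims is the
    attribution signal the article describes: per-victim addresses would
    each form a cluster of size one.
    """
    return {
        addr: victims
        for addr, victims in cluster_by_address(notes).items()
        if len(victims) >= min_size
    }


if __name__ == "__main__":
    for addr, victims in shared_address_clusters(SAMPLE_NOTES).items():
        print(f"{addr} reused by {len(victims)} victims: {', '.join(victims)}")
```

Running the block prints the one address shared by victims A, B and C; the unrelated address from victim D is dropped because it appears only once. In practice the regex is a first pass, so candidate strings should be checksum-validated before being treated as indicators.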