Ransomware operators are piling on already hacked Exchange servers

Microsoft Exchange servers compromised in a first round of attacks are getting infected for a second time by a ransomware gang that is trying to profit from a rash of exploits that caught organizations around the world flat-footed.

The ransomware—known as Black Kingdom, DEMON, and DemonWare—is demanding $10,000 for the recovery of encrypted data, security researchers said. The malware is getting installed on Exchange servers that were previously infected by attackers exploiting a critical vulnerability in the Microsoft email program. Attacks started while the vulnerability was still a zero-day. Even after Microsoft issued an emergency patch, as many as 100,000 servers that didn’t install it in time were infected.

Opportunity knocks

The hackers behind those attacks installed a web shell that allowed anyone who knew the URL to completely control the compromised servers. Black Kingdom was spotted last week by Security firm SpearTip. Marcus Hutchins, a security researcher at security firm Kryptos Logic, reported on Sunday that the malware didn’t actually encrypt files.

On Tuesday morning, Microsoft Threat Intelligence Analyst Kevin Beaumont reported that a Black Kingdom attack “does indeed encrypt files.

Security firm Arete on Monday also disclosed Black Kingdom attacks.

Black Kingdom was spotted last June by security firm RedTeam. The ransomware was taking hold of servers that failed to patch a critical vulnerability in the Pulse VPN software. Black Kingdom also made an appearance at the beginning of last year.

Brett Callow, a security analyst at Emsisoft, said it wasn’t clear why one of the recent Black Kingdom attacks failed to encrypt data.

“The initial version encrypted files, while a subsequent version simply renamed them,” he wrote in an email. “Whether both versions are being simultaneously operated is not clear. Nor is it clear why they altered their code—perhaps because the renaming (fake encryption) process would not be detected or blocked by security products?”

He added that one version of the ransomware is using an encryption method that in many cases allows the data to be restored without paying a ransom. He asked that the method not be detailed to prevent the operators of the ransomware from fixing the flaw.

Patching isn’t enough

Neither Arete nor Beaumont said if Black Kingdom attacks were hitting servers that had yet to install Microsoft’s emergency patch or if the attackers were simply taking over poorly secured web shells installed earlier by a different group.

Two weeks ago, Microsoft reported that a separate strain of ransomware named DearCry was taking hold of servers that had been infected by Hafnium. Hafnium is the name the company gave to state-sponsored hackers in China that were the first to use ProxyLogon, the name given to a chain of exploits that gains complete control over vulnerable Exchange servers.

Security firm SpearTip, however, said that the ransomware was targeting servers “after initial exploitation of the available Microsoft exchange vulnerabilities.” The group installing the competing DearCry ransomware also piggybacked.

Black Kingdom comes as the number of vulnerable servers in the US dropped to less than 10,000, according to Politico, which cited a National Security Council spokesperson. There were about 120,000 vulnerable systems earlier this month.

As the follow-on ransomware attacks underscore, patching servers isn’t anywhere near a full solution to the ongoing Exchange server crisis. Even when severs receive the security updates, they can still be infected with ransomware if any web shells remain.

Microsoft is urging affected organizations that don’t have experienced security staff to run this one-click mitigation script.