Black Kingdom Ransomware Is Exploiting Microsoft Exchange Vulnerabilities
The malware also known as DEMON or DemonWare is the most recent malware caught that is leveraging these vulnerabilities.
Black Kingdom, a malware also known as DEMON or DemonWare, is the most recent malware caught inside networks leveraging the Microsoft Exchange vulnerabilities as an initial entry point to deploy ransomware.
Beyond the attacks themselves, Black Kingdom operators are recognizable by the signature they leave behind, typically black_kingdom, DEMON, or .death.
The Microsoft Exchange vulnerabilities are still being heavily exploited, which is driving up the number of ransomware cases tied to them.
Black Kingdom ransomware threat actors previously relied on exploiting Pulse Secure VPN vulnerabilities, but they now appear to be analyzing all available information in order to improve their initial access strategy.
What sets Black Kingdom apart is how the ransomware is packaged and executed: instead of the usual memory injection techniques, the operators write it as a Python script and package it into an executable with a tool such as py2exe for Python 3.
Py2exe can build both console and Windows GUI executables. After the initial build, the group pushes a Python runtime to the target machine and then the ransomware executable itself so that it can run.
It appears that Black Kingdom attempts to run the ransomware immediately after the initial exploitation of the available Microsoft Exchange vulnerabilities.
With patches available, it is important not only to patch your systems but also to deploy monitoring tools so that threats like these can be stopped before they run in your environment.