A stylized ransom note asks for bitcoin in exchange for stolen data.

(credit: Aurich Lawson / Ars Technica)

Microsoft Exchange servers compromised in a first round of attacks are getting infected for a second time by a ransomware gang that is trying to profit from a rash of exploits that caught organizations around the world flat-footed.

The ransomware—known as Black Kingdom, DEMON, and DemonWare—is demanding $10,000 for the recovery of encrypted data, security researchers said. The malware is getting installed on Exchange servers that were previously infected by attackers exploiting a critical vulnerability in the Microsoft email program. Attacks started while the vulnerability was still a zero-day. Even after Microsoft issued an emergency patch, as many as 100,000 servers that didn’t install it in time were infected.

Opportunity knocks

The hackers behind those attacks installed a web shell that allowed anyone who knew the URL to completely control the compromised servers. Black Kingdom was spotted last week by Security firm SpearTip. Marcus Hutchins, a security researcher at security firm Kryptos Logic, reported on Sunday that the malware didn’t actually encrypt files.

Read 12 remaining paragraphs | Comments

index?i=LYVOmxMVBn8:QPGfrJsTxWw:V_sGLiPB index?i=LYVOmxMVBn8:QPGfrJsTxWw:F7zBnMyn index?d=qj6IDK7rITs index?d=yIl2AUoC8zA

Source: https://arstechnica.com/gadgets/2021/03/ransomware-operators-are-piling-on-already-hacked-exchange-servers/
Proactive Computing found this story and shared it with you.
The Article Was Written/Published By: Dan Goodin