(credit: Aurich Lawson / Ars Technica)
Microsoft Exchange servers compromised in a first round of attacks are getting infected for a second time by a ransomware gang that is trying to profit from a rash of exploits that caught organizations around the world flat-footed.
The ransomware—known as Black Kingdom, DEMON, and DemonWare—is demanding $10,000 for the recovery of encrypted data, security researchers said. The malware is getting installed on Exchange servers that were previously infected by attackers exploiting a critical vulnerability in the Microsoft email program. Attacks started while the vulnerability was still a zero-day. Even after Microsoft issued an emergency patch, as many as 100,000 servers that didn’t install it in time were infected.
The hackers behind those attacks installed a web shell that allowed anyone who knew the URL to completely control the compromised servers. Black Kingdom was spotted last week by Security firm SpearTip. Marcus Hutchins, a security researcher at security firm Kryptos Logic, reported on Sunday that the malware didn’t actually encrypt files.
Proactive Computing found this story and shared it with you.
The Article Was Written/Published By: Dan Goodin