Ransomware operators are piling on already hacked Exchange servers

A stylized ransom note asks for bitcoin in exchange for stolen data.

(credit: Aurich Lawson)

Microsoft Exchange servers compromised in a first round of attacks are getting infected for a second time by a ransomware gang that’s trying to profit from a rash of exploits that caught organizations around the world flat-footed.

The ransomware—known as Black Kingdom, DEMON, and DemonWare—is demanding $10,000 for the recovery of encrypted data, security researchers said. The malware is getting installed on Exchange servers that were previously infected by attackers exploiting a critical vulnerability in the Microsoft email program. Attacks started while the vulnerability was still a zeroday. Even after Microsoft issued an emergency patch, as many as 100,000 servers that didn’t install it in time were infected.

Opportunity knocks

The hackers behind those attacks installed a web shell that allowed anyone who knew the URL to completely control the compromised servers. Black Kingdom was spotted last week by Security firm SpearTip. Marcus Hutchins, a security researcher at security firm Kryptos Logic, reported on Sunday that the malware didn’t actually encrypt files.

Read 12 remaining paragraphs | Comments

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top