Microsoft Exchange servers compromised in a first round of attacks are getting infected for a second time by a ransomware gang that’s trying to profit from a rash of exploits that caught organizations around the world flat-footed.
The ransomware—known as Black Kingdom, DEMON, and DemonWare—is demanding $10,000 for the recovery of encrypted data, security researchers said. The malware is getting installed on Exchange servers that were previously infected by attackers exploiting a critical vulnerability in the Microsoft email program. Attacks started while the vulnerability was still a zeroday. Even after Microsoft issued an emergency patch, as many as 100,000 servers that didn’t install it in time were infected.
The hackers behind those attacks installed a web shell that allowed anyone who knew the URL to completely control the compromised servers. Black Kingdom was spotted last week by Security firm SpearTip. Marcus Hutchins, a security researcher at security firm Kryptos Logic, reported on Sunday that the malware didn’t actually encrypt files.