Security News > 2021 > March > Microsoft: Black Kingdom ransomware hacked 1.5K Exchange servers
Microsoft has discovered web shells deployed by Black Kingdom operators on approximately 1,500 Exchange servers vulnerable to ProxyLogon attacks.
More than 30 Black Kingdom submissions coming directly from impacted mail servers have been added to ransomware identification site ID Ransomware starting on March 18.
While the ransomware gang failed to encrypt any files on Hutchins' honeypots, the ID Ransomware submissions are all from successfully encrypted Exchange servers.
While a connection has not yet been made, another ransomware dubbed Black Kingdom targeted corporate networks with Pulse Secure VPN exploits in June 2020.
BleepingComputer has confirmed that last year's Black Kingdom ransomware was also a Python-based malware.
Black Kingdom is the second confirmed ransomware that targets unpatched Microsoft Exchange servers with ProxyLogon exploits.
News URL
Related news
- Microsoft: Exchange 2016 reaches extended end of support in October (source)
- FBI disrupts the Dispossessor ransomware operation, seizes servers (source)
- FBI Shuts Down Dispossessor Ransomware Group's Servers Across U.S., U.K., and Germany (source)
- Windows Server August updates fix Microsoft 365 Defender issue (source)
- Microsoft: August updates cause Windows Server boot issues, freezes (source)
- Microsoft: Exchange Online mistakenly tags emails as malware (source)
- Linux version of new Cicada ransomware targets VMware ESXi servers (source)
- VMware ESXi Servers Targeted by New Ransomware Variant from Cicada3301 Group (source)
- Microsoft fixes Windows Server performance issues from August updates (source)
- Ransomware gangs now abuse Microsoft Azure tool for data theft (source)