Black Kingdom ransomware attacked 1,500 Exchange servers for ransom

Previously, serious security vulnerabilities were found in Microsoft Exchange Server 2013 through 2019, allowing attackers to compromise a server directly and download all of its email.

Investigations show that tens of thousands of Exchange servers have been attacked worldwide, including but not limited to those of governments, enterprises, universities, hospitals, and other institutions.

In view of the extremely high risk posed by the vulnerabilities, Microsoft has repeatedly issued security bulletins urging organizations to patch, but many government and enterprise organizations still did not install the security updates promptly.

As a result, an initial 10 hacker groups exploited the vulnerabilities in attacks, and ransomware operators also joined in, seizing organizations' private information and holding it for ransom.

Image: Microsoft

The latest report from the Microsoft 365 Defender Threat Intelligence Team states that a hacker group known as Black Kingdom launched an attack from March 18th to 20th.

Microsoft says that about 1,500 servers were attacked by this ransomware, but not all of the infected servers have reached the stage where the ransomware is deployed or files are encrypted.

Some servers have been infected but the ransomware has not yet been deployed. Companies in that position can still avoid the ransomware by using the detection tools released by Microsoft to check their servers and clean them up.

However, Microsoft also emphasized that a system being infected without the ransomware deployed is no guarantee of safety: the hacker group may have retained access, and may launch the attack only after collecting key confidential information.

The Black Kingdom group has also issued ransom demands to some victims, asking the infected company to pay $10,000 for the decryption key.

If a company is unwilling to pay the ransom in exchange for the key to decrypt its files, the hacker group may also publish all of the company's email records on the Internet.

According to Microsoft's statistics, the victims are located in many countries and regions, including the United States, Russia, Germany, Austria, Switzerland, the United Kingdom, Israel, and Greece.

On some of the attacked servers, ransom notes were left even though no files were encrypted. It is not clear whether the hacker group's ransomware deployment simply failed on those servers.

Microsoft emphasizes that companies must promptly investigate whether their servers are infected, back up their data, and promptly remove the malware to prevent attackers from moving further into the internal network.

Microsoft's Exchange Server fixes and related security bulletins can be viewed here; please patch the vulnerabilities as soon as possible.