Second ransomware group hitting vulnerable Exchange servers with ProxyLogon flaw

Ransomware background
Source: undefined | Getty Images

Another ransomware group appears to be taking advantage of the ProxyLogon vulnerability in on-prem Microsoft Exchange servers, giving even more incentive to administrators to patch their installations as soon as possible.

Bleeping Computer is reporting that researchers have detected a strain dubbed BlackKingdom in vulnerable Exchange servers.

The story cites Michael Gillespie, the creator of ID Ransomware, saying he has seen over 30 unique submissions to his system, with many being submitted directly from mail servers.

Victim organizations are reportedly are located in the USA, Canada, Austria, Switzerland, Russia, France, Israel, United Kingdom, Italy, Germany, Greece, Australia, and Croatia.

Brett Callow, a British Columbia-based threat researcher with Emsisoft, said that for the time being his firm may be able to help victims of this particular ransomware strain recover encrypted data without charge.

The ransom notes seen by BleepingComputer all demand US$10,000 in bitcoin.

This is the second ransomware group taking advantage of the Exchange openings. Eleven days ago Microsoft reported a group was finding and installing a variant called DearCry on unprotected servers.

Meanwhile, Politico reported Monday that the White House National Security Council says a free Microsoft tool for scanning and fixing the ProxyLogon vulnerabilities has been downloaded 25,000 times since its release. As a result the number of systems open to attack in the U.S. has dropped 45 per cent. 

However, worldwide it is believed there are still thousands of Exchange servers that haven’t been patched.

UPDATE: On March 22nd Microsoft said 92 per cent of internet-connected on-premise Exchange servers had been patched or mitigated. That still left about 30,000 around the world unprotected.

Microsoft publicly reported the vulnerabilities on March 2nd, saying a China-based group it dubs Hafnium had been exploiting the holes bugs to access email and install malware to enable long-term access to victim environments. 

Security researchers at Dubex initially discovered the issues late last year while looking for vulnerabilities in Exchange. Researchers at Volexity then found other parts of the attack chain. 

It isn’t clear how far back Hafnium began exploiting what is called the ProxyLogon holes, but there is evidence that by late February — just before Microsoft’s public announcement — other groups had either been told or had discovered them and were also attempting exploitation.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada
Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Related Tech News