Another ransomware group appears to be taking advantage of the ProxyLogon vulnerability in on-prem Microsoft Exchange servers, giving even more incentive to administrators to patch their installations as soon as possible.
Bleeping Computer is reporting that researchers have detected a strain dubbed BlackKingdom in vulnerable Exchange servers.
The story cites Michael Gillespie, the creator of ID Ransomware, saying he has seen over 30 unique submissions to his system, with many being submitted directly from mail servers.
Victim organizations are reportedly are located in the USA, Canada, Austria, Switzerland, Russia, France, Israel, United Kingdom, Italy, Germany, Greece, Australia, and Croatia.
Brett Callow, a British Columbia-based threat researcher with Emsisoft, said that for the time being his firm may be able to help victims of this particular ransomware strain recover encrypted data without charge.
The ransom notes seen by BleepingComputer all demand US$10,000 in bitcoin.
This is the second ransomware group taking advantage of the Exchange openings. Eleven days ago Microsoft reported a group was finding and installing a variant called DearCry on unprotected servers.
Meanwhile, Politico reported Monday that the White House National Security Council says a free Microsoft tool for scanning and fixing the ProxyLogon vulnerabilities has been downloaded 25,000 times since its release. As a result the number of systems open to attack in the U.S. has dropped 45 per cent.
However, worldwide it is believed there are still thousands of Exchange servers that haven’t been patched.
UPDATE: On March 22nd Microsoft said 92 per cent of internet-connected on-premise Exchange servers had been patched or mitigated. That still left about 30,000 around the world unprotected.
Microsoft publicly reported the vulnerabilities on March 2nd, saying a China-based group it dubs Hafnium had been exploiting the holes bugs to access email and install malware to enable long-term access to victim environments.
Security researchers at Dubex initially discovered the issues late last year while looking for vulnerabilities in Exchange. Researchers at Volexity then found other parts of the attack chain.
It isn’t clear how far back Hafnium began exploiting what is called the ProxyLogon holes, but there is evidence that by late February — just before Microsoft’s public announcement — other groups had either been told or had discovered them and were also attempting exploitation.