Security Researcher Lures Microsoft Exchange Ransomware Bandits With Sweet Honeypot

windows hacker hero
This month, Microsoft Exchange vulnerabilities have been cropping up, and bad actors are looking to take advantage of them. It has been rumored, yet not confirmed, that the recent Acer hack stemmed from the Microsoft Exchange vulnerabilities. Now, another group of advantageous criminals are using the Exchange vulnerabilities in an attempt to spook businesses and organizations, it seems.

Over the weekend, security researcher Marcus Hutchins, who goes by MalwareTechBlog on Twitter, reported that he had caught someone running a script on his Exchange servers. The malicious actor, called BlackKingdom, ended up only putting a ransom note in all folders in the D, I, and E drives on the computer.

Based on the logs, the attacker had also previously tried to execute a PowerShell script which would have grabbed a malicious piece of software. In this case, it would not have mattered much as the way he caught the attacker was by a honeypot; a method to lure in someone malicious and sniff them out.

Moreover, as the attacker only left a ransom note and made no other changes, their initial malware probably did not work or as well as desired. Either way, there are still people out looking for vulnerable systems, and admins need to be aware of it, even if the attackers are sometimes declawed. Ultimately, this will not be the last we hear of attackers taking advantage of Exchange servers, so stay tuned to HotHardware for updates.