Security Researcher Lures Microsoft Exchange Ransomware Bandits With Sweet Honeypot
Someone just ran this script on all vulnerable Exchange servers via ProxyLogon vulnerability. It claims to be BlackKingdom "Ransomware", but it doesn't appear to encrypt files, just drops a ransom note to every directory. pic.twitter.com/POYlPYGjsz— MalwareTech (@MalwareTechBlog) March 21, 2021
Moreover, since the attacker only left a ransom note and made no other changes to the affected servers, their initial malware probably did not work, or at least did not work as well as intended. Either way, there are still people out there scanning for vulnerable systems, and admins need to be aware of it, even if the attackers are sometimes declawed. Ultimately, this will not be the last we hear of attackers taking advantage of Exchange servers, so stay tuned to HotHardware for updates.
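The distinction the paragraph draws, notes dropped everywhere but nothing actually encrypted, is exactly what a responder wants to confirm before treating an incident as a real ransomware event. The following triage script is an added example written for this page, not code from the article or from MalwareTech: it walks a directory tree, counts directories that contain a ransom note, and measures the byte entropy of the other files to decide whether they still look like plaintext. The note filename `README_RANSOM.txt`, the entropy threshold, and the sample directory tree are all assumptions constructed for the demonstration; the page does not give the real note name used by this campaign.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed, hypothetical note filename: the article does not give the real one.
NOTE_NAME = "README_RANSOM.txt"
# Encrypted or compressed data sits near 8 bits/byte; English text is ~4-5.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def triage(root, note_name=NOTE_NAME, threshold=ENTROPY_THRESHOLD, sample=4096):
    """Walk `root`, count ransom notes, and flag files whose first `sample`
    bytes have entropy at or above `threshold` (i.e. look encrypted)."""
    root = Path(root)
    result = {"dirs_total": 0, "dirs_with_note": 0, "files_checked": 0,
              "files_high_entropy": 0, "high_entropy_paths": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        result["dirs_total"] += 1
        if note_name in filenames:
            result["dirs_with_note"] += 1
        for fn in filenames:
            if fn == note_name:
                continue
            path = Path(dirpath) / fn
            try:
                with open(path, "rb") as fh:
                    head = fh.read(sample)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if len(head) < 256:
                continue  # too little data for a meaningful entropy estimate
            result["files_checked"] += 1
            if shannon_entropy(head) >= threshold:
                result["files_high_entropy"] += 1
                result["high_entropy_paths"].append(str(path.relative_to(root)))
    return result


def classify(result) -> str:
    """Turn the triage counts into a one-line verdict."""
    if result["dirs_with_note"] == 0:
        return "no ransom notes found"
    checked = result["files_checked"]
    if checked and result["files_high_entropy"] / checked > 0.5:
        return "notes present and most files look encrypted: likely real ransomware"
    return "notes present but files still readable: scareware or failed encryptor"


def build_demo_tree(base, encrypted: bool):
    """Construct a sample tree (constructed data, not a real incident):
    a note in every directory, next to files that are either random bytes
    (stand-in for ciphertext) or repetitive plaintext."""
    base = Path(base)
    for sub in ("docs", "docs/reports", "mail"):
        d = base / sub
        d.mkdir(parents=True, exist_ok=True)
        (d / NOTE_NAME).write_text("Your files were uploaded. Pay to the address below.\n")
        for i in range(3):
            if encrypted:
                payload = os.urandom(2048)
            else:
                payload = (b"Quarterly report text line %d\n" % i) * 80
            (d / f"file{i}.txt").write_bytes(payload)
    return base


def demo(encrypted: bool) -> str:
    """Build a temporary tree and return the triage verdict for it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp, encrypted)
        return classify(triage(tmp))


if __name__ == "__main__":
    print("note-only drop :", demo(encrypted=False))
    print("real encryption:", demo(encrypted=True))
```

On a live host you would point `triage()` at the document roots the note was found in and review `high_entropy_paths` by hand, since legitimately compressed files (archives, JPEGs, Office documents) also score near 8 bits/byte; the 50% majority rule in `classify()` is there to keep a handful of such files from being mistaken for a wipe.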
Black Kingdom switching from actual ransomware to scareware which claims your files were uploaded would suggest the ransomware wasn't working well. The bitcoin address appears to be static, and so far they've received only 1 payment in 3 days. https://t.co/MSQqUogbTq— MalwareTech (@MalwareTechBlog) March 21, 2021