BlackKingdom ransomware still exploiting insecure Exchange servers

Paul Ducklin

3 years ago

It’s three weeks since the word HAFNIUM hit the news.

The word Hafnium refers to a cybergang who are said to focus on stealing data from pretty much anyone and everyone they can infiltrate, across an eclectic range of industry sectors, and this time they hit a sort-of cybercrime jackpot.

The Hafnium crew, it turned out, not only knew about four zero-day vulnerabilities in Microsoft Exchange, but also knew how to exploit these bugs reliably in order to walk into unprotected networks almost at will.

The Exchange bugs didn’t include a remote code exeution (RCE) hole to give the crooks the direct and immediate access to a compromised server, but the bugs did allow the crooks to rig up RCE using a trick known as a webshell.

Greatly simplified, the attack goes like this:

Exploit the Exchange bugs to write a booby-trapped web file called a webshell onto a vulnerable server.
Trigger the booby-trapped web page hosting the webshell to run a Powershell (or similar) command to download further malware, such as a fully-featured backdoor toolkit.
Enter at will and, very loosely speaking, commit whatever cybercrimes are on today’s “to do” list.

Unfortunately, as we explained when this news first broke, the name Hafnium caused fourfold confusion:

Although Hafnium is often written in ALL CAPS, it’s not an acronym, so it doesn’t stand for something specific that you can protect against and then stand down from.
Although Hafnium refers to a specific cybergang, the zero-day exploits they were using were already widely known to other criminals, and working examples soon became available online for anyone and everyone to download and use, both for legitimate research and for launching attacks.
Although Hafnium attacks were associated with Microsoft Exchange in media coverage, the attacks these crooks were carrying out once they got in were not specific to networks using Exchange. The cybercrimes they ultimately committed could be initiated in many other ways.
Although Hafnium was associated with data exfiltration and thus with potential industrial espionage, intrusions via these Exchange bugs could lead to many other crimes, notably including ransomware attacks.

It’s the last of these issues that concerns us here, because the Sophos Managed Threat Response team recently investigated a number of cases in which networks that hadn’t been patched against the abovementioned Exchange bugs had been infiltrated and attacked by a strain of ransomware going by the dramatic name of BlackKingdom.

In case you’re wondering, the crooks variously refer to their own ransomware using two words, weirdly written Black KingDom, as well using one word, as we’ve written it here. (We’ll stick to BlackKingdom in order to make it clear that we are talking about a specific threat, in the same way that we might write WannaCry or TeslaCrypt.)

The bugs exploited in this case are now widely referred to as ProxyLogon, which is the popular name used to refer to attacks that start off by using the Exchange bug CVE-2021-26855, typically followed by using CVE-2021-27065 and perhaps CVE-2021-26857 and CVE-2021-26858. The name ProxyLogin is a better word to use than Hafnium if you’re specifically talking about an intrusion initiated by those bugs, because the name isn’t tied to any criminal gang, and doesn’t imply any specific reason for the attack.

How it works

If you’re after the low-level details of BlackKingdom, you’ll be glad to know that SophosLabs has published a technical analysis of the malware program that does the dirty work.

Read the Labs report if you want to find out exactly how the malware works, and to get indicators of compromise you can look for on your network and in your own logs.

Although BlackKingdom is not technically sophisticated, that’s cold comfort if it’s just scrambled all your files.

As SophosLabs put it:

[O]ur early analysis reveals that it is somewhat rudimentary and amateurish in its composition, but it can still cause a great deal of damage.

Black Kingdom ransomware begins appearing on Exchange servers

What it does

Like many families of ransomware, this one:

Skips folders needed to keep Windows running, including ‘C:\Windows’, ‘C:\Program Files (x86)’, ‘C:\Program Files’ and various folders under your ‘AppData’ directory. The crooks want to be sure you can still boot Windows, read their blackmail demand and get online to buy bitcoins to pay the extortion.
Stops any SQL server processes running, if the malware has administrator level powers, thus unlocking your database files so that they can be attacked along with everything else.
Scrambles files on all drives it can find, including mounted network drives and removable disks that were plugged in at the time.
Overwrites files in place, so there are no temporary copies of your unencrypted files left behind. This makes it hard to restore files by using disk recovery or “undelete” tools.
Chooses a new encryption key for each computer, so that the decryption key for one PC won’t work on another.
Never saves the decryption key to disk, so that you can’t undelete or easily recover it later. The malware uploads the key from your computer to an online file storage service, where the crooks can later download it but you can’t.
Pops up a blackmail demand when it’s done. The malware also writes a text file with the criminals’ demands in it to a file called decrypt_file.TxT.
Deletes the Windows Event logs, if it can, making it harder and more time consuming to try to figure out exactly what happened afterwards.

The blackmail demand starts like this:

***************************
| what happened           ?
***************************

We hacked your (( Network )), and now all files, 
documents, images, databases and other important data 
are safely encrypted using the strongest algorithms ever.
You cannot access any of your files or services .
But do not worry. You can restore everthing and get back 
business very soon ( depends on your actions )

before I tell how you can restore your data, 
you have to know certain things :

We have downloaded most of your data ( especially 
important data ) , and if you don't  
contact us within 2 days, your data will be released 
to the public.

The amount demanded is $10,000 in Bitcoin for each computer attacked:

1- Send the decrypt_file.txt file to the following email ===> [REDACTED]

2- send the following amount of US dollars ( 10,000 ) worth 
of bitcoin to this address :

[REDACTED]

3- confirm your payment by sending the transfer url to our email address

4- After you submit the payment, the data will be removed from our servers, 
and the decoder will be given to you, so that you can recover all your files.

Whether or not the criminals behind this attack really are routinely stealing their victims’ files before scrambling them, we aren’t sure.

However, as you will see from the SophosLabs analysis, the ransomware program that produces this message was installed and executed using the ProxyLogon exploits, which allow remote crooks to implant and run almost any program they want.

So even if they didn’t steal all your data first, they almost certainly could have…

…and so could any other crooks who came across your unpatched servers before, during or after the BlackKingdom attack.

What to do?

Patch early, patch often. If you are at risk of a BlackKingdom attack unleashed via the ProxyLogon exploits, then your network is as good as open for anyone to get in and do almost anything, at any time they want.
Do your backups. That way you can recover from losing your data no matter how it happens. A simple memory aid is “3-2-1”, which means you should have at least three different copies (the one you are using now plus two or more spares), using at least two different backup systems (in case one should let you down), and with at least one copy stored offline and preferably offsite (where the crooks can’t tamper with it during an attack).
Peruse your logs. Crooks don’t always succeed at their first attempt, so keep your eye open for signs that an attack may be under way.
Consider an anti-virus with data scrambling protection. For example, Sophos endpoint products include CryptoGuard, which detects ransomware generically by how it behaves, not by what it looks like. If CryptoGuard spots what it thinks is a rogue file-encrypting program, it can not only step in to block the attack but also automatically reverse any encryption that’s happened so far.

By the way, there are a few peculiarities about the BlackKingdom malware that give you a small (though it may admittedly only be a very small) chance of recovering your data, even if you don’t have a backup, without paying the criminals for the decryption key.

So if you do end up as a victim of this attack, talk to someone you know and trust for advice before you rush into any ill-considered response.

If you have suffered any sort of cybercrime attack, including but not limited to ransomware, and you don’t have an IT partner of your own to turn to, the Sophos Managed Threat Response or Sophos Rapid Response team would be happy to hear from you.

LEARN MORE: HAFNIUM EXPLAINED IN PLAIN ENGLISH

Original video here: https://www.youtube.com/watch?v=xVasO4k-mMQ
Click the cog icon to speed up playback or show live subtitles.