Black Kingdom/Pydomer Ransomware Operators Targeting the Exchange Server Vulnerabilities


Threat actors targeting the Exchange Server vulnerabilities that Microsoft revealed in early March have now included the Black Kingdom/Pydomer ransomware.

The zero-day vulnerabilities had been targeted in live attacks long before patches were released on March 2, and, despite the availability of additional mitigations, exponentially more adversaries have picked them up over the past three weeks.

The number of unpatched Exchange installations has decreased dramatically, from about 80,000 on March 14 to less than 30,000 on March 22.

“As of today, we’ve seen a substantial reduction in the number of servers that are still vulnerable – over 92 percent of identified global Exchange IPs have been fixed or mitigated,” Microsoft said in a March 25 blog post. “We continue to work with our customers and partners to mitigate the vulnerabilities.”

The number of attacks on the still-vulnerable servers, on the other hand, hasn’t decreased. More malware families and botnets are now attempting to hack the insecure servers, according to the tech firm.

More than two weeks ago, DoejoCrypt, also known as DearCry, became the first ransomware family to target the Exchange vulnerabilities. According to Microsoft, the Black Kingdom/Pydomer ransomware has since entered the fray.

Pydomer operators were seen mass scanning for and attempting to compromise unpatched Exchange servers. The same operators have previously been reported targeting other publicly disclosed vulnerabilities, including Pulse Secure VPN flaws.

“They began later than some other attackers, with several compromises happening between March 18 and March 20, when there were fewer unpatched systems available,” the tech giant notes.

The gang’s web shell was found on about 1,500 servers, but ransomware wasn’t installed on any of them. According to Microsoft, the adversaries are likely to try to monetize the unauthorised access they gained in some other way.

However, on systems where the ransomware was installed, the attackers used a “non-encryption extortion technique,” dropping only a ransom note to warn victims of their demands.

The tech firm warns that if the note is found, it should be taken seriously since the attackers had complete access to networks and were possibly able to exfiltrate data.

Another adversary to join the Exchange party in recent weeks was the group behind the Lemon Duck cryptocurrency botnet, which used “a fileless/web shell-less choice of direct PowerShell commands from w3wp (the IIS worker process) for some attacks,” but relied on a variety of exploit styles in others.

Although continuing to run their usual email-based campaigns, the Lemon Duck operators infiltrated multiple Exchange servers and developed into more of a malware loader than a simple miner, according to Microsoft.

Attacks on Exchange servers can continue to have an effect on organisations even after patches have been implemented, according to the company, due to the use of stolen credentials or persistent access.

“Attackers use a combination of on-premises Exchange Server vulnerabilities to get around security and write files and run malicious code. Updating to a supported Cumulative Update and installing all security patches is the safest and most complete remediation for these vulnerabilities,” Microsoft concludes.

Melina Richardson
Melina Richardson is a Cyber Security Enthusiast, Security Blogger, Technical Editor, Certified Ethical Hacker, Author at Cybers Guards. Previously, he worked as a security news reporter.