According to Sophos, the Black KingDom ransomware is not the most sophisticated payload; analysis shows that it is somewhat rudimentary in its composition, but it can still cause a great deal of damage to users of Exchange servers. It targets the on-premises version of Microsoft Exchange Server by abusing ProxyLogon, the remote code execution (RCE) vulnerability.
Sophos telemetry detected the ransomware on March 18, targeting Exchange servers that were unpatched against the ProxyLogon vulnerabilities, alongside the DearCry ransomware attacks reported last week.
How does the Black KingDom ransomware spread on Exchange servers?
Black KingDom ransomware was orchestrated from a remote server with the IP address 220.127.116.11, which corresponds to Germany, and the threat actors operated from 18.104.22.168. Both IP addresses belong to a Tor exit node, however, which makes it impossible to know exactly where the attackers are located.
After successfully breaching an on-premises Microsoft Exchange Server, the attacker delivered a webshell by abusing the remote code execution (RCE) vulnerability also known as ProxyLogon.
The webshell provides remote access to the server, allowing the execution of arbitrary commands. The ransomware binary itself is based on a Python script compiled into an executable via PyInstaller. The Sophos researchers were able to decompile the binary to its original source code to understand the ransomware’s functions.
The source code was named 0xfff.py; “fff” is the hexadecimal value for the decimal number 4095, though its significance remains a mystery.
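As an added example (not Sophos's code and not part of the original article), this is one way a responder could triage a suspicious executable for the PyInstaller packaging described above: find the CArchive cookie appended to the bootloader and list the embedded script names. The cookie and table-of-contents layouts are assumed to be those of PyInstaller 2.1 and later, and the sample bytes and entry names are constructed.

```python
import struct

MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"    # magic at the start of the CArchive cookie
COOKIE = struct.Struct("!8sIIii64s")  # magic, package len, TOC offset, TOC len, pyver, pylib
ENTRY = struct.Struct("!iIIIBc")      # entry size, data offset, clen, ulen, flag, typecode

def pyinstaller_toc(data):
    """Return [(typecode, name), ...] for a PyInstaller bundle, or None if not one."""
    pos = data.rfind(MAGIC)           # cookie sits at the end of the appended archive
    if pos < 0 or pos + COOKIE.size > len(data):
        return None
    _, pkg_len, toc_off, toc_len, _pyver, _pylib = COOKIE.unpack_from(data, pos)
    pkg_start = pos + COOKIE.size - pkg_len
    toc_start, toc_end = pkg_start + toc_off, pkg_start + toc_off + toc_len
    if pkg_start < 0 or toc_end > pos:
        return None                   # offsets point outside the file: not a valid archive
    entries, cur = [], toc_start
    while cur + ENTRY.size <= toc_end:
        size, _off, _clen, _ulen, _flag, typ = ENTRY.unpack_from(data, cur)
        if size < ENTRY.size or cur + size > toc_end:
            return None               # malformed table of contents
        name = data[cur + ENTRY.size:cur + size].split(b"\0", 1)[0]
        entries.append((typ.decode("latin-1"), name.decode("utf-8", "replace")))
        cur += size
    return entries

def embedded_scripts(data):
    """Names of entries with typecode 's' (Python scripts run at start-up)."""
    return [name for typ, name in (pyinstaller_toc(data) or []) if typ == "s"]

def build_sample(entries):
    """Constructed stand-in for a bundle: fake stub + payload + TOC + cookie."""
    stub, body, toc = b"MZ" + b"\0" * 62, b"placeholder", b""
    for typ, name in entries:
        raw = name.encode() + b"\0"
        toc += ENTRY.pack(ENTRY.size + len(raw), 0, len(body), len(body), 0, typ) + raw
    pkg_len = len(body) + len(toc) + COOKIE.size
    cookie = COOKIE.pack(MAGIC, pkg_len, len(body), len(toc), 37, b"python37.dll")
    return stub + body + toc + cookie

if __name__ == "__main__":
    sample = build_sample([(b"s", "0xfff"), (b"z", "PYZ-00.pyz")])  # constructed names
    print(pyinstaller_toc(sample))
    print(embedded_scripts(sample))
    print(pyinstaller_toc(b"MZ" + b"\0" * 200))
```

On a real file, pass the bytes read from disk to `embedded_scripts`; a non-empty result only shows that the executable is a PyInstaller bundle and names its entry scripts, which is a triage signal rather than a verdict.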
How to Detect Black KingDom ransomware attacks
The Black KingDom ransomware payload can be detected as Troj/Ransom-GFU, Troj/Ransom-GFV and Troj/Ransom-GFP, or simply by the CryptoGuard capability within the Sophos endpoint protection product Intercept X. SophosLabs has also published indicators of compromise to GitHub.
Threat hunters running Sophos EDR may also use the queries posted here to find further indicators of compromise on their networks.