MS Exchange Servers Are Quickly Being Patched, But ProxyLogon Hackers Are Running Rampant
Black Hat hackers, or simply cybercriminals, can be effective in stealing, leaking, or encrypting data in efforts to extort money from organizations. With the advent of the ProxyLogon vulnerabilities for Microsoft Exchange servers, attackers are now taking advantage of the situation and may ramp up attacks in the coming weeks.
Earlier this week, we reported on BlackKingdom attempting to encrypt files on vulnerable Exchange servers and they are at it again. Yesterday, Microsoft Senior Threat Intelligence Analyst Kevin Beaumont reported that BlackKingdom ransomware had, in fact, encrypted files on his honeypot servers. What the criminals failed to do is exclude system critical files so when the system was turned off, it would not boot afterward. That is not all that helpful if you are trying to send a message and collect a ransom.
BlackKingdom ransomware on my personal servers. It does indeed encrypt files. They exclude c:\windows, however my storage drivers were in a different folder and it encrypted those... meaning the server doesn't boot any more. If you're reading BlackKingdom, exclude *.sys files pic.twitter.com/nUVUJTbcGO
— Kevin Beaumont (@GossiTheDog) March 23, 2021
Thankfully, as time goes on, vulnerable servers are decreasing in number, with Microsoft reporting “92% of worldwide Exchange IPs are now patched or mitigated.” That still leaves 8% vulnerable and many criminals will still go after those remaining targets. MalwareTech tweeted earlier today that the BlackKingdom ransomware is the worst he has seen with the potential of recursive encryption occurring.
Our work continues, but we are seeing strong momentum for on-premises Exchange Server updates:
— Security Response (@msftsecresponse) March 22, 2021
• 92% of worldwide Exchange IPs are now patched or mitigated.
• 43% improvement worldwide in the last week. pic.twitter.com/YhgpnMdlOX
