Security Researcher Lures Microsoft Exchange Ransomware Bandits With Sweet Honeypot
This month, Microsoft Exchange vulnerabilities have been cropping up, and bad actors are looking to take advantage of them. It has been rumored, yet not confirmed, that the recent Acer hack stemmed from the Microsoft Exchange vulnerabilities. Now, another group of advantageous criminals are using the Exchange vulnerabilities in an attempt to spook businesses and organizations, it seems.
Over the weekend, security researcher Marcus Hutchins, who goes by MalwareTechBlog on Twitter, reported that he had caught someone running a script on his Exchange servers. The malicious actor, called BlackKingdom, ended up only putting a ransom note in all folders in the D, I, and E drives on the computer.
Someone just ran this script on all vulnerable Exchange servers via ProxyLogon vulnerability. It claims to be BlackKingdom "Ransomware", but it doesn't appear to encrypt files, just drops a ransom not to every directory. pic.twitter.com/POYlPYGjsz
— MalwareTech (@MalwareTechBlog) March 21, 2021
Based on the logs, the attacker had also previously tried to execute a PowerShell script which would have grabbed a malicious piece of software. In this case, it would not have mattered much as the way he caught the attacker was by a honeypot; a method to lure in someone malicious and sniff them out.
Moreover, as the attacker only left a ransom note and made no other changes, their initial malware probably did not work or as well as desired. Either way, there are still people out looking for vulnerable systems, and admins need to be aware of it, even if the attackers are sometimes declawed. Ultimately, this will not be the last we hear of attackers taking advantage of Exchange servers, so stay tuned to HotHardware for updates.Black Kingdom switching from actual ransomware to scareware which claims your files were uploaded would suggest the ransomware wasn't working well. The bitcoin address appears to be static, and so far they've received only 1 payment in 3 days. https://t.co/MSQqUogbTq
— MalwareTech (@MalwareTechBlog) March 21, 2021
