The dangers of not patching enterprise systems in time were highlighted again in late March 2021 with news of the Black Kingdom ransomware. This strain began attacking Microsoft Exchange servers on March 18th, targeting servers that had not yet received the security updates Microsoft had released earlier in the month (out-of-band, on March 2nd) for the Exchange flaws collectively known as ProxyLogon.
The ransomware's entry point is CVE-2021-26855, which Microsoft titles "Microsoft Exchange Server Remote Code Execution Vulnerability". Technically it is a server-side request forgery (SSRF) in the Exchange front end: an unauthenticated attacker sends crafted HTTPS requests that the server forwards to its own back end, bypassing authentication and impersonating any user, including administrators. On its own it does not execute code; attackers chain it with a post-authentication arbitrary file write (CVE-2021-27065) to drop a web shell and run commands on the server. According to Microsoft, the chain was first exploited as a set of zero-days by Hafnium, a Chinese state-sponsored group, before other actors, including the Black Kingdom operators, adopted it.
How the Black Kingdom operates
Security researchers who investigated the attack found that the first Black Kingdom wave entered unpatched, vulnerable Exchange servers and dropped a ransom note demanding USD 10,000 in bitcoin, but in many cases did not actually encrypt anything. The note was a scare tactic meant to convince victims that their data had been encrypted and stolen.
Later reports showed the ransomware evolved and did encrypt files on compromised servers. Although the code appeared unsophisticated and not the work of a particularly advanced group, it still has enough potential to cause damage; one report said a victim had already paid roughly USD 9,400 in bitcoin. The low ransom, modest by ransomware standards, is itself a risk: it may tempt desperate enterprises to pay, which funds the operators, does not guarantee recovery and marks the organisation as a paying target for further attacks.
As a ransomware threat, Black Kingdom is an example of a danger that is not very sophisticated but can still do real damage. It is another lesson for enterprises to invest in anti-ransomware protection.
Patch regularly & often
The biggest protection against Black Kingdom and many other threats is regular, consistent patching. Microsoft Exchange is used by a huge number of enterprises, which makes it an attractive target for attackers. Vulnerabilities will continue to be found in widely used software; that is a given. Vendors generally release fixes quickly, but a fix only helps once it is installed, and in this case many servers were still unpatched more than two weeks after Microsoft shipped the updates. Enterprises that lack the discipline to patch consistently expose themselves to major risk. Two caveats apply to this incident in particular: patching closes the door but does not evict an attacker who is already inside, so any server that was reachable before the update must be checked for web shells and other indicators of compromise; and if a server cannot be patched immediately, restricting untrusted network access to its HTTPS front end reduces exposure in the meantime.
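Because patching alone does not remove a web shell that was dropped before the update, a practitioner's first post-patch step is to hunt for one. The following Python script is an added example, not code from the Seqrite post or from Microsoft: it walks a directory tree for ASPX-style files and flags content typical of one-line web shells (evaluation of request-supplied input, process launching), optionally limited to recently modified files. The directory layout, file names and sample contents are constructed for the demonstration; the drop paths mirror those reported publicly for this campaign but are assumptions here, and the names `SHELL_PATTERNS`, `hunt_web_shells` and `build_sample_tree` are mine.

```python
"""Hunt for ASPX web shells left behind on an Exchange front end (added example)."""
import os
import re
import tempfile
import time
from pathlib import Path

# Content patterns typical of one-line ASPX/JScript shells. These are illustrative,
# not an exhaustive signature set: a real hunt reads every hit by hand.
SHELL_PATTERNS = {
    "eval-of-request": re.compile(rb"eval\s*\(\s*Request", re.I),
    "jscript-eval": re.compile(rb"JScript\.Eval\s*\(|ExecuteGlobal\s*\(", re.I),
    "process-start": re.compile(rb"System\.Diagnostics\.Process|Process\.Start\s*\(", re.I),
    "request-to-file": re.compile(
        rb"Request\.(Form|QueryString|Item)\[[^\]]+\][^\n]{0,80}(FileStream|File\.WriteAll)", re.I
    ),
}

# Server-side script extensions IIS will execute if an attacker can write them.
SCRIPT_SUFFIXES = {".aspx", ".ashx", ".asmx"}


def hunt_web_shells(root, since_epoch=0.0):
    """Return a list of {"path", "indicators"} for script files under `root`
    modified at or after `since_epoch` whose content matches a shell pattern.
    Pass since_epoch=0 to ignore timestamps entirely (attackers can timestomp)."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_SUFFIXES:
            continue
        if path.stat().st_mtime < since_epoch:
            continue
        data = path.read_bytes()
        hits = [name for name, rx in SHELL_PATTERNS.items() if rx.search(data)]
        if hits:
            findings.append({"path": path.relative_to(root).as_posix(), "indicators": hits})
    return findings


def build_sample_tree(root):
    """Constructed fixture (assumed layout, not real Exchange files): one benign
    OWA page, one fresh web shell in a commonly reported drop directory, and one
    older suspicious file whose mtime is backdated 30 days."""
    root = Path(root)
    benign = root / "FrontEnd" / "HttpProxy" / "owa" / "auth" / "logon.aspx"
    shell = root / "inetpub" / "wwwroot" / "aspnet_client" / "system_web" / "help.aspx"
    stale = root / "inetpub" / "wwwroot" / "aspnet_client" / "old.aspx"
    for p in (benign, shell, stale):
        p.parent.mkdir(parents=True, exist_ok=True)
    benign.write_bytes(b'<%@ Page Language="C#" %>\n<form runat="server">Sign in</form>\n')
    shell.write_bytes(
        b'<script language="JScript" runat="server">'
        b'function Page_Load(){eval(Request["cmd"],"unsafe");}</script>'
    )
    stale.write_bytes(b'<script runat="server">Process.Start("cmd.exe");</script>')
    backdated = time.time() - 30 * 86400
    os.utime(stale, (backdated, backdated))
    return root


def run_demo():
    """Scan the fixture twice: a 7-day window and a full scan. Returns both result lists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        recent = hunt_web_shells(root, since_epoch=time.time() - 7 * 86400)
        everything = hunt_web_shells(root, since_epoch=0)
    return recent, everything


if __name__ == "__main__":
    recent, everything = run_demo()
    print("last 7 days:", recent)
    print("all files:  ", everything)
```

The modification-time window is only a triage convenience: the backdated file in the fixture shows how a timestomped shell slips past it, so the full scan with `since_epoch=0` across the Exchange install directory and the inetpub root is the one to rely on. Microsoft's Exchange team also published a PowerShell hunting script (Test-ProxyLogon.ps1) that checks Exchange's own logs for signs of exploitation; the two approaches complement each other.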
Incident Response planning
Every organization must have a structured, detailed Incident Response Plan that clearly articulates the rules of engagement for threats such as Black Kingdom. This limits chaos and gives responders a defined, methodical protocol to follow. The plan should also be tested regularly and updated whenever required.
Enterprises should deploy security solutions with built-in anti-ransomware protection. Seqrite's Endpoint Security (EPS) provides enterprises with the tools to protect their data. Using Seqrite's behaviour-based detection technology, EPS detects and blocks ransomware threats and regularly backs up data to a secured location so that files can be restored easily in the event of a ransomware attack.
The post All you need to know about the Black Kingdom ransomware targeting Exchange servers appeared first on Seqrite Blog.