Black Kingdom

Caleb Boma | March 19th, 2021


Article last updated *3/25*

SpearTip’s engineers are tracking another shift in how the Microsoft Exchange vulnerabilities are being exploited. Our engineers are closely monitoring this change in tactics so that we can defend against threat actors leveraging the vulnerability.

Details of Black Kingdom Ransomware Attack

Black Kingdom (also known as DEMON or DemonWare) is the latest malware seen within networks leveraging the Microsoft Exchange vulnerabilities as an initial entry point to push ransomware. The vulnerabilities continue to be heavily exploited; the large uptick in ransomware cases related to them began around March 2nd, when public alerting began and proof-of-concept exploits were released.

In the past, the Black Kingdom ransomware threat actors relied heavily on exploiting Pulse Secure VPN vulnerabilities; based on available information, it now appears they are improving their initial access strategy. Black Kingdom has drawn even more attention because of the file extensions it appends to encrypted files, typically .black_kingdom, .DEMON, or .death.

Black Kingdom ransomware is unique in the way it packages and executes its payload. Instead of using typical memory injection techniques, Black Kingdom uses PyInstaller to package Python applications into stand-alone executables. (During our initial discovery, Black Kingdom was using py2exe to create executables.) After building the executable, the ransomware group first pushes Python to a machine using PyInstaller, then pushes the ransomware executable so that it can operate effectively.
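As an added defender-side example that is not part of SpearTip's write-up or tooling, the following Python script hunts for the two traits described in the two paragraphs above: files carrying the .black_kingdom, .DEMON or .death extensions, and executables built with PyInstaller, which can be recognized by the fixed archive cookie PyInstaller appends to every bundle it produces. The sample files it scans are constructed inline, the cookie value is PyInstaller's own CArchive magic, and the helper names are my own.

```python
"""Hunting helper for the two Black Kingdom traits described above.

Added example, not SpearTip tooling.  It looks for:
  1. files carrying the extensions the write-up names
     (.black_kingdom, .DEMON, .death), compared case-insensitively;
  2. PyInstaller-built executables, identified by the archive cookie
     b"MEI\\x0c\\x0b\\x0a\\x0b\\x0e" that PyInstaller appends to every
     bundle.  Plenty of legitimate software is built with PyInstaller,
     so such a hit is a triage lead, not a verdict.
"""
import os
import tempfile
from typing import Dict, List

RANSOM_EXTENSIONS = {".black_kingdom", ".demon", ".death"}   # from the article, lower-cased
PYINSTALLER_COOKIE = b"MEI\x0c\x0b\x0a\x0b\x0e"               # PyInstaller CArchive magic
MAX_READ = 64 * 1024 * 1024                                   # skip anything larger; keeps the sweep cheap


def has_ransom_extension(path: str) -> bool:
    """True if the final extension matches one Black Kingdom has used."""
    return os.path.splitext(path)[1].lower() in RANSOM_EXTENSIONS


def is_pyinstaller_binary(data: bytes) -> bool:
    """True if the PyInstaller archive cookie appears in the file bytes."""
    return PYINSTALLER_COOKIE in data


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk `root` and bucket suspicious files by the indicator they matched."""
    findings: Dict[str, List[str]] = {"ransom_extension": [], "pyinstaller_binary": []}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if has_ransom_extension(path):
                findings["ransom_extension"].append(path)
            try:
                if os.path.getsize(path) > MAX_READ:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable or removed mid-scan; move on
            if is_pyinstaller_binary(data):
                findings["pyinstaller_binary"].append(path)
    return findings


def build_sample_tree(root: str) -> None:
    """Constructed sample files for an offline demo (no real malware involved)."""
    os.makedirs(os.path.join(root, "Finance"), exist_ok=True)
    samples = {
        "Finance/budget.xlsx.black_kingdom": b"\x00" * 64,      # encrypted-looking blob
        "notes.txt.DEMON": b"\xff" * 64,
        "clean.docx": b"PK\x03\x04" + b"\x00" * 60,              # ordinary Office zip header
        # fake PyInstaller bundle: MZ stub followed by the archive cookie
        "setup.exe": b"MZ" + b"\x00" * 62 + PYINSTALLER_COOKIE + b"\x00" * 16,
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(content)


def demo() -> Dict[str, int]:
    """Build the sample tree, scan it, and return per-indicator hit counts."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return {key: len(paths) for key, paths in scan_tree(root).items()}


if __name__ == "__main__":
    print(demo())  # expected: {'ransom_extension': 2, 'pyinstaller_binary': 1}
```

Point `scan_tree` at a file share or user profile root to sweep it; a PyInstaller hit on an unexpected binary in a temp or Exchange web directory is worth pulling for analysis, while an extension hit indicates encryption has already started and the host should be isolated.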

SpearTip has collected research from multiple environments showing Black Kingdom attempting to run ransomware after initial exploitation of the Microsoft Exchange vulnerabilities. With patches readily available, it is more important than ever not only to patch your systems but to deploy monitoring tools that stop these threats from running in your environment. Having a Security Operations Center monitoring your environment 24/7 gives you a leg up on threat actors.

The Exchange vulnerabilities affect the following servers:

Microsoft Exchange Server 2013

Microsoft Exchange Server 2016

Microsoft Exchange Server 2019

SpearTip has seen an extremely large increase in the likelihood of ransomware being deployed when companies did not patch their Exchange servers after the initial alert earlier this month. This Exchange vulnerability gives full access to an environment for dumping credentials and, in this case, deploying ransomware.

SpearTip constantly monitors partners for threats related to the Exchange vulnerability and is actively monitoring other threat actors utilizing the Exchange vulnerability to push ransomware and steal data.

