
Black Kingdom

Caleb Boma | March 19th, 2021


Article last updated *3/25*

SpearTip’s engineers are tracking another change in the evolving Microsoft Exchange vulnerabilities. Our engineers are heavily monitoring this change in tactics to successfully defend against threat actors leveraging the vulnerability.

Details of Black Kingdom Ransomware Attack

Black Kingdom (also known as DEMON or DemonWare) is the latest malware seen within networks leveraging the Microsoft Exchange vulnerabilities as an initial entry point to push ransomware. The vulnerabilities continue to be heavily exploited; the large uptick in ransomware cases related to them began around March 2nd, when public alerting began and proof-of-concept exploits were released.

The Black Kingdom ransomware threat actors have in the past relied heavily on exploiting Pulse Secure VPN vulnerabilities; based on available information, it now appears they are improving their initial access strategy. Black Kingdom has caught even more attention due to its file extensions, typically black_kingdom, .DEMON, or .death.

Black Kingdom ransomware is unique in the way it packages and executes its payload. Instead of using typical memory injection techniques, Black Kingdom uses PyInstaller to package Python applications into stand-alone executables. (During our initial discovery, Black Kingdom was using py2exe to create executables.) After creating the package, the ransomware group first pushes Python to a machine using PyInstaller, then pushes the ransomware executable so that it can run.
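As an added triage example (not SpearTip's tooling and not code from the article), the script below walks a directory tree and flags the two artifacts the text describes: files carrying the reported Black Kingdom extensions, and executables built with PyInstaller. PyInstaller detection relies on the cookie magic that PyInstaller's bootloader archive format writes into every packaged binary; the sample directory, the file names and the fake "bundle" are constructed for the example so it runs offline.

```python
"""Triage helper for artifacts consistent with the Black Kingdom activity
described above (constructed example, not SpearTip's own code).

Checks:
  1. File names ending in one of the reported ransomware extensions.
  2. Executables packaged with PyInstaller, identified by the archive
     cookie magic PyInstaller appends to the bootloader executable.
py2exe bundles (also mentioned in the article) are not covered here.
"""
import tempfile
from pathlib import Path

# Extensions the article reports for Black Kingdom encrypted files.
# Matching is case-insensitive on the last dotted component of the name.
RANSOM_EXTENSIONS = {"black_kingdom", "demon", "death"}

# PyInstaller's CArchive cookie magic (b'MEI\014\013\012\013\016').
# Its presence is a strong indicator the file is a PyInstaller bundle.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def has_ransom_extension(name: str) -> bool:
    """True if the file name ends in a reported Black Kingdom extension."""
    if "." not in name:
        return False
    return name.rsplit(".", 1)[-1].lower() in RANSOM_EXTENSIONS


def is_pyinstaller_bundle(path: Path) -> bool:
    """True if the PyInstaller cookie magic appears anywhere in the file.

    The cookie sits at the end of the appended archive, but a code
    signature or overlay may follow it, so the whole file is searched
    rather than only a fixed tail.
    """
    return PYINSTALLER_MAGIC in path.read_bytes()


def scan_tree(root: Path) -> dict:
    """Walk root and return POSIX-style relative paths bucketed by finding."""
    findings = {"ransom_extension": [], "pyinstaller_bundle": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if has_ransom_extension(path.name):
            findings["ransom_extension"].append(rel)
        if is_pyinstaller_bundle(path):
            findings["pyinstaller_bundle"].append(rel)
    return findings


def build_sample_tree() -> Path:
    """Constructed sample data: benign files, two 'encrypted' names and a
    stub executable carrying only the PyInstaller cookie. Not real malware."""
    root = Path(tempfile.mkdtemp(prefix="bk_triage_"))
    (root / "docs").mkdir()
    (root / "docs" / "budget.xlsx").write_bytes(b"PK\x03\x04 plain spreadsheet")
    (root / "docs" / "budget.xlsx.DEMON").write_bytes(b"\x00" * 64)
    (root / "docs" / "notes.txt.death").write_bytes(b"\x00" * 64)
    (root / "tools").mkdir()
    (root / "tools" / "helper.exe").write_bytes(b"MZ" + b"\x00" * 200)
    (root / "tools" / "updater.exe").write_bytes(
        b"MZ" + b"\x00" * 200 + PYINSTALLER_MAGIC + b"\x00" * 24
    )
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for bucket, paths in scan_tree(sample_root).items():
        print(f"{bucket}: {paths}")
```

Run it as-is to see the constructed hits; point `scan_tree` at a real share or endpoint image to triage. A PyInstaller hit on its own is not malicious (plenty of legitimate tools ship that way), so treat it as a pivot for further review rather than a verdict.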

SpearTip has collected research from multiple environments showing Black Kingdom attempting to run ransomware after initial exploitation of the available Microsoft Exchange vulnerabilities. With patches readily available, it is more important than ever not only to patch your systems but to deploy monitoring tools that stop these threats from running in your environment. Having a Security Operations Center monitoring your environment 24/7 gives you a leg up on threat actors.

The Exchange vulnerabilities affect the following servers:

Microsoft Exchange Server 2013

Microsoft Exchange Server 2016

Microsoft Exchange Server 2019

SpearTip has seen an extremely large increase in the likelihood of ransomware being deployed when companies did not patch Exchange servers after the initial alert earlier this month. This Exchange vulnerability gives full access to an environment for dumping credentials and, in this case, deploying ransomware.

SpearTip constantly monitors partners for threats related to the Exchange vulnerability and is actively monitoring other threat actors utilizing the Exchange vulnerability to push ransomware and steal data.
