Caleb Boma | March 19th, 2021

Article last updated *3/25*

SpearTip’s engineers are tracking another change in the evolving Microsoft Exchange vulnerabilities. Our engineers are heavily monitoring this change in tactics to successfully defend against threat actors leveraging the vulnerability.

Black Kingdom (also known as DEMON or DemonWare) is the latest malware seen within networks leveraging the Microsoft Exchange vulnerabilities as an initial entry point to push ransomware. The vulnerabilities continue to be heavily exploited with the large uptick in ransomware cases related to these vulnerabilities beginning around March 2nd when public alerting began along with proof of concept exploits being released.

The Black Kingdom ransomware threat actors in the past have relied heavily on exploiting Pulse Secure VPN vulnerabilities, now based on available information it appears they are improving their initial access strategy. Black Kingdom caught even more attention due to their file extensions typically black_kingdom, .DEMON, or .death.

Black Kingdom ransomware is unique in the way they package and execute their ransomware. Instead of using typical memory injection techniques, Black Kingdom uses PyInstaller to package Python applications into stand-alone executables. (During our initial discovery, Black Kingdom was using py2exe to create executables.) After creation, the ransomware group will first push python to a machine using PyInstaller followed by pushing the ransomware executable to allow it to operate effectively.

SpearTip has collected research from multiple environments showing Black Kingdom attempting to run ransomware after initial exploitation of the available Microsoft exchange vulnerabilities. With patches readily available, it is more important than ever to not only patch your system, but to deploy monitoring tools to stop these threats from running in your environment. Having a Security Operations Center monitoring your environment 24/7 gives you a leg up on threat actors.

The Exchange vulnerabilities affect the following servers:

Microsoft Exchange server 2013

Microsoft Exchange server 2016

Microsoft Exchange server 2019

SpearTip has seen an extremely large increase in the likelihood of ransomware being deployed when companies did not patch exchange servers past the initial alerting earlier this month. This exchange vulnerability gives full access to an environment for dumping credentials and in this case, deploying ransomware.

SpearTip constantly monitors partners for threats related to the Exchange vulnerability and is actively monitoring for other threat actors utilizing the Exchange vulnerability to push ransomware and steal data.