A report released yesterday on the recent BlackKingdom ransomware by Sophos has revealed a detailed look at the ransomware’s inner workings. The report lists several indicators for detecting ProxyLogon (CVE-2021-27065) attacks by the group and walks through the recovered Python source code. One detail that surprised many is that unlike most ransomware variants, BlackKingdom does not bother to check if it has been run on the infected host before. Although it still appends a randomly generated file extension to each encrypted file, these are ultimately ignored by the ransomware itself. As pointed out by Marcus Hutchins on Twitter, several victims have been encrypted multiple times because of this oversight. Meaning that even victims who pay the ransom demands may not recover their files. Hutchins and Kevin Beaumont also point out that the ransomware does not exclude critical system files outside the C:Windows directory, leading to some infected hosts becoming unstable and unable to reboot.
Binary Defense highly recommends that all organizations who have yet to patch download Microsoft’s recently released One-Click Microsoft Exchange On-Premises Mitigation Tool. While this does not replace Windows Update in any way, it assists administrators in remediating the recent Exchange attacks (CVE-2021-26855). Binary Defense also highly recommends that organizations follow the guidance in the CISA (Cybersecurity & Infrastructure Agency) and NCSC (National Cyber Security Centre) ransomware guides. These guides contain detailed information for small and large businesses alike, describing how to backup and protect data, creating incident response plans and more.