Originally reported by Bleeping Computer, security researcher Marcus Hutchins recently uncovered a ransomware campaign leveraging the ProxyLogon vulnerabilities in order to spread and infect a wide variety of targets with the BlackKingdom Ransomware. While Hutchins only saw the ransomware drop the “readme.txt” ransom note, Michael Gillespie of ID Ransomware states that his system has seen over 30 unique submissions for this family, with many being submitted from mail servers.
Analyst Notes
As this ransomware leverages the ProxyLogon vulnerabilities, Binary Defense recommends patching if not already done so. Additionally, Microsoft’s MSERT tool can now be used to find web shells from Exchange Server Attacks. Finally, if patching is not an option, Microsoft has released an automatic ProxyLogon mitigation for Microsoft Defender.
https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-now-targeted-by-blackkingdom-ransomware/
