A report released yesterday by Sophos on the recent BlackKingdom ransomware gives a detailed look at the ransomware's inner workings. The report lists several indicators for detecting the group's ProxyLogon (CVE-2021-27065) attacks and walks through the recovered Python source code. One detail that surprised many is that, unlike most ransomware variants, BlackKingdom does not check whether it has already been run on the infected host. Although it still appends a randomly generated file extension to each encrypted file, the ransomware itself ultimately ignores these extensions. As Marcus Hutchins pointed out on Twitter, this oversight has caused several victims to be encrypted multiple times, meaning that even victims who pay the ransom may not recover their files. Hutchins and Kevin Beaumont also note that the ransomware does not exclude critical system files outside the C:\Windows directory, leaving some infected hosts unstable and unable to reboot.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia's invasion of Ukraine increased