Cybersecurity company Cyberint has released a proof-of-concept (PoC) Python script to decrypt files encrypted by the Black KingDom ransomware. Black KingDom, responsible for infecting thousands of vulnerable Microsoft Exchange servers, took advantage of the recent “ProxyLogon” set of vulnerabilities to spread. Like most ransomware, it randomly generated its encryption key. However, the actors decided to utilize the cloud storage provider Mega to exfiltrate a text file containing the encryption key and victim identifier rather than protecting the key through asymmetric cryptography which uses a public and private pair of keys. To ensure that victims’ files would still be encrypted in the event that the account was no longer accessible, the actors also hardcoded an encryption key. As luck would have it, the actors lost control of the account and infections began using the hardcoded key. It is not currently known whether or not Mega will intervene to release encryption keys that were successfully uploaded.
Analyst Notes
Binary Defense strongly recommends all administrators patch Exchange servers if they have not already done so. Microsoft has released the “One-Click Microsoft Exchange On-Premises Mitigation Tool” to make it as easy as possible. Any victims of the Black KingDom ransomware are advised to read through the Python script provided by Cyberint which takes advantage of the hardcoded encryption key to decrypt some victim’s files. Binary Defense also highly recommends that all organizations follow guidance in the CISA (Cybersecurity & Infrastructure Agency) and NCSC (National Cyber Security Centre) ransomware guides. These guides contain detailed information for small and large businesses alike, describing how to backup and protect data, creating incident response plans and more.
Source: https://blog.cyberint.com/black-kingdom-ransomware
