Cybersecurity company Cyberint has released a proof-of-concept (PoC) Python script to decrypt files encrypted by the Black KingDom ransomware. Black KingDom, responsible for infecting thousands of vulnerable Microsoft Exchange servers, took advantage of the recent “ProxyLogon” set of vulnerabilities to spread. Like most ransomware, it randomly generated its encryption key. However, the actors decided to utilize the cloud storage provider Mega to exfiltrate a text file containing the encryption key and victim identifier rather than protecting the key through asymmetric cryptography which uses a public and private pair of keys. To ensure that victims’ files would still be encrypted in the event that the account was no longer accessible, the actors also hardcoded an encryption key. As luck would have it, the actors lost control of the account and infections began using the hardcoded key. It is not currently known whether or not Mega will intervene to release encryption keys that were successfully uploaded.
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in