Recently, operators of the Black Kingdom ransomware have been observed targeting organizations with unpatched Pulse Secure VPN server flaws to spread their ransomware. Originally detected by the Polish security company REDTEAM.PL, the threat actors seem to initially gain a foothold in networks by exploiting CVE-2019-11510, which was a critical Pulse VPN flaw patched in April 2019. Once a foothold is established, encoded PowerShell will be used to download and execute a reverse shell giving the threat actors full control over infected victims.
Current ransoms are set at $10,000 USD, but analysis of the Bitcoin address listed in the ransom instructions shows that only two incoming transactions totaling a little over $5000 USD have been paid. If victims do not pay the ransom, the criminals threaten to destroy or sell the data. It is not clear whether the threat actors behind the Black Kingdom actually steal copies of files before encrypting them, but other ransomware groups have recently auctioned or freely distributed files that they allegedly stole from victims after failing to negotiate a ransom payment.
Analyst Notes
Recommendations: The vulnerability these actors are abusing was patched in April 2019. Binary Defense recommends patching all vulnerable systems. If patching is not an option, CISA has produced an excellent writeup on detecting and mitigating this flaw in environments: https://www.us-cert.gov/ncas/alerts/aa20-107a. In any case, critical servers and workstations should be continuously monitored for signs of intrusions by detecting attacker behaviors and cutting off remote access before the attackers have a chance to expand their access to critical servers and launch ransomware programs. The chain of events leading up to Black Kingdom ransomware can be recognized and stopped by Endpoint Detection and Response (EDR) software, as long as there are security analysts monitoring events.
https://www.bleepingcomputer.com/news/security/black-kingdom-ransomware-hacks-networks-with-pulse-vpn-flaws/
