Recently, operators of the Black Kingdom ransomware have been observed targeting organizations with unpatched Pulse Secure VPN servers in order to spread their ransomware. Originally detected by the Polish security company REDTEAM.PL, the threat actors appear to gain an initial foothold in networks by exploiting CVE-2019-11510, a critical Pulse Secure VPN flaw patched in April 2019. Once a foothold is established, encoded PowerShell is used to download and execute a reverse shell, giving the threat actors full control over infected victims.
Current ransoms are set at $10,000 USD, but analysis of the Bitcoin address listed in the ransom instructions shows only two incoming transactions, totaling a little over $5,000 USD. If victims do not pay the ransom, the criminals threaten to destroy or sell the data. It is not clear whether the threat actors behind Black Kingdom actually steal copies of files before encrypting them, but other ransomware groups have recently auctioned or freely distributed files they allegedly stole from victims after failing to negotiate a ransom payment.