Microsoft Exchange Servers have faced another series of attacks conducted by a gang of hackers who used ransomware. The attack has exploited several organizations that were unprepared for what was happening.
The ransomware, called "Black Kingdom," was seen as the culprit in infecting over 100,000 servers. Even though the company has already created an emergency patch, the vulnerabilities of the servers just kept growing.
Microsoft Exchange Servers Suffers a Second Attack from Ransomware Gang
In a report by ZDNET, 92% of the entire Exchange servers were reported to be extremely vulnerable, but now Microsoft acted upon this problem through its mitigation techniques.
According to the Security Response Team, the emergency patch has led to a 43% improvement compared to the attack that happened last week.
"The Black Kingdom," also known as the DemonWare, or the Demon, has been demanding $100,000 from Microsoft. Security researchers stated that the said amount would be used to recover the encrypted data affected by the attack.
Previously, the same malware has already invaded the company's email by exposing an alarming rate of vulnerability of the Exchange servers.
Speartip reported that last week, Black Kingdom was discovered to have no ability to encrypt the system's files, as Kryptos Logic security researcher Marcus Hutchins said. The hackers exploited the attacks by putting a web shell through an open URL that anyone can access.
On Tuesday, Mar. 23, the inability of the malware to encrypt files was confirmed by Kevin Beaumont, Microsoft's Threat Intelligence analyst. The Black Kingdom was discovered in February and June when the Red Team found it out.
In many cases, the ransomware relies on a different encryption method where the data can be retrieved without ransom payment.
Patching Will Not Suffice to Address the Attack
Microsoft said that there was another variation of the ransomware. Its name was "DearCry," which focuses on the Hafnium-infected exchange servers.
Hafnium is a Chinese company sponsored by hackers. It was known to be the first user of ProxyLogon, the name of the chained attack that manipulated the entire Exchange servers.
It was also reported that the team behind the "DearCry" ransomware attached another system that they will use to infect other servers. Earlier this March, there were about 120,000 systems that are subject to vulnerability issues.
Even though Microsoft has already applied patching servers, it was still not a reliable solution to solve the attacks. The possibility of being infected was still high regardless if the system has already received a security update.
If you want to learn how to run the mitigation script provided by Microsoft, click here. This will help the organizations to be aware of the upcoming attacks of malware in the future. This will also make them more prepared, but for now, improving the security response to the issue could at least alleviate the problem.
Related Article : 11 Zero-Day Vulnerabilities Recorded - Android, iOS, and Windows Devices Are Infected
This article is owned by Tech Times.
Written by Joen Coronel