
Ransomware operators are piling on already hacked Exchange servers

by Dan Goodin, from Ars Technica

Microsoft Exchange servers compromised in a first round of attacks are getting infected for a second time by a ransomware gang that is trying to profit from a rash of exploits that caught organizations around the world flat-footed.

The ransomware (known as Black Kingdom, DEMON, and DemonWare) is demanding $10,000 for the recovery of encrypted data, security researchers said. The malware is getting installed on Exchange servers that were previously infected by attackers exploiting a critical vulnerability in the Microsoft email program. Attacks started while the vulnerability was still a zero-day. Even after Microsoft issued an emergency patch, as many as 100,000 servers that didn't install it in time were infected.

Opportunity knocks

The hackers behind those attacks installed a web shell that allowed anyone who knew the URL to completely control the compromised servers. Black Kingdom was spotted last week by security firm SpearTip. Marcus Hutchins, a security researcher at security firm Kryptos Logic, reported on Sunday that the malware didn't actually encrypt files.
