Earlier this year Microsoft Exchange servers were targeted by cybercriminals who used a known vulnerability to infect them with the Black Kingdom ransomware.
Now the cybersecurity firm Kaspersky has released a new report which provides further insight into how this ransomware strain works along with new details on the cybercriminals behind it.
While the Black Kingdom ransomware first appeared back in 2019, it became widely known back in March of this year when it was used in a campaign that exploited the ProxyLogon vulnerability, tracked as CVE-2021-27065, in Microsoft Exchange.
However, based on Kaspersky’s analysis of the ransomware, it is an amateurish implementation with several mistakes and a critical encryption flaw that could allow anyone to decrypt the files affected by it using a hardcoded key.
Black Kingdom ransomware
Although the end of goal of any ransomware strain is to encrypt a system’s files, the author of the Black Kingdom ransomware strain, which is coded in Python, decided to specify certain folders to be excluded from encryption.
The ransomware avoids encrypting the Windows, ProgramData, Program Files, Program Filex (x86), AppData/Roaming, AppData/LocalLow and AppData/Local files on a targeted system in order to avoid breaking it during encryption. However, the way in which the code that implements this functionality is written was a clear sign to Kaspersky that its creators may have been amateurs.
Ransowmare developers often end up making mistakes that can allow files to be decrypted easily or sometimes not at all. The Black Kingdom ransomware for instance tries to upload its encryption key to the cloud storage service Mega but if this fails, a hardcoded key is used to encrypt the files instead. If a system’s files have been encrypted and it is unable to make a connection to Mega, it will then be possible to recover these encrypted files using a hardcoded key.
Another mistake made by Black Kingdom’s creators and observed by Kaspersky’s researchers is the fact that all of their ransomware notes contain several mistakes as well as the same Bitcoin address. Other ransomware families provide a unique address for each victim which makes it much more difficult to…