A new Python-coded malware is now targeting Microsoft Exchange servers. Experts say a flaw in it can allow the files it encrypts to be decrypted.
Security experts confirmed that Microsoft Exchange servers are currently in danger, since a new Python-coded malware is targeting them. Microsoft is no stranger to breaches and other security threats.
Earlier this year, Microsoft Exchange servers were targeted by cybercriminals who used a known vulnerability to infect them with the Black Kingdom ransomware. And now, a new Python-coded malware is once again targeting these servers.
The cybersecurity firm Kaspersky has released a new report that provides further insight into how this ransomware strain works, along with new details on the cybercriminals behind the new Python-coded malware.
While the Black Kingdom ransomware first appeared in 2019, it became widely known in March of this year, when it was used in a campaign that exploited the ProxyLogon vulnerability, tracked as CVE-2021-27065, in Microsoft Exchange.
However, based on Kaspersky's analysis, the ransomware is an amateurish implementation with several mistakes and a critical encryption flaw that could allow anyone to decrypt the files it affects using a hardcoded key. To give you a better idea of how serious the new Python-coded malware is, here are the details.
Black Kingdom ransomware
Although the end goal of any ransomware strain is to encrypt a system's files, the author of the Black Kingdom ransomware strain, which is coded in Python, decided to specify certain folders to be excluded from encryption.
This allows the new computer virus to skip the Windows, ProgramData, Program Files, Program Files (x86), AppData/Roaming, AppData/LocalLow, and AppData/Local folders on a targeted system, so that the system is not broken during encryption.
Although this is quite effective, security researchers confirmed that the developers of the new computer virus are still newbies or amateurs. Ransomware developers of this kind often end up making mistakes that either allow files to be decrypted easily or, sometimes, leave them impossible to decrypt at all.
In the case of the Black Kingdom computer virus, the malware tries to upload its encryption key to the cloud storage service Mega. The experts involved explained that, when this upload fails, the malware falls back to a hardcoded key to encrypt the files. So if a system's files were encrypted while the malware was unable to connect to Mega, they can be recovered using that hardcoded key.
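As an added illustration (not Kaspersky's code and not the Black Kingdom sample), the toy model below mirrors the key-handling logic described above: a per-victim key is supposed to be uploaded before use, and when the upload fails the code falls back to a hardcoded constant. The recovery side shows why that is a critical flaw for the attacker and a gift for the incident responder: decrypting with the known constant and checking for a known file signature is enough to tell which files were hit in the fallback path. The cipher (a SHA-256 keystream XOR), the upload stand-in, the key value and the sample plaintext are all constructed placeholders.

```python
"""Toy model of a hardcoded-fallback-key flaw, written for illustration only.
Nothing here reproduces the real malware's cipher, key or upload code."""
import hashlib
import os
from typing import Optional

# Constructed placeholder; the real sample's hardcoded key is not reproduced here.
HARDCODED_FALLBACK_KEY = b"EXAMPLE-HARDCODED-KEY-PLACEHOLDER"

# Known file signatures an analyst can use to validate a candidate decryption.
KNOWN_MAGIC = (b"%PDF", b"PK\x03\x04", b"\x89PNG")


def keystream(key: bytes, length: int) -> bytes:
    """Constructed stand-in cipher: SHA-256 over (key || counter) in counter mode."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with the keystream; the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def upload_key(key: bytes, network_available: bool) -> bool:
    """Stand-in for pushing the key to cloud storage; succeeds only if 'online'."""
    return network_available


def select_key(network_available: bool) -> bytes:
    """The flawed pattern: a fresh random key if it could be uploaded,
    otherwise the hardcoded constant that every analyst can read out of the code."""
    key = os.urandom(32)
    if upload_key(key, network_available):
        return key
    return HARDCODED_FALLBACK_KEY


def try_recover(ciphertext: bytes) -> Optional[bytes]:
    """Responder side: decrypt with the hardcoded key and accept the result
    only if it starts with a known file signature (i.e. the fallback path was used)."""
    candidate = xor_bytes(ciphertext, HARDCODED_FALLBACK_KEY)
    for magic in KNOWN_MAGIC:
        if candidate.startswith(magic):
            return candidate
    return None


def demo(network_available: bool) -> Optional[bytes]:
    """Encrypt a constructed sample under the selected key, then attempt recovery.
    Returns the recovered plaintext, or None when the random (uploaded) key was used."""
    sample = b"%PDF-1.7 constructed sample document"
    ciphertext = xor_bytes(sample, select_key(network_available))
    return try_recover(ciphertext)


if __name__ == "__main__":
    print("upload failed  ->", demo(network_available=False))
    print("upload worked  ->", demo(network_available=True))
```

The point for a responder is the validation step: a hardcoded key only helps if the result can be recognised, so checking file signatures (or any other known plaintext) is what turns "we know the constant" into "these files are recoverable".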
Other Mistakes of Black Kingdom Developers
Security experts said that, since the developers and other malicious creators of the new computer virus are amateurs, they still tend to make various mistakes. One of these is the fact that all of their ransom notes contain several mistakes as well as the same Bitcoin address.
This is a major flaw, since most computer virus strains usually use different URLs so that they will not be easily caught. On the other hand, security experts confirmed that these hackers are actually capable cybercriminals, since they are paid to look for flaws or find new malware that could easily breach various systems, such as Microsoft Exchange.
As of the moment, the new computer virus has not yet been used in serious breaches. However, if other illegal hackers find ways to use this new malware, it will be troublesome, since they could enhance it to perfection.