Connect with us

Hi, what are you looking for?


How Sophos Uncovered ‘Black Kingdom’ Ransomware Taking Advantage of ProxyLogon Vulnerabilities

Following the reporting of the Microsoft Exchange vulnerabilities and the out-of-band release of security patches on March 2, a growing number of new adversaries are exploiting these bugs to launch attacks, a global cyber security company, Sophos, has discovered.  

Last week Sophos reported on attacks by DearCry ransomware.

To this end, Sophos has published “Black Kingdom Ransomware Begins Appearing on Exchange Servers,” detailing Black Kingdom ransomware that has been targeting Exchange servers that remain unpatched against the ProxyLogon vulnerabilities.

In the report, Sophos said that the Black KingDom ransomware is far from the most sophisticated payload we’ve seen. In fact, the early analysis by Sophos reveals that it is somewhat rudimentary and amateurish in its composition, but it can still cause a great deal of damage.

“It may be related to a ransomware of the same name that appeared last year on machines that, at the time, were running a vulnerable version of the Pulse Secure VPN concentrator software”, Sophos said.

Delivered through a webshell that was sent over Tor

The delivery of Black KingDom was orchestrated from a remote server with an IP address that geolocates to Germany,, while the attacker operated from

Unfortunately, because both IP addresses belong to a Tor exit node, it’s impossible to know where the attackers are physically located.

The threat actor exploited the on-premises versions of Microsoft Exchange Server, abusing the remote code execution (RCE) vulnerability also known as ProxyLogon (CVE-2021-27065).

After successfully breaching the Exchange server, the adversary delivered a webshell. This webshell offers remote access to the server and allows the execution of arbitrary commands.

Some of the key findings are summarized in the following commentary from Mark Loman, a ransomware expert at Sophos and director, engineering technology office, thus:

It’s been three weeks since the release of security patches for the ProxyLogon vulnerabilities, and adversaries are racing against time to target still unpatched Exchange servers. As we saw with DearCry ransomware, this can lead to the release of prototype, rushed or poor quality code created by less experienced developers. Today we report on another example of this, perpetrated by the operators behind Black Kingdom ransomware. 

“The Black Kingdom ransomware targeting unpatched Exchange servers has all the hallmarks of being created by a motivated script-kiddie. The encryption tools and techniques are imperfect but the ransom of $10,000 in bitcoin is low enough to be successful. Every threat should be taken seriously, even seemingly low-quality ones.

“Defenders should take urgent steps to install Microsoft’s patches to prevent exploitation of their Exchange Server. In addition, the Exchange server should be scanned for web shells that allow attackers to run commands on the server. If this is not possible, the server should be disconnected from the internet or closely monitored by a threat response team.”  – Mark Loman, director, engineering technology office, Sophos

 Sophos Intercept X and Sophos Intercept X with EDR against threats attempting to exploit the ProxyLogon Exchange vulnerabilities. 

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *


You May Also Like


Federal High Court sitting in Lagos has restrained telecom operators in Nigeria from deactivating or barring any line or sim whose user did not...


QNET, a global lifestyle and wellness-focused direct-selling company is excited to announce the upcoming launch of V-Africa 2024, an event designed to bring together...


Senate Committee on National Agency for Science and Engineering Infrastructure (NASENI) has commended the Agency for championing local content development of Solar-Powered smart irrigation,...


The family of the late Herbert Wigwe, the former group chief executive officer (GCEO) of Access Holdings Plc, has announced arrangements for his burial...