Black Kingdom ransomware foiled through Mega password change

Black Kingdom ransomware, which was detected in recent ProxyLogon attacks against Microsoft Exchange servers, was, at least temporarily, foiled through a simple password change.

Brett Callow, Emsisoft threat analyst, told SearchSecurity that Black Kingdom was designed to generate and upload encryption keys to Mega, a cloud storage service. However, he added, if the ransomware is unable to reach Mega, it defaults to a static, local key. At some point during recent attacks, Black Kingdom seemingly failed to encrypt targeted systems, and in some cases defaulted to the static key.


"Somebody has changed the password to the Mega account, which means the ransomware cannot reach it and reverts to using the hardcoded key, which means we may be able to help people recover their data because we have the hardcoded key," Callow said.


Though it's unclear exactly when the password was changed, Callow told SearchSecurity about the change on Monday morning. (SearchSecurity agreed not to publish the information immediately, so as not to alert the Black Kingdom threat actors that the ransomware had been disrupted.)


Mark Loman, Sophos director of engineering for next-gen technologies, wrote a blog post Tuesday on the ransomware that described how it interacts with Mega. Loman told SearchSecurity that because the encryptor falls back to a static key, files it encrypts in that mode can also be decrypted with that static key. He also confirmed that the ransomware is currently unable to connect to Mega.


"At the moment, the ransomware cannot connect to Mega, because I tried the username and password. So that means that if there are victims hit by Black Kingdom ransomware at the moment, they're either attacked by a different, new version that has a ..
