The BlackKingdom ransomware campaign has been attacking Microsoft Exchange Server, exploiting the ProxyLogon vulnerabilities to deploy ransomware on vulnerable servers. The attacks were discovered by Marcus Hutchins, a security researcher from MalwareTechBlog, who revealed in a series of tweets on Sunday that he left honeypots on his Exchange servers, which lured in attackers who were attempting to run a script on his server.
MalwareTechBlog tweeted, “Someone just ran this script on all vulnerable Exchange servers via ProxyLogon vulnerability. It claims to be BlackKingdom ‘Ransomware’, but it doesn’t appear to encrypt files, just drops a ransom note to every directory.”