A ransomware campaign that swept through users of Microsoft e-mail systems is said to have been all but halted not by the availability of patches, but by mistakes described as “amateur” and committed by those responsible for the malware. An analysis showed that, while carrying out its actions, the Black Kingdom malware excluded certain folders from encryption and relied on encryption keys hard-coded into its own program, allowing those affected to recover their files directly.

The conclusions appear in a Kaspersky report and sound strange for a malware family that has been circulating since 2019, even though its campaign only intensified in March of this year. The experts are adamant that the malware does not look as well developed as it should, and that it contains other basic errors that would allow quick action to contain the attacks, without the criminals obtaining the financial return that is the central objective of these operations.

After infecting an unprotected Exchange server through a known and already patched flaw that allowed remote execution of malicious code, Black Kingdom moved laterally while enumerating data it could lock on the computers. At the same time, however, it excluded important operating system folders, such as ProgramData, Program Files and System32, so as not to “break” the platform in the process.

After this step, the data locking began, while the unique encryption key was hosted on the free Mega service, a connection that is easily detectable by administrators and normally blocked by security systems. In those cases, Black Kingdom fell back on a single alternative key, which was not only stored alongside the locked files but also became widely known among researchers, precisely because it allows the data to be unlocked without paying any ransom.

According to Kaspersky, the criminals made other basic mistakes, such as using a single cryptocurrency wallet for every attack carried out, instead of creating a new address for each victim. This made it easy to trace the funds back to the malware's original developers, and to gauge the reach of the infections, which in the end did not produce the expected result: only two transactions, receiving the equivalent of about $6.2 thousand, plus the withdrawal of that amount, were recorded.

Evidence of this is that, just months after the wave of compromise attempts involving Exchange servers, Black Kingdom is no longer used in active campaigns. On the other hand, Kaspersky warns that, as has happened before, the ransomware can always return in a new version, with the problems fixed and more sophisticated functionality.

Therefore, the main security recommendation is to update vulnerable systems so that known flaws cannot be exploited by attackers. The use of threat monitoring and analysis systems is also recommended, as is keeping regular backups to minimize damage in the event of a successful attack.