Black Kingdom Ransomware Targets Pulse Secure VPN

What is Black Kingdom Ransomware?

Black Kingdom Ransomware is a recently reported malware family. It was released in the wild to target and exploit vulnerabilities in Microsoft Exchange Server, and it is also known as DEMON Ransomware or DemonWare Ransomware. It uses MS Exchange Servers with unpatched loopholes as its initial entry point. According to current reports, the operators behind Black Kingdom Ransomware use specific signatures such as black_kingdom, DEMON, or .death. The attacks have mostly been reported at large companies that ran unpatched versions of Pulse Secure VPN. Although this vulnerability in MS Exchange Server was reported and patched in the April 2019 updates, some companies and enterprises delayed the update for a long time, so their systems remained vulnerable to Black Kingdom Ransomware.

The ransomware locks and encrypts files and then demands a large ransom in exchange for a decryption tool. There is, however, no certainty that victims will receive the decryption tool even after the ransom is paid, so paying the ransom for hostage files should be avoided. Initially the Black Kingdom operators exploited Pulse Secure VPN vulnerabilities, but they have since changed their strategy and now use Python scripting, packaging the code with tools such as py2exe for Python 3, which builds console executables and Windows executable files. Once a Windows machine is targeted, this packaging is used to push the ransomware attack further.

Once the system is compromised, the victim soon receives a ransom note announcing the attack. The targeted files are encrypted and renamed with the .DEMON extension appended; for example, a file named image.jpg is renamed to image.jpg.DEMON. The ransom note is displayed as a full-screen pop-up window and also as a text file named "README.txt" that is dropped in every folder on the PC. The note tells the victim that the system was targeted by the GAmmA Group and assures them that the locked and encrypted files can be decrypted and the data recovered after the ransom is paid. The demanded ransom is 0.052 BTC (Bitcoin cryptocurrency), which is roughly equivalent to US $500 depending on the exchange rate at the time. An email address is provided in the note, and victims who decide to pay are instructed to inform the attackers by mail at that address. The message must clearly state the victim's IP address/host name and the transaction id.
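The indicators the article lists (files renamed with a .DEMON suffix and a README.txt ransom note dropped in every folder) are easy to turn into a host-side check. The script below is an added example written for this page, not code from the article or from any vendor tool: it walks a directory tree, collects files carrying the .DEMON suffix, and flags README.txt files only when their text contains one of the strings the article reports (the GAmmA Group name, the black_kingdom/DEMON signatures, or the 0.052 BTC demand), so that an ordinary project readme is not mistaken for a ransom note. The marker strings, the case-insensitive filename match and the sample directory it builds are assumptions for the demonstration; the verdict labels are constructed for this example.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Indicators taken from the article: encrypted files get a ".DEMON" suffix and a
# ransom note named "README.txt" is dropped into every folder.
ENCRYPTED_SUFFIX = ".DEMON"
RANSOM_NOTE_NAME = "README.txt"
# Strings the article reports in the note; assumed sufficient to tell a ransom
# note apart from a benign readme (assumption for this example).
NOTE_MARKERS = ("GAmmA Group", "black_kingdom", "DEMON", "0.052 BTC")


def looks_like_ransom_note(path):
    """Return True if the file text contains any of the reported note markers."""
    try:
        text = Path(path).read_text(errors="ignore").lower()
    except OSError:
        return False
    return any(marker.lower() in text for marker in NOTE_MARKERS)


def scan_for_indicators(root):
    """Walk `root` and report .DEMON files, ransom-note folders and a verdict."""
    encrypted_files = []
    ransom_note_dirs = set()
    dirs_scanned = 0
    for dirpath, _dirnames, filenames in os.walk(root):
        dirs_scanned += 1
        for name in filenames:
            full = Path(dirpath) / name
            if name.endswith(ENCRYPTED_SUFFIX):
                encrypted_files.append(str(full))
            elif name.lower() == RANSOM_NOTE_NAME.lower() and looks_like_ransom_note(full):
                ransom_note_dirs.add(dirpath)

    # Both indicators together are the strong signal; either alone is worth a look.
    if encrypted_files and ransom_note_dirs:
        verdict = "likely-black-kingdom"
    elif encrypted_files or ransom_note_dirs:
        verdict = "suspicious"
    else:
        verdict = "clean"

    return {
        "encrypted_files": sorted(encrypted_files),
        "ransom_note_dirs": sorted(ransom_note_dirs),
        "dirs_scanned": dirs_scanned,
        "verdict": verdict,
    }


def build_sample_tree():
    """Construct a throwaway directory that mimics the post-infection layout.

    Everything here is constructed sample data for the demonstration.
    """
    base = Path(tempfile.mkdtemp(prefix="bk_demo_"))
    for sub in ("docs", "photos", "clean"):
        (base / sub).mkdir()
    (base / "docs" / "report.docx.DEMON").write_bytes(b"\x00" * 16)
    (base / "photos" / "image.jpg.DEMON").write_bytes(b"\x00" * 16)
    note = "Your files were encrypted by GAmmA Group. Send 0.052 BTC to recover them."
    for folder in (base, base / "docs", base / "photos"):
        (folder / "README.txt").write_text(note)
    # A benign readme in an untouched folder must not be flagged.
    (base / "clean" / "README.txt").write_text("Project readme: run make to build.")
    (base / "clean" / "notes.txt").write_text("nothing unusual here")
    return base


if __name__ == "__main__":
    sample_root = build_sample_tree()
    try:
        result = scan_for_indicators(sample_root)
        print("verdict:", result["verdict"])
        print("encrypted files:", len(result["encrypted_files"]))
        print("folders with ransom note:", len(result["ransom_note_dirs"]))
    finally:
        shutil.rmtree(sample_root, ignore_errors=True)
```

In practice such a scan would be pointed at user data shares and run from a clean host or read-only mount, and a positive result should trigger isolation of the affected machine and restoration from offline backups rather than any interaction with the address in the note.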