How to Recover Exchange Server after Black KingDom Ransomware Attack?

Black KingDom is a ransomware variant, which targets on-premises Exchange servers that are not updated and are exposed to ProxyLogon vulnerabilities. In this post, we discuss about the Black KingDom ransomware, ways to safeguard your Exchange server against such malicious attacks, and methods to recover Exchange server after such attacks.

Black KingDom Ransomware – How it Works 

Black KingDom ransomware, also known as DemonWare or GAmmAWare, was first detected in February 2020. Earlier, it was used to attack corporate networks using Pulse VPN. The threat actors are now using the ransomware to target and attack the vulnerable Exchange servers.

Black KingDom ransomware encrypts the files on the compromised Exchange servers and adds a .DEMON extension to the encrypted filenames with a ransom note named decrypt_file.TxT or ReadMe.txt. The ransom note demands either 0.052 or 0.19 Bitcoin (equivalent to $500/ $10,000) as payment for decryption key that (according to the attackers) can help victims recover their data.

The Bitcoin address 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT has received a total of 0.17300000 BTC ($9,154.35) on March 18. However, you should never pay or meet any ransom demands, as users often do not receive the promised decryption key or tool.

Steps to Eliminate and Prevent Black KingDom Ransomware Attack

You can eliminate the Black KingDom ransomware from the Exchange server by following the methods discussed below and avoid further encryption. However, removing Black KingDom ransomware may not restore the affected data or files already encrypted by ransomware.  

Step 1: Restore from Backup

If the server is infected by the Black KingDom or any other ransomware, you can set up a new server and then restore the mailboxes from the backup. But if the backup isn’t available or obsolete, the only viable option is to use an Exchange repair software, such as Stellar Repair for Exchange.

The software can help you extract mailboxes from non-encrypted Exchange databases on the affected server and export them directly to the new Exchange server. But if the ransomware encrypts the database, the tool may not work.

Step 2: Use Exchange On-Premises Mitigation Tool

Before using the Exchange repair software or manually extracting the mailboxes, you must run the Exchange On-Premises Mitigation Tool (EOMT) to check and eliminate the ransomware or any other malware from the vulnerable server.

The EOMT tool helps you check if your Exchange system is vulnerable. It addresses CVE-2021-26855 vulnerability. It is currently the most effective way to eliminate web shells and malware, including Black KingDom ransomware, deployed by the threat actors.

The steps to run EOMT tool are as follows:

• After downloading the EOMT tool, extract the files. Copy the Security folder from the extracted files that contain the EOMT PowerShell script and save it at your desired location. We saved it in the Documents folder (see the screenshot below).

• Now open PowerShell as administrator and then enter the following command to navigate to Security/src folder location. In our case, it is:

cd C:\Users\Administrator\Documents\Security\src

• Now enter the following command in PowerShell to run the EOMT.ps1 script and check if your Exchange server is vulnerable and compromised:

.\EOMT.ps1

The script checks the server vulnerability by installing the IIS URL rewrite tool. It then runs the Microsoft Safety Scanner or MSERT in quick scan mode to find and remove threats, such as web shells and malware from the server.

In case you suspect or find threats in Quick Scan, it is strongly suggested that you run MSERT in Full Scan mode. Full Scan will take longer but will thoroughly scan the server and eliminate all possible threats from the server.

To run MSERT in Full Scan mode, use the following PowerShell command:

.\EOMT.ps1 -RunFullScan –DoNotRunMitigation

Step 3: Update the Server

After running the EOMT, update the Exchange server with March 2021 Exchange Security Updates. Once updated, you can use either the Exchange Admin center (EAC) or Exchange Management Shell (EMS) cmdlets to export mailboxes to PST from unaffected databases. However, this works only if the server did not crash or break after the attack.

Step 4: Restore Mailboxes on New Exchange Server

In case the Exchange server broke or crashed due to Hafnium or Black KingDom ransomware attack, you can install an Exchange repair software to export mailboxes from the remaining unencrypted Exchange databases to the new Exchange server. The software auto maps the mailboxes from the source Exchange database to the destination server and facilitates hassle-free recovery and migration of the mailboxes.

Using the software, you can restore the mailboxes on the new server more quickly and reduce downtime significantly.

Conclusion

Black KingDom is another ransomware that exploits ProxyLogon vulnerabilities to get administrator access to the Exchange server. In our previous post, we discussed the Hafnium ransomware that uses ProxyLogon exploit (CVE-2021-26855 vulnerability) to access vulnerable on-premises Exchange servers and deploy web shells to infiltrate the server. These web shells enable the threat actors to install malware or ransomware on the server.

To prevent ransomware attacks, such as the Black KingDom or Hafnium, you should immediately patch your server by installing Microsoft’s latest Exchange updates. Also, employ effective defense and backup techniques to safeguard your Exchange server against data loss due to such malicious attacks.

Also Read: How to Recover Microsoft Exchange Server after Hafnium Attack?