Skip to Main Content


Black Kingdom Returns to Exploit Zero-Day Vulnerabilities in Unpatched Microsoft Exchange Servers



By Steve Ramey

You know what’s fun about zero-day exploits? Nothing, especially when ransomware is involved.

Earlier this month, Microsoft released a statement notifying the public of a zero-day exploit that affected its on-premises Exchange Servers, versions 2013 through 2019. Within a week, Arete incident responders spoke to approximately 100 affected companies — small- and medium-sized companies that had no reason to be on the target list of the Microsoft-coined hacking group Hafnium.

The worst part about this zero-day announcement was that sometime around March 10, the threat group published the proof-of-concept (PoC) code to GitHub. The irony: Microsoft owns GitHub; GitHub hosted the PoC code.

Since that publication, the security community has been speculating on a second wave of attacks involving this exploit. A wave that would be worse than the first. A wave that would be linked to all sorts of corporate business interruptions from the likes of data exfiltration and ransomware.

How right was the speculation? Basically, the community #nailedit.


On March 12, reported that a hacking group was deploying the ransomware variant,  DEARCRY!, which was affecting unpatched Microsoft Exchange Servers.

Now, Arete has identified a second variant — Black Kingdom — that is also exploiting unpatched Microsoft Exchange Servers. The Black Kingdom variant made media headlines when it briefly surfaced and started to exploit the Pulse VPN zero-day in the early summer months of 2020. After, the group quietly disappeared … until this week.


After the Black Kingdom group gains access to a network, they will perform some reconnaissance and start their encryption, leaving behind a fitting ransom note entitled decrypt_file.txt to announce their return.

Black Kingdom’s ransom note is one of the longest notes left behind by ransomware groups. It provides explicit instructions on how to contact them, the ransom amount, the Bitcoin wallet ID, and a message stating that they exfiltrated data from the network. The note also states that refusal to pay would lead them to publish the attack and stolen files on social media.


The Microsoft Exchange vulnerability is widespread and, if like many other previously reported vulnerabilities, may not get patched automatically or quickly enough to prevent ransomware groups and any other malicious actors from gaining unauthorized access to your network.

Follow these recommended steps protect your business and systems from unauthorized access:

    1. Immediately patch the Exchange Server. If the system is not or cannot be patched, disable Outlook for Web Access (OWA). If you cannot disable OWA, remove the Exchange Server from the internet.
      • Prior to running the tool, create a backup of the Exchange Server in its current state.
      • Microsoft released a One-Click Mitigation tool to patch, upgrade, and scan for malicious activity. You can find the tool on the company’s Security Center blog.
      • Disable OWA according to the Microsoft guidelines. This may cause users to not have access to email.
      • If you cannot patch or disable OWA, remove the system from the internet by disconnecting the network cable or powering the system down. This action will cause significant disruption and prevent users from receiving emails in certain configurations.
    2. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) issued a mitigation alert. Please read the article.
      • Block IP addresses at the firewall.
      • Enable geofencing if your organization does not conduct business outside of the United States.
    3. Change passwords for all Windows-based user accounts.
      • Start with the most privileged domain administrator and service accounts, then work towards the least privileged user accounts. Also include the local administrator password.
    4. Preserve any firewall, web application firewall, or VPN logs.
    5. Deploy an Enterprise Detection and Response (EDR) tool throughout the environment to detect any unauthorized activity.

If you suspect any unauthorized access to your Microsoft Exchange Server or network, immediately contact us at [email protected].