Black Kingdom ransomware has recently been observed exploiting a Microsoft Exchange Server vulnerability. In complexity and sophistication the Black Kingdom family falls well short of the established Ransomware-as-a-Service (RaaS) and Big Game Hunting (BGH) families. The ransomware is written in Python and compiled to an executable with PyInstaller. It supports two encryption modes: one that generates the key dynamically at run time and one that uses a key hardcoded in the binary. Code analysis revealed an amateurish development cycle, and because the hardcoded key ships inside the executable, files encrypted in that mode can be recovered without paying. A public decryption script already exists for files encrypted with the embedded key; files encrypted with a dynamically generated key are not recoverable this way, so a victim must first determine which mode was used.
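A practical first triage step for a sample like this is confirming that the executable is a PyInstaller bundle, since that is what makes the embedded Python (and any hardcoded key) straightforward to extract with tools such as pyinstxtractor followed by a bytecode decompiler. The check below is an added example written for this page, not code from the original report or from any decryptor: it locates PyInstaller's CArchive "cookie" by its well-known magic bytes and parses the cookie layout used since PyInstaller 2.1. The sample binary it scans is constructed inline (a few filler bytes plus a hand-built cookie) and is not Black Kingdom data.

```python
import struct

# Magic that opens PyInstaller's CArchive cookie (same value since PyInstaller 2.x).
PYINST_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"

# Cookie layout since PyInstaller 2.1, network byte order:
# magic, package length, TOC offset, TOC length, Python version, Python DLL name.
COOKIE_FMT = "!8sIIii64s"
COOKIE_SIZE = struct.calcsize(COOKIE_FMT)  # 88 bytes


def find_pyinstaller_cookie(data: bytes):
    """Return parsed cookie fields if `data` carries a PyInstaller archive, else None.

    The magic is searched from the end of the file because newer PyInstaller
    builds and Authenticode-signed binaries may carry data after the cookie,
    so assuming it sits in the last 88 bytes misses real samples.
    """
    pos = data.rfind(PYINST_MAGIC)
    if pos == -1 or pos + COOKIE_SIZE > len(data):
        return None
    magic, pkg_len, toc_off, toc_len, pyver, pylib = struct.unpack(
        COOKIE_FMT, data[pos:pos + COOKIE_SIZE]
    )
    # Old PyInstaller stored the version as major*10+minor (e.g. 37);
    # newer builds store major*100+minor (e.g. 308, 310).
    if pyver >= 100:
        major, minor = divmod(pyver, 100)
    else:
        major, minor = divmod(pyver, 10)
    return {
        "cookie_offset": pos,
        "package_length": pkg_len,
        "toc_offset": toc_off,
        "toc_length": toc_len,
        "python_version": f"{major}.{minor}",
        "python_lib": pylib.rstrip(b"\x00").decode("ascii", "replace"),
    }


def build_sample(pyver: int = 308, lib: bytes = b"python38.dll") -> bytes:
    """Constructed stand-in for a PyInstaller-built PE: a fake stub, a dummy
    package body, then a valid cookie. Purely synthetic test data."""
    stub = b"MZ" + b"\x00" * 100
    package = b"PYZ-00.pyz" + b"\x00" * 200
    pkg_len = len(package) + COOKIE_SIZE
    cookie = struct.pack(COOKIE_FMT, PYINST_MAGIC, pkg_len, 10, 30, pyver,
                         lib.ljust(64, b"\x00"))
    return stub + package + cookie


if __name__ == "__main__":
    info = find_pyinstaller_cookie(build_sample())
    print("PyInstaller bundle detected:", info)
    print("Plain stub:", find_pyinstaller_cookie(b"MZ" + b"\x00" * 500))
```

On a real sample, read the file into `data` and pass it to `find_pyinstaller_cookie`; a non-None result with a plausible Python version tells you that pyinstxtractor can unpack the archive and that the interpreter version to match for decompilation is the one reported in the cookie. A missing cookie does not prove the binary is not Python (other freezers such as py2exe and Nuitka use different layouts), only that this particular extraction path will not work.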
Microsoft Exchange Server could allow a remote attacker to execute arbitrary code on the system. By sending a specially crafted request, an attacker could exploit this vulnerability to run code with the privileges of the Exchange process on the affected server, which is what gives Black Kingdom its initial foothold on unpatched hosts.