
Black Kingdom Ransomware

Posted: June 15, 2020

The Black Kingdom Ransomware is a file-locking Trojan that preferentially targets enterprise-grade business entities. Its attacks lock files with encryption after gaining initial access through software vulnerabilities, chiefly in VPN products. Users should install security patches when available, secure their backups, and let their anti-malware tools remove the Black Kingdom Ransomware on sight.

The Invading Kingdom Takes a Not-Quite-Private Road

Although samples suggest that the family has been active throughout 2020, a successful honeypot operation (a server imitating a 'likely victim' to entice attacks) finally confirms its existence in mid-summer. The Black Kingdom Ransomware is, unlike some of the more casual Ransomware-as-a-Service and free families, a group of Trojans that targets enterprise-grade businesses operating globally. Its threat actor takes advantage of poor patching habits in those business workplaces to gain access to their systems, establish persistence and block files.

At present, the Black Kingdom Ransomware uses well-known, public vulnerabilities in Pulse VPN, a Virtual Private Network product. Although the exploits are preventable by installing the appropriate security updates, many businesses avoid updating software because of the logistics and compatibility issues sometimes involved. The Black Kingdom Ransomware masquerades as a Google Chrome scheduled task and sets up a possible reverse shell for handing control over to the attacker.

The Black Kingdom Ransomware includes several components that malware experts deem of note, even for a file-locking Trojan targeting prestigious victims. Its domains are related to cryptocurrency-mining operations, which indicates a possible second revenue source for its threat actor. The Trojan also requires a costly ransom of ten thousand USD in Bitcoins, with a ten-hour time limit. The latter makes it exceedingly clear that the hackers focus on organizations with impressive funding or valuable data that would be profitable on the black market if sold.

The Defensive Strategy for a High-Priced Server Invasion

With full understanding that its threat actors may change tack after having their techniques publicized, users still should protect their workplaces from the lowest-common-denominator exploits. The CVE-2019-11510 file-reading vulnerability was fixed by a patch released last year, and VPN software users should always be diligent about installing security patches as soon as they're available. Such precautions are even more important in scenarios like this one, which involve vulnerabilities known to the public and abusable by multiple attackers.

The appearance of another costly file-locking Trojan (see also: the 1BTC Ransomware, the Pzdc Ransomware, and other, equally expensive campaigns) further underlines the raw value of a secure backup. Backing work up to suitably safe locations, whether password-protected or physically detachable, gives users an always-reliable way to recover their files. Although the Black Kingdom Ransomware targets multinational companies, the same countermeasures, and the risks of not following them, apply just as much to individual PC owners.

Anti-malware services should be active, reliable, and updated for detecting and deleting the Black Kingdom Ransomware as soon as possible. They also will not be thwarted by simpler subterfuge like fake names on scheduled Windows tasks.

The Black Kingdom Ransomware operates at the unquestionable high end of the file-locker Trojan sector. Both its methodology and its asking price serve as down-to-earth reminders. They help even the largest companies remember that they're just as much at risk from an attacker as the server of any smaller, family-owned business.
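The "Google Chrome" scheduled-task disguise mentioned above is the kind of subterfuge an administrator can check for by hand, not only through an anti-malware product. The following PowerShell script is an added example written for this page, not code from the original article or from any vendor: it lists every scheduled task whose name or folder mentions Chrome and flags any whose action runs an executable outside the directories where Chrome and its updater are normally installed. The directory list, the task-name pattern and the `Test-LegitimateChromePath` helper are this example's own assumptions, not indicators taken from the Black Kingdom Ransomware itself.

```powershell
# Added example (not from the original article): review scheduled tasks that
# present themselves as Google Chrome and flag those whose action runs a
# binary from an unexpected location. Run in an elevated PowerShell session
# so that machine-wide tasks are visible.

# Assumed legitimate install roots for Chrome and the Google updater.
# Note: $env:LOCALAPPDATA only covers the *current* user's per-user install.
$chromeDirs = @(
    "$env:ProgramFiles\Google\",
    "${env:ProgramFiles(x86)}\Google\",
    "$env:LOCALAPPDATA\Google\"
)

function Test-LegitimateChromePath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Task actions may use %ProgramFiles%-style variables and surrounding quotes.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    foreach ($dir in $chromeDirs) {
        if ($expanded.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

Get-ScheduledTask |
    Where-Object { $_.TaskName -match 'chrome' -or $_.TaskPath -match 'chrome' } |
    ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only "execute" actions carry a program path; COM-handler actions do not.
            if ($null -eq $action.Execute) { continue }
            [pscustomobject]@{
                TaskPath   = $task.TaskPath
                TaskName   = $task.TaskName
                Author     = $task.Author
                Execute    = $action.Execute
                Arguments  = $action.Arguments
                Suspicious = -not (Test-LegitimateChromePath $action.Execute)
            }
        }
    } |
    Where-Object Suspicious |
    Format-Table -AutoSize
```

A task named after Chrome whose action points at a script interpreter, a temporary directory or a user profile folder deserves a closer look, as does one whose `Author` field does not match the vendor entries created by the genuine installer. Treat the output as a triage list rather than a verdict: the directory list above is an assumption about a standard install, so a non-standard but legitimate Chrome deployment will also appear in it.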
