A new ransomware variant, dubbed “Black Kingdom,” was observed exploiting unpatched Pulse Secure VPN software to gain initial access to enterprise networks. The vulnerability, tracked as “CVE-2019-11510,” is an arbitrary file reading vulnerability that allows an unauthenticated attacker to send a specially crafted Uniform Resource Identifier (URI). Black Kingdom was first observed in February 2020 by a security researcher who goes by the moniker “GrujaRS.” The researcher identified that Black Kingdom’s encrypted files are appended with “. DEMON” extension.
To establish persistence, Black Kingdom impersonates a legitimate scheduled task named “GoogleUpdateTaskMachineUA,” which resembles a legitimate task of Google Chrome that ends with UA, not USA, as displayed by Black Kingdom. The scheduled task runs a Base64-encoded string code in a hidden PowerShell window to fetch a script named “reverse.ps1” that is used to open a reverse shell on the compromised host. In addition, the script was found residing in the IP address of 198.13.49[.]179, which is managed by Choopa, a company that provides virtual private servers (VPS). After establishing persistence, Black Kingdom displays a ransom note that contains instructions on how to reach out to the ransomware operators. At the time of writing, it is unclear how widespread the ransomware is or what the overall impact of the event was. It is recommended that users have a reliable and tested backup that can be restored, upgrade unpatched Pulse Secure VPN, and keep the operating systems up-to-date to stop the ransomware from reaching the network. The following indicators of compromise have been identified with Black Kingdom ransomware: