{
	"id": "3b5b2a5f-b96d-4a95-97ea-f42a7a186df6",
	"created_at": "2026-04-06T00:21:36.079836Z",
	"updated_at": "2026-04-10T03:20:25.120005Z",
	"deleted_at": null,
	"sha1_hash": "303dad178dc19dc8803617fc3e0ea3b03299c234",
	"title": "Black Kingdom ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2777083,
	"plain_text": "Black Kingdom ransomware\r\nBy Marc Rivero\r\nPublished: 2021-06-17 · Archived: 2026-04-05 17:20:09 UTC\r\nBlack Kingdom ransomware appeared on the scene back in 2019, but we observed some activity again in 2021.\r\nThe ransomware was used by an unknown adversary who exploited a Microsoft Exchange vulnerability (CVE-2021-27065).\r\nThe complexity and sophistication of the Black Kingdom family cannot bear comparison with other\r\nRansomware-as-a-Service (RaaS) or Big Game Hunting (BGH) families. The ransomware is coded in Python and\r\ncompiled to an executable using PyInstaller; it supports two encryption modes: one generated dynamically and\r\none using a hardcoded key. Code analysis revealed an amateurish development cycle and the possibility of recovering\r\nfiles encrypted with Black Kingdom with the help of the hardcoded key. The industry already provided a script to\r\nrecover encrypted files in case they were encrypted with the embedded key.\r\nBackground\r\nThe use of a ransomware family dubbed Black Kingdom in a campaign that exploited the CVE-2021-27065\r\nMicrosoft Exchange vulnerability known as ProxyLogon was publicly reported at the end of March.\r\nAround the same time, we published a story on another ransomware family used by the attackers after\r\nsuccessfully exploiting vulnerabilities in Microsoft Exchange Server. 
The ransomware family was DearCry.\r\nAnalysis of Black Kingdom revealed that, compared to others, it is an amateurish implementation with several\r\nmistakes and a critical encryption flaw that could allow decrypting the files due to the use of a hardcoded key.\r\nBlack Kingdom is not a new player: it was observed in action following other vulnerability exploitations in 2020,\r\nsuch as CVE-2019-11510.\r\nDate | CVE | Product affected\r\nJune 2020 | CVE-2019-11510 | Pulse Secure\r\nMarch 2021 | CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065 | Microsoft Exchange Server\r\nTechnical analysis\r\nDelivery methods\r\nBlack Kingdom’s past activity indicates that the ransomware was used in larger vulnerability exploitation campaigns\r\nrelated to Pulse Secure or Microsoft Exchange. Public reports indicated that the adversary behind the campaign,\r\nafter successfully exploiting the vulnerability, installed a webshell in the compromised system. The webshell\r\nenabled the attacker to execute arbitrary commands, such as a PowerShell script for downloading and running the\r\nBlack Kingdom executable.\r\nhttps://securelist.com/black-kingdom-ransomware/102873/\r\nPage 1 of 14\n\nSleep parameters\r\nThe ransomware can be executed without parameters and will start to encrypt the system; however, it is possible\r\nto run Black Kingdom with a numeric value, which it will interpret as the number of seconds to wait before\r\nstarting encryption.\r\n‘Sleep’ parameter used as an argument\r\nRansomware is written in Python\r\nBlack Kingdom is coded in Python and compiled to an executable using PyInstaller. While analyzing the code\r\nstatically, we found that most of the ransomware logic was coded into a file named 0xfff.py. 
The ransomware is\r\nwritten in Python 3.7.\r\nBlack Kingdom is coded in Python\r\nExcluded directories\r\nThe adversary behind Black Kingdom specified certain folders to be excluded from encryption. The purpose is to\r\navoid breaking the system during encryption. The list of excluded folders is available in the code:\r\nWindows,\r\nProgramData,\r\nProgram Files,\r\nProgram Files (x86),\r\nAppData/Roaming,\r\nAppData/LocalLow,\r\nAppData/Local.\r\nThe code that implements this functionality demonstrates how amateurishly Black Kingdom is written. The\r\ndevelopers failed to use OS environment variables or a regex, which would have avoided repeating the code twice.\r\nPowerShell command for process termination and history deletion\r\nPrior to file encryption, Black Kingdom uses PowerShell to try to stop all processes in the system that contain\r\n“sql” in the name with the following command:\r\nGet-Service *sql* | Stop-Service -Force 2\u003e$null\r\nOnce done, Black Kingdom will delete the PowerShell history in the system.\r\nPowerShell commands run by Black Kingdom\r\nCombined with a cleanup of system logs, this supports the theory that the attackers try to remain hidden in the\r\nsystem by removing all traces of their activity.\r\nEncryption process\r\nThe static analysis of Black Kingdom shows how it generates an AES-256 key based on the following algorithm.\r\nThe pseudo-algorithm used by Black Kingdom\r\nThe malware generates a 64-character pseudo-random string. It then takes the MD5 hash of the string and uses it\r\nas the key for AES-256 encryption.\r\nThe code contains credentials for sending the generated key to the third-party service hxxp://mega.io. 
If the\r\nconnection is unsuccessful, Black Kingdom encrypts the data with a hardcoded key available in the code.\r\nBelow is an example of a successful connection with hxxp://mega.io.\r\nConnection established with mega.io\r\nThe credentials for mega.io are hardcoded in base64 and used for connecting as shown below.\r\nHardcoded credentials\r\nThe file sent to Mega contained the following data.\r\nParameter: Description\r\nID: Generated ID for user identification\r\nKey: Generated user key\r\nUser: Username in the infected system\r\nDomain: Domain name to which the infected user belongs\r\nBlack Kingdom will encrypt a single file if it is passed as a parameter together with the key to encrypt it. This could allow\r\nthe attacker to encrypt one file instead of encrypting the entire system.\r\nFunction for encrypting a single file\r\nIf no arguments are used, the ransomware will start to enumerate files in the system and then encrypt these with a\r\nten-threaded process. It performs the following basic operations:\r\n1. Read the file,\r\n2. Overwrite it with an encrypted version,\r\n3. Rename the file.\r\nThe function used for encrypting the system\r\nBlack Kingdom allows reading a file in the same directory called target.txt, which will be used by the ransomware\r\nto recursively collect files from the directories specified in that file and then encrypt them. Black Kingdom\r\nwill also enumerate various drive letters and encrypt them. 
A ransom note will be delivered for each encrypted\r\ndirectory.\r\nRansom note used by the ransomware\r\nEncryption mistakes\r\nAmateur ransomware developers often end up making mistakes that can help decryption, e.g., poor\r\nimplementation of the encryption key, or, conversely, make recovery impossible even after the victim pays for a\r\nvalid decryptor. Black Kingdom will try to upload the generated key to Mega, and if this fails, use a hardcoded\r\nkey to encrypt the files. If the files have been encrypted and the system has not been able to make a connection to\r\nMega, it will be possible to recover the files using the hardcoded key.\r\nHardcoded key in Base64\r\nWhile analyzing the code statically, we examined the author’s implementation of file encryption and found several\r\nmistakes that could affect victims directly. During the encryption process, Black Kingdom does not check whether\r\nthe file is already encrypted or not. Other popular ransomware families normally add a specific extension or a\r\nmarker to all encrypted files. Because Black Kingdom performs no such check, if the system has been infected by Black Kingdom twice, files in the\r\nsystem will be encrypted twice, too, which may prevent recovery with a valid encryption key.\r\nSystem log cleanup\r\nA feature of Black Kingdom is the ability to clean up system logs with a single Python function.\r\nThe function that cleans up system logs\r\nThis operation will result in Application, Security, and System event viewer logs being deleted. 
The purpose is to\r\nremove any history of ransomware activity, exploitation, and privilege escalation.\r\nRansomware note\r\nBlack Kingdom changes the desktop background to a note that the system is infected while it encrypts files,\r\ndisabling the mouse and keyboard with pyHook as it does so.\r\nFunction to hook the mouse and keyboard\r\nWritten in English, the note contains several mistakes. All Black Kingdom notes contain the same Bitcoin address;\r\nthis sets it apart from other ransomware families, which provide a unique address to each victim.\r\n***************************\r\n| We Are Back            ?\r\n***************************\r\nWe hacked your (( Network )), and now all files, documents, images,\r\ndatabases and other important data are safely encrypted using the strongest algorithms ever.\r\nYou cannot access any of your files or services .\r\nBut do not worry. You can restore everthing and get back business very soon ( depends on your actions )\r\nbefore I tell how you can restore your data, you have to know certain things :\r\nWe have downloaded most of your data ( especially important data ) , and if you don't  contact us within\r\n2 days, your data will be released to the public.\r\nTo see what happens to those who didn't contact us, just google : (  Blackkingdom Ransomware  )\r\n***************************\r\n| What  guarantees        ?\r\n***************************\r\nWe understand your stress and anxiety. 
So you have a free opportunity to test our service by instantly\r\ndecrypting one or two files for free\r\njust send the files you want to decrypt to (support_blackkingdom2@protonmail.com\r\n***************************************************\r\n| How to contact us and recover all of your files  ?\r\n***************************************************\r\nThe only way to recover your files and protect from data leaks, is to purchase a unique private key for\r\nyou that we only posses .\r\n[ + ] Instructions:\r\n1- Send the decrypt_file.txt file to the following email ===\u003e support_blackkingdom2@protonmail.com\r\n2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :\r\n[ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]\r\n3- confirm your payment by sending the transfer url to our email address\r\n4- After you submit the payment, the data will be removed from our servers, and the decoder will be\r\ngiven to you,\r\nso that you can recover all your files.\r\n## Note ##\r\nDear system administrators, do not think you can handle it on your own. 
Notify your supervisors as\r\nsoon as possible.\r\nBy hiding the truth and not communicating with us, what happened will be published on social media\r\nand yet in news websites.\r\nYour ID ==\u003e\r\nFDHJ91CUSzXTquLpqAnP\r\nThe associated Bitcoin address is currently showing just two transactions.\r\nTransactions made to a Bitcoin account\r\nCode analysis\r\nAfter decompiling the Python code, we found that the code base for Black Kingdom has its origins in an open-source ransomware builder available on GitHub.\r\nThe adversary behind Black Kingdom adapted parts of the code, adding features that were not originally present\r\nin the builder, such as the hardcoded key or communication with the mega.io domain.\r\nVictims\r\nBased on our telemetry, we saw only a few hits by Black Kingdom in Italy and Japan.\r\nAttribution\r\nWe could not attribute Black Kingdom to any known adversary in our case analysis. Its involvement in the\r\nMicrosoft Exchange exploitation campaign suggests opportunism, rather than a resurgence in activity from this\r\nransomware family.\r\nFor more information please contact: financialintel@kaspersky.com\r\nAppendix I – Indicators of Compromise\r\nNote: The indicators in this section were valid at the time of publication. 
Any future changes will be directly\r\nupdated in the corresponding .ioc file.\r\nFile Hashes\r\nb9dbdf11da3630f464b8daace88e11c374a642e5082850e9f10a1b09d69ff04f\r\nc4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908\r\na387c3c5776ee1b61018eeb3408fa7fa7490915146078d65b95621315e8b4287\r\n815d7f9d732c4d1a70cec05433b8d4de75cba1ca9caabbbe4b8cde3f176cc670\r\n910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db\r\n866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc\r\nc25a5c14269c990c94a4a20443c4eb266318200e4d7927c163e0eaec4ede780a\r\nDomain:\r\nhxxp://yuuuuu44[.]com/vpn-service/$(f1)/crunchyroll-vpn\r\nYARA rules:\r\nimport \"hash\"\r\nimport \"pe\"\r\nrule ransomware_blackkingdom {\r\n   meta:\r\n      description = \"Rule to detect Black Kingdom ransomware\"\r\n      author = \"Kaspersky Lab\"\r\n      copyright = \"Kaspersky Lab\"\r\n      distribution = \"DISTRIBUTION IS FORBIDDEN. DO NOT UPLOAD TO ANY MULTISCANNER OR SHARE ON ANY THREAT INTEL PLATFORM\"\r\n      version = \"1.0\"\r\n      last_modified = \"2021-05-02\"\r\n      hash = \"866b1f5c5edd9f01c5ba84d02e94ae7c1f9b2196af380eed1917e8fc21acbbdc\"\r\n      hash = \"910fbfa8ef4ad7183c1b5bdd3c9fd1380e617ca0042b428873c48f71ddc857db\"\r\n   condition:\r\n      hash.sha256(pe.rich_signature.clear_data) == \"0e7d0db29c7247ae97591751d3b6c0728aed0ec1b1f853b25fc84e75ae12b7b8\"\r\n}\r\nAppendix II – MITRE ATT\u0026CK Mapping\r\nThis table contains all TTPs identified during the analysis of the activity described in this report.\r\nTactic | Technique ID | Technique Name
\r\nExecution\r\nT1047 Windows Management Instrumentation\r\nT1059 Command and Scripting Interpreter\r\nT1106 Native API\r\nPersistence\r\nT1574.002 DLL Side-Loading\r\nT1546.011 Application Shimming\r\nT1547.001 Registry Run Keys / Startup Folder\r\nPrivilege Escalation\r\nT1055 Process Injection\r\nT1574.002 DLL Side-Loading\r\nT1546.011 Application Shimming\r\nT1134 Access Token Manipulation\r\nT1547.001 Registry Run Keys / Startup Folder\r\nDefense Evasion\r\nT1562.001 Disable or Modify Tools\r\nT1140 Deobfuscate/Decode Files or Information\r\nT1497 Virtualization/Sandbox Evasion\r\nT1027 Obfuscated Files or Information\r\nT1574.002 DLL Side-Loading\r\nT1036 Masquerading\r\nT1134 Access Token Manipulation\r\nT1055 Process Injection\r\nCredential Access\r\nT1056 Input Capture\r\nDiscovery\r\nT1083 File and Directory Discovery\r\nT1082 System Information Discovery\r\nT1497 Virtualization/Sandbox Evasion\r\nT1012 Query Registry\r\nT1518.001 Security Software Discovery\r\nT1057 Process Discovery\r\nT1018 Remote System Discovery\r\nT1016 System Network Configuration Discovery\r\nCollection\r\nT1560 Archive Collected Data\r\nT1005 Data from Local System\r\nT1114 Email Collection\r\nT1056 Input Capture\r\nCommand and Control\r\nT1573 Encrypted Channel\r\nImpact\r\nT1486 Data Encrypted for Impact\r\nSource: https://securelist.com/black-kingdom-ransomware/102873/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/black-kingdom-ransomware/102873/"
	],
	"report_names": [
		"102873"
	],
	"threat_actors": [],
	"ts_created_at": 1775434896,
	"ts_updated_at": 1775791225,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/303dad178dc19dc8803617fc3e0ea3b03299c234.pdf",
		"text": "https://archive.orkl.eu/303dad178dc19dc8803617fc3e0ea3b03299c234.txt",
		"img": "https://archive.orkl.eu/303dad178dc19dc8803617fc3e0ea3b03299c234.jpg"
	}
}