Microsoft has discovered web shells deployed by Black Kingdom operators on approximately 1,500 Exchange servers vulnerable to ProxyLogon attacks. Black Kingdom is the second confirmed ransomware that targets unpatched Microsoft Exchange servers with ProxyLogon exploits. The current ransomware executable is a Python script compiled as a Windows executable. The ransom note also warned victims that data was stolen before their devices were encrypted and would be publicly released if a ransom was not paid. Microsoft revealed on Monday that roughly 92% of all on-premises Exchange servers affected by the attacks are now patched and safe from ongoing attacks.
Source: https://www.bleepingcomputer.com/news/security/microsoft-black-kingdom-ransomware-group-hacked-15k-exchange-servers/

