Microsoft Exchange server being hacked by the new LockFile ransomware

A new ransomware gang, known as LockFile, is using the recently published ProxyShell vulnerabilities to encrypt Windows domains after hacking into Microsoft Exchange servers.

ProxyShell is the name of an attack that chains three Microsoft Exchange vulnerabilities, which together lead to unauthenticated remote code execution.

The three vulnerabilities were discovered by Devcore Principal Security Researcher Orange Tsai, who chained them to take over a Microsoft Exchange server at the Pwn2Own 2021 hacking contest in April.

Microsoft fully patched these vulnerabilities in May 2021, but more technical details were disclosed recently, allowing security researchers and threat actors alike to reproduce the exploit.

As Bleeping Computer reported last week, threat actors are actively scanning for and hacking Microsoft Exchange servers using the ProxyShell vulnerabilities.

After exploiting the Exchange server, an attacker dropped a web shell that could be used to upload and run other programs.

At the time, NCC Group vulnerability researcher Rich Warren told Bleeping Computer that the web shell was being used to install a .NET backdoor, which was then downloading a harmless payload.

Since then, security researcher Kevin Beaumont has reported that a new ransomware operation called LockFile is using the Microsoft Exchange ProxyShell and Windows PetitPotam vulnerabilities to take over Windows domains and encrypt devices.

After breaking into a network, the attackers first use the ProxyShell vulnerability to access an on-premises Microsoft Exchange server. Once they have established a foothold, according to Symantec, the LockFile gang uses the PetitPotam vulnerability to take over the domain controller, and with it the Windows domain.

From there, it is easy to deploy the ransomware throughout the network.

What we know about LockFile ransomware

Little is known about the new LockFile ransomware operation at this time.

When first seen in July, the ransom note was named 'LOCKFILE-README.hta' but carried no specific branding, as shown below.

Old LockFile Ransom Note

Starting last week, Bleeping Computer began receiving reports of the ransomware gang using a branded ransom note identifying the operation as 'LockFile', as shown below.

These ransom notes use the naming format '[victim_name]-LOCKFILE-README.hta' and urge victims to contact the gang via Tox or email to negotiate the ransom. The email address currently used in the operation appears to be a reference to the Conti ransomware operation.

The color scheme of the ransom note is similar, but it is not known whether the communication method and wording are the same.

Also of interest is the color scheme and layout of the ransom notes, which closely resemble those of the LockBit ransomware, although the two operations do not appear to be related.

When encrypting files, the ransomware appends the .lockfile extension to the names of the encrypted files.

Yesterday afternoon, Bleeping Computer and ransomware expert Michael Gillespie analyzed the July version of LockFile and found it to be a noisy ransomware that consumes a lot of system resources and causes the computer to freeze temporarily.

Apply the patch now!

Because the LockFile operation uses both the Microsoft Exchange ProxyShell vulnerability and the Windows PetitPotam NTLM relay vulnerability, Windows administrators must install the latest updates.

For the ProxyShell vulnerabilities, the latest Microsoft Exchange cumulative updates patch the vulnerabilities.

The Windows PetitPotam attack is more complicated, because Microsoft's security update is incomplete and does not patch all of the vulnerability's attack vectors.

To mitigate the PetitPotam attack, you can install the unofficial patch from 0patch, which blocks this NTLM relay attack vector, or apply a NETSH RPC filter that blocks access to the vulnerable functions of the MS-EFSRPC API.

According to Beaumont, you can run the following Azure Sentinel query to check whether your Microsoft Exchange server is being scanned for the ProxyShell vulnerabilities.

// W3CIISLog is the Azure Sentinel table that holds IIS W3C logs; the csUriStem, csUriQuery and csMethod columns below come from it
W3CIISLog
| where csUriStem == "/autodiscover/autodiscover.json"
| where csUriQuery has "PowerShell"
| where csMethod == "POST"

All organizations are strongly encouraged to patch their Exchange servers and create offline backups of them as soon as possible.
