LockFile Ransomware Targets Microsoft Exchange Servers
Security researchers have discovered a new family of ransomware called LockFile that appears to have been used to attack Microsoft Exchange servers in the United States and Asia since at least July 20.
In its Aug. 20 disclosure of LockFile, Symantec said it had found evidence of the ransomware hitting at least 10 organizations in a single month. The company said LockFile operators used an attack called PetitPotam, which targets a domain controller to gain control of an entire network, but it was unsure how the attackers initially gained access to the servers.
Kevin Beaumont of DoublePulsar worked that out. He reported that his personal honeypot project, an intentionally exposed server used to learn more about hacking attempts, was targeted by LockFile operators on August 13-16. These attacks showed that LockFile exploited a series of vulnerabilities in Microsoft Exchange known collectively as ProxyShell.
ProxyShell is one of three collections of vulnerabilities affecting Microsoft Exchange discovered, exploited and disclosed by Orange Tsai, Senior Security Researcher at Devcore. The attack surfaces were featured during the Pwn2Own hacking contest in April, and Tsai also shared more information about them during a talk at the Black Hat 2021 conference on August 5.
Microsoft fixed these vulnerabilities in May, but BleepingComputer reported that researchers and hackers were able to recreate the exploit, which is now being used to launch LockFile attacks. Ransomware operators can also target Exchange servers that have not received the latest updates and therefore remain vulnerable to the original ProxyShell attacks.
Beaumont said there were still “hundreds of directly exploitable and Internet accessible systems with SSL *.gov certificate hostnames” in the United States as of August 21 and cited a TechTarget report that “tens of thousands of Exchange servers are still vulnerable to ProxyLogon and ProxyShell.” Some of them could be honeypots, the report notes, but they probably are not.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) said it “strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft’s security update from May 2021, which fixes the three vulnerabilities of ProxyShell, to protect against these attacks”. Microsoft has also published methods to mitigate the PetitPotam attack.
LockFile itself encrypts all files on a target system, renames them with the “.lockfile” extension, then displays a note telling victims to contact the ransomware operators via email to negotiate the cost of recovering their files. The note reportedly resembles the one used by the LockBit ransomware group and also includes a reference to the Conti gang.
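The mass-rename behaviour described above is something defenders can alert on. The following is an added example, not code from the article or from any of the researchers it cites: it replays constructed file-rename events (the event format, process names and the 60-second / 5-file threshold are assumptions) and flags any process that renames many files to the “.lockfile” extension in a short window.

```python
from collections import deque
from datetime import datetime, timedelta

ENCRYPTED_EXT = ".lockfile"          # extension LockFile appends to encrypted files
DEFAULT_THRESHOLD = 5                 # assumed: renames per process that trigger an alert
DEFAULT_WINDOW = timedelta(seconds=60)  # assumed: sliding window length

# Constructed sample events: (ISO timestamp, process name, old path, new path).
# These are made-up lines for illustration, not real telemetry from any incident.
SAMPLE_EVENTS = [
    ("2021-08-20T10:00:00", "svchost.exe", r"C:\logs\a.log", r"C:\logs\a.log.bak"),
    # a single rename to .lockfile by another process: below threshold, no alert
    ("2021-08-20T10:05:00", "explorer.exe", r"C:\u\notes.txt", r"C:\u\notes.txt.lockfile"),
] + [
    # six renames to .lockfile by one process within ten seconds: should alert
    (f"2021-08-20T10:10:{2 * i:02d}", "unknown.exe",
     rf"C:\data\q{i}.xlsx", rf"C:\data\q{i}.xlsx.lockfile")
    for i in range(6)
]


def detect_lockfile_bursts(events, threshold=DEFAULT_THRESHOLD, window=DEFAULT_WINDOW):
    """Return [(process, window_start_iso, count)] for each process that renamed
    at least `threshold` files to ENCRYPTED_EXT within `window`.

    A per-process deque holds timestamps of qualifying renames; timestamps older
    than `window` are evicted as newer events arrive, so the deque length is the
    count inside the current sliding window.  One alert per process.
    """
    recent = {}      # process -> deque of datetimes of .lockfile renames
    alerted = set()  # processes already reported
    alerts = []
    for ts_str, proc, _old, new in sorted(events):  # sort by timestamp string
        if not new.lower().endswith(ENCRYPTED_EXT):
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent.setdefault(proc, deque())
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and proc not in alerted:
            alerts.append((proc, q[0].isoformat(), len(q)))
            alerted.add(proc)
    return alerts


if __name__ == "__main__":
    for proc, start, count in detect_lockfile_bursts(SAMPLE_EVENTS):
        print(f"ALERT: {proc} renamed {count} files to {ENCRYPTED_EXT} starting {start}")
```

In a real deployment the events would come from file-system auditing or EDR telemetry rather than an inline list, and the threshold should be tuned to the host's normal rename rate.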