LockFile Ransomware Exploit ProxyShell Vulnerabilities in Microsoft Exchange Servers

The Microsoft exchange servers were hacked by a very new ransomware gang that is known as LockFile. According to the cyber security expert, this ransomware gang has appeared in July 2021.

However, the main motive of this ransomware is to encrypt Windows domains soon after hacking into Microsoft Exchange servers, and this they do with the help of ProxyShell vulnerabilities that has been revealed recently.

As we said above that the threat actors conduct this operation while using the ProxyShell vulnerabilities, well the hackers generally breach the targets with unpatched, on-premises Microsoft Exchange servers, and which are being followed by a PetitPotam NTLM relay attack as it seizes the whole control of the domain.

Vulnerabilities Discovered Earlier

After investigating the attack, the experts Devcore Principal Security Researcher Orange Tsai have found three vulnerabilities, and later he attached them all together so that he can take over a Microsoft Exchange server in April’s Pwn2Own 2021 hacking competition.

• CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779)
• CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779)
• CVE-2021-31207 – Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)

What Did We Know About the LockFile Ransomware?

The security analysts are trying their best to know all the key details reading this particular attack. However, there are many findings that are yet to disclose, but in July the experts first noted that the ransom note was named ‘LOCKFILE-README.hta’ but the interesting fact is that it does not have any special branding.

The attackers are using branded ransom notes that are designating that they were called ‘LockFile. Moreover, all these ransom notes apply a naming format of ‘[victim_name]-LOCKFILE-README.hta’ and later it advised the victim to communicate with them through Tox or email if they want to negotiate the ransom.

The RansomNote is An HTML Application

The researchers stated that the function at 0x7f00 initially generates the HTA ransom note, such as, ‘LOCKFILE-README-[hostname]-[id].hta’ in the root of the drive. 

After the investigation, the experts noted that instead of dropping a note in TXT format, the LockFile formats its ransom note as an HTML Application (HTA) file. The most important point is that the HTA ransom note that was being used by LockFile matches the one that is used by LockBit 2.0 ransomware.

Patch now!

After knowing all the details its been clear that this ransomware gang uses both the Microsoft Exchange ProxyShell vulnerabilities and the Windows PetitPotam NTLM Relay vulnerability.

According to the researchers, it’s quite important that Windows administrators must install the latest updates. Well in the case of ProxyShell vulnerabilities, the users can install the most advanced Microsoft Exchange cumulative updates as it will help to patch the vulnerability.

This type of ransomware attack is quite difficult to patch, but the experts stated that they are trying their best to circumvent this attack, as soon as possible.

Also Read: Ransomware Attack Response and Mitigation Checklist