
“LockFile” Ransomware Gang Exploiting PetitPotam Vulnerability To Take Over Windows Domains.

A new ransomware gang named LockFile targets Microsoft Exchange servers using the recently disclosed ProxyShell vulnerabilities. The popular security expert Kevin Beaumont was one of the first researchers to report that the LockFile operators are using the Microsoft Exchange ProxyShell and the Windows PetitPotam vulnerabilities to take over Windows domains.

Security firm Symantec said that the “LockFile” variant was first spotted on July 20 in an attack on a US financial services organisation and has since hit at least ten corporate victims around the world up to August 20, most of them based in the U.S. and Asia. The companies attacked include those in the manufacturing, financial services, engineering, legal, business services, and travel and tourism sectors.

“The encrypted shellcode, however, very likely activates the efspotato.exe file that exploits PetitPotam” – Symantec

According to the US Cybersecurity and Infrastructure Security Agency (CISA), “Malicious cyber actors are actively exploiting the following vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine.” CISA strongly urged organisations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021, which remediates all three ProxyShell vulnerabilities, to protect against these kinds of attacks.

Indications are that the attackers gain access to victims’ networks via Microsoft Exchange servers, then use the incompletely patched PetitPotam vulnerability (CVE-2021-36942) to gain access to the domain controller, and from there spread across the network. It is not clear how the attackers gain initial access to the Exchange servers. After exploiting an Exchange server, the threat actors drop web shells that can be used to upload and execute other programs, and then deploy their file-encrypting payloads to connected workstations, according to a report published by Symantec.

What is known is that the threat actors behind LockFile use a ransom note closely modelled on the one used by the LockBit gang, and reference the Conti group in the email address they use for communications.

Ransom note from LockFile ransomware

To prevent the LockFile gang from gaining access to their systems, companies are advised to apply patches for the PetitPotam and ProxyShell vulnerabilities.

The security researcher says that although LockFile appears to be a new ransomware variant, it could have links to “previously seen or retired threats.”

Indicators of Compromise:

SHA-256 hash                                                      File name
ed834722111782b2931e36cfa51b38852c813e3d7a4d16717f59c1d037b62291  active_desktop_render.dll
cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915  autoupdate.exe
36e8bb8719a619b78862907fd49445750371f40945fefd55a9862465dc2930f9  autologin.sys
5a08ecb2fad5d5c701b4ec42bd0fab7b7b4616673b2d8fbd76557203c5340a0f  autologin.exe
1091643890918175dc751538043ea0743618ec7a5a9801878554970036524b75  autologin.dll
2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a  autoupdate.exe
7bcb25854ea2e5f0b8cfca7066a13bc8af8e7bac6693dea1cdad5ef193b052fd  efspotato.exe
c020d16902bd5405d57ee4973eb25797087086e4f8079fac0fd8420c716ad153  active_desktop_render.dll
a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0  autoupdate.exe
368756bbcaba9563e1eef2ed2ce59046fb8e69fb305d50a6232b62690d33f690  autologin.sys
d030d11482380ebf95aea030f308ac0e1cd091c673c7846c61c625bdf11e5c3a  autoupdate.exe
a0066b855dc93cf88f29158c9ffbbdca886a5d6642cbcb9e71e5c759ffe147f8  autoupdate.exe

IP address:

209.14.0.234
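The hashes and IP address above are only useful if they are actually swept across hosts and logs. The following is an added example (not tooling from the original post or from Symantec) that hashes every file under a directory and matches it against the SHA-256 list, and separately scans web-server or proxy log lines for the listed address. The sample files and log lines inside demo() are constructed for illustration; the file-scan branch is exercised with a stand-in hash computed at run time, because the real LockFile binaries are not available here.

```python
"""Offline IoC sweep for the LockFile indicators listed on this page.

Added example, not code from the original post. Hashes are taken verbatim
from the IoC table above; everything in demo() is constructed test data.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA-256 -> file name, copied from the IoC table above.
LOCKFILE_SHA256 = {
    "ed834722111782b2931e36cfa51b38852c813e3d7a4d16717f59c1d037b62291": "active_desktop_render.dll",
    "cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915": "autoupdate.exe",
    "36e8bb8719a619b78862907fd49445750371f40945fefd55a9862465dc2930f9": "autologin.sys",
    "5a08ecb2fad5d5c701b4ec42bd0fab7b7b4616673b2d8fbd76557203c5340a0f": "autologin.exe",
    "1091643890918175dc751538043ea0743618ec7a5a9801878554970036524b75": "autologin.dll",
    "2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a": "autoupdate.exe",
    "7bcb25854ea2e5f0b8cfca7066a13bc8af8e7bac6693dea1cdad5ef193b052fd": "efspotato.exe",
    "c020d16902bd5405d57ee4973eb25797087086e4f8079fac0fd8420c716ad153": "active_desktop_render.dll",
    "a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0": "autoupdate.exe",
    "368756bbcaba9563e1eef2ed2ce59046fb8e69fb305d50a6232b62690d33f690": "autologin.sys",
    "d030d11482380ebf95aea030f308ac0e1cd091c673c7846c61c625bdf11e5c3a": "autoupdate.exe",
    "a0066b855dc93cf88f29158c9ffbbdca886a5d6642cbcb9e71e5c759ffe147f8": "autoupdate.exe",
}

# Network indicator from the page.
LOCKFILE_IPS = {"209.14.0.234"}

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, watchlist=LOCKFILE_SHA256):
    """Return (path, sha256, label) for every file under root whose hash is on the watchlist.
    Matching is by content hash, not by name, since the droppers can be renamed."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_file(p)
            except OSError:  # unreadable or vanished file; keep sweeping
                continue
            if digest in watchlist:
                hits.append((p, digest, watchlist[digest]))
    return hits


def scan_log_lines(lines, watchlist=LOCKFILE_IPS):
    """Return (line_no, ip, line) for each log line containing a watchlisted IP."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in IP_RE.findall(line):
            if ip in watchlist:
                hits.append((n, ip, line.strip()))
    return hits


def demo():
    """Run both scans on constructed data: a temp directory with one benign file
    and one stand-in 'dropper', plus two constructed access-log lines.
    The stand-in's hash is computed here and is NOT a real LockFile hash."""
    with tempfile.TemporaryDirectory() as tmp:
        stand_in = Path(tmp) / "autoupdate.exe"
        stand_in.write_bytes(b"constructed stand-in for a LockFile dropper\n")
        (Path(tmp) / "readme.txt").write_text("benign file\n")
        watchlist = dict(LOCKFILE_SHA256)
        watchlist[sha256_file(stand_in)] = "autoupdate.exe (constructed test entry)"
        file_hits = scan_tree(tmp, watchlist)
    log_lines = [  # constructed, not real traffic
        '10.0.0.5 - - [20/Aug/2021:10:01:02 +0000] "GET /owa/ HTTP/1.1" 200',
        '209.14.0.234 - - [20/Aug/2021:10:02:17 +0000] "POST /owa/auth/ HTTP/1.1" 200',
    ]
    return file_hits, scan_log_lines(log_lines)


if __name__ == "__main__":
    files, logs = demo()
    for p, digest, label in files:
        print(f"FILE HIT  {p}  {digest}  ({label})")
    for n, ip, line in logs:
        print(f"LOG HIT   line {n}  {ip}  {line}")
```

In production, point scan_tree at the Exchange web roots and at the paths where the web shells and droppers were staged, and feed scan_log_lines the IIS, proxy or firewall logs; a hash match is high confidence, while an IP match should be confirmed against the timestamp of the suspected intrusion.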

Posted by: Ramya Natarajan, currently pursuing an M.Sc. in Cyber Forensics and Information Security at the University of Madras. I’m a dedicated and hard-working person with a lot of interest in the information security field. My hobbies are keeping myself up to date in the field of information security, surfing the internet and reading books.
