Summary: A new ransomware variant, called LockFile, is targeting the Exchange Servers with ProxyShell and ProxyLogon vulnerabilities. The threat actors are specifically exploiting a partially patched bug called PetitPotam. In this blog, we’ve discussed the LockFile ransomware in detail and mentioned the steps to safeguard Exchange Server from malicious attacks, such as LockFile.
Security researchers have found a new ransomware, known as LockFile, which is targeting organizations with ProxyShell vulnerabilities. The threat actors are using the technical details to exploit the ‘ProxyShell’ and ‘PetitPotam’ vulnerabilities and to gain access to the Domain Controller (DC) and then the entire enterprise network. According to security researcher Kevin Beaumont, these vulnerabilities are worse than the ProxyLogon, which is considered as one of the most severe vulnerabilities found in the history of MS Exchange.
What is LockFile Ransomware?
LockFile is a new ransomware variant that was first spotted on July 20, 2021 when an attack on a US-based organization occurred. Subsequent attacks on at least ten more organizations were followed up till August 20. Although the threat actors behind LockFile are targeting vulnerable Exchange servers across the globe, most of its victims are from the United States and Asia. According to Symantec (part of Broadcom Inc), the LockFile has affected the organizations in various sectors, such as financial services, manufacturing, business services, legal, travel, engineering, tourism, etc.
The LockFile ransomware ransom note is similar to the note designed by the LockBit threat group. It also refers to the Conti group in the email that they use.
How is LockFile Ransomware Affecting the Organizations?
The threat actors behind LockFile ransomware access the on-premises Exchange Server using the ProxyShell bug and then use the PetitPotam vulnerability to access the Domain Controller. PetitPotam vulnerability was partially patched by Microsoft last week. Once access to organizations’ domain controller is established, they install tools on the domain controller, such as:
- Exploit for CVE-2021-36942 (PetitPotam)
- Two files: active_desktop_launcher.exe and active_desktop_render.dll that encrypts the systems and devices on the network
Once the threat actors are in your network and controlling the domain controller, they deploy the LockFile ransomware and some batch files and executables on the domain controller.
According to Symantec, “The files are copied in the ‘sysvol\domain\scripts’ directory, which is used to deploy scripts to network clients when they authenticate to the domain controller. This means any clients that authenticate to the domain after these files are copied will execute them.”
Update: The threat actors behind LockFile ransomware are now taking advantage of a new technique called intermittent encryption to speed up the data encryption process. This technique was earlier utilized by ransomware, such as DarkSide, LickBit 2.0, and BlackMatter. Instead of encrypting first few blocks, the LockFile ransomware encrypts every 16 bytes of the file. This makes the file or data partially readable, which may trick the software from detecting the ransomware.
How to Protect your Organization from LockFile Ransomware?
Organizations using the Active Directory Certificate Services (AD CS) with the following services are potentially vulnerable to PetitPotam attack.
- Certificate Authority Web Enrollment
- Certificate Enrollment Web Service
However, Microsoft has shared methods to mitigate the PetitPotam attack. After mitigating the risks, follow these steps to patch your Exchange Server and safeguard your organization against LockFile and other malicious attacks.
Step 1: Run Exchange Server Health Checker Script
Download the Exchange Server Health Checker Script or HealthChecker.ps1 from GitHub and execute it on your Exchange Server 2013, 2016, or 2019. The steps are as follows:
- Open Exchange Management Shell (EMS) and navigate to the folder location where HealthChecker.ps1 script is downloaded.
- Then execute the following command to run the script on the server,
.\HealthChecker.ps1
- You may also run the script for a specific server by using -Server parameter.
.\HealthChecker.ps1 -Server Exch01
- If the output results in error and the script does not run, execute the following command in EMS and then run the HealthChecker.ps1 script.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
If the script displays the vulnerabilities, you need to patch them by downloading and installing the updates released by Microsoft. You may also further investigate and mitigate the risks using the EOMT tool.
Step 2: Run EOMT
EOMT is a one-click Exchange On-Premises Mitigation tool released by Microsoft. The steps to use the EOMT tool are as follows:
- Download the EOMT.ps1 on your system and then open EMS.
- In the EMS window, navigate to the EOMT.ps1 location and then execute the following command:
.\EOMT.ps1
- The tool runs MSERT or Microsoft Safety Scanner in Quick Scan mode to find and remove threats and web shells installed by threat actors.
Step 3: Download and Install Exchange Server Updates
Now you can download and install the Exchange Server updates to patch the ProxyShell and other vulnerabilities and protect your servers from threats. For details on Exchange Server security updates and installation, refer to our blog on Microsoft Exchange Remote Code Execution Vulnerability Flaws and their Fixes.
To Wrap Up
The LockFile ransomware group exploited a vulnerability that Microsoft partially patched in May this year. However, according to security researcher Kevin Beaumont, tens of thousands of Exchange Servers are not patched and are vulnerable to ProxyLogon and ProxyShell attacks. The best defense is to enable automatic updates and install the latest Exchange Server security updates released from March 2021. However, if your server is compromised or crashed due to malicious attacks, you can use the backup to restore mailboxes on a new server. Alternatively, you can use an Exchange recovery software, such as Stellar Repair for Exchange, to recover mailboxes from inaccessible databases (when backups aren’t available or obsolete).
