Symantec's security researchers disclosed that they have identified a new ransomware family named LockFile, which appears to be the same ransomware used to attack Microsoft Exchange servers in the United States and Asia earlier this year. In the ongoing campaign, the previously unknown ransomware has infected at least ten businesses, according to Symantec. The targeted systems span various industry sectors.
On July 20, 2021, the LockFile ransomware was first discovered on the network of a US financial institution, and its most recent activity was on August 20.
Working Mechanism
According to Symantec, the attackers gained initial access to victims' networks through Microsoft Exchange Servers, then used the PetitPotam vulnerability to take control of the domain controller, from which they spread across the network.
According to United States Cybersecurity and Infrastructure Security Agency (CISA), “Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organisations to identify vulnerable systems on their networks and immediately apply Microsoft’s Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.”
The ransom note used by the attackers is believed to resemble that of the LockBit ransomware gang, and their contact email address, contact@contipauper.com, references the Conti gang.
According to the report, the attackers normally stage a collection of tools on the compromised Exchange Server roughly 20 to 30 minutes before deploying the ransomware. These include:
* An exploit for CVE-2021-36942 (aka PetitPotam), contained in the file efspotato.exe. The code appears to have been copied from https://github.com/zcgonvh/EfsPotato.
* Two further files, active_desktop_render.dll and active_desktop_launcher.exe.
The efspotato.exe file, which exploits the PetitPotam vulnerability, is most likely launched by the encrypted shellcode. Microsoft addressed the vulnerability in its August Patch Tuesday release, although the update was later found not to fully remediate it.
Victims have been identified in the manufacturing, financial services, engineering, legal, business services, and travel and tourism industries.