
LockFile Ransomware

LockFile appears to be a new threat actor on the ransomware landscape. The group appears to have been active since at least June 2021 and, according to findings, has reached an activity level of targeting 10 organizations in a single month. The hackers exploit two different groups of vulnerabilities - the Microsoft Exchange exploits known as ProxyShell and the Windows PetitPotam vulnerabilities. The final payload delivered to the compromised systems is a new strain of ransomware named LockFile. 

Analysis of older LockFile samples shows that it is not the most sophisticated ransomware threat out there. During its encryption routine, the threat consumes a significant portion of the system's resources and can even cause the machine to freeze. The name of each encrypted file is appended with '.lockfile' as a new extension.

Earlier LockFile infections delivered a non-branded ransom note with typical demands for payment in the Bitcoin cryptocurrency. Later, the gang modified the ransom note to identify themselves as LockFile. The name of the file carrying the ransom-demanding message is '[victim_name]-LOCKFILE-README.hta'. As communication channels, the LockFile gang leaves a TOX account ID and the 'contact@contipauper.com' email address. It should be noted that the email alludes to the Conti Ransomware gang, while the color scheme and layout of the ransom note are similar to the ones used by LockBit. So far, no actual relations to the other groups have been found.
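The two file-naming indicators described above (the '.lockfile' extension on encrypted files and the '[victim_name]-LOCKFILE-README.hta' ransom note) are enough for a quick triage sweep of a suspect share. The following is an added example written for this entry, not code from the LockFile actors or from the threat database; the directory layout it builds, the victim name 'ACME' and the file contents are constructed sample data, and it uses no hashes or other indicators beyond the names given in the text.

```python
"""Triage a directory tree for the LockFile naming indicators.

Added example. Assumptions (taken from the write-up, nothing else):
  - encrypted files carry an appended '.lockfile' extension
  - the ransom note is named '<victim_name>-LOCKFILE-README.hta'
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_EXT = ".lockfile"
# Victim name is arbitrary, so match anything before the fixed suffix.
RANSOM_NOTE_RE = re.compile(r"^.+-LOCKFILE-README\.hta$", re.IGNORECASE)


@dataclass
class TriageResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    affected_dirs: set = field(default_factory=set)

    @property
    def likely_lockfile(self) -> bool:
        # Require both indicators together: a single stray '.lockfile'
        # name is weak evidence, a note plus renamed files is strong.
        return bool(self.encrypted_files) and bool(self.ransom_notes)


def triage_tree(root: str) -> TriageResult:
    """Walk `root` and collect paths matching either indicator."""
    result = TriageResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # Case-insensitive: NTFS shares preserve but do not enforce case.
            if name.lower().endswith(ENCRYPTED_EXT):
                result.encrypted_files.append(path)
                result.affected_dirs.add(dirpath)
            elif RANSOM_NOTE_RE.match(name):
                result.ransom_notes.append(path)
    return result


def build_sample_tree() -> str:
    """Create a throwaway tree (constructed sample data) that mimics an
    affected share: renamed files, one ransom note, and untouched files."""
    root = tempfile.mkdtemp(prefix="lockfile_demo_")
    layout = {
        "finance/q2.xlsx.lockfile": b"ciphertext",
        "finance/q3.xlsx.lockfile": b"ciphertext",
        "finance/ACME-LOCKFILE-README.hta": b"<html>ransom note</html>",
        "hr/policy.docx": b"plain",
        "hr/notes.txt.LOCKFILE": b"ciphertext",
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def demo() -> TriageResult:
    """Run the sweep over the constructed sample tree."""
    return triage_tree(build_sample_tree())


if __name__ == "__main__":
    r = demo()
    print(f"encrypted={len(r.encrypted_files)} notes={len(r.ransom_notes)} "
          f"dirs={len(r.affected_dirs)} likely_lockfile={r.likely_lockfile}")
```

On a real incident the list of affected directories is the useful output: it shows how far the encryption routine got before it was stopped, which is the first question a responder has to answer before deciding what to isolate and what to restore.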

The Attack Chain

To establish an initial foothold on the targeted computers, the LockFile threat actor leverages the ProxyShell vulnerabilities, CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207. This set of chained exploits allows the attackers to achieve unauthorized remote code execution. Once inside, the LockFile hackers move on to the PetitPotam exploit, which provides them with the means to take over a domain controller and, with it, the Windows domain.

The ProxyShell vulnerabilities were fully patched by Microsoft back in May 2021. However, recently unveiled technical details have made it possible for threat actors to replicate the exploit. Still, installing the patches shouldn't be neglected. Dealing with PetitPotam, on the other hand, is a bit trickier. The currently available Microsoft patch doesn't address the full scope of the vulnerability. Cybersecurity operatives looking to prevent PetitPotam attacks may need to turn to unofficial patches.
