New ransomware called LockFile targets Microsoft Exchange servers
Ransomware attackers continue to target Microsoft Exchange servers.
What you need to know
- A new ransomware attack known as LockFile is targeting Microsoft Exchange servers.
- LockFile exploits a series of vulnerabilities in Microsoft Exchange known as ProxyShell, according to security researchers.
- If successful, LockFile can be used to spread ransomware throughout a network.
Microsoft Exchange servers are no strangers to attacks. Now, a new threat known as LockFile has emerged. The ransomware has been used to target Microsoft Exchange servers in the U.S. and Asia since at least July 20, 2021, according to a report by Symantec (via PC Gamer). If successful, this type of attack can take over Windows domains and encrypt devices. Once this is done, a threat actor can spread ransomware throughout a network.
LockFile utilizes an exploit known as PetitPotam, according to Symantec. While it's believed that attackers gain access to a network through Microsoft Exchange servers and then use the PetitPotam vulnerability, Symantec says it's "not clear how the attackers gain initial access to the Microsoft Exchange Servers."
In contrast to Symantec's statement, DoublePulsar reports that the attack exploits vulnerabilities in Microsoft Exchange known as ProxyShell.
Bleeping Computer explains that ProxyShell consists of "three chained Microsoft Exchange vulnerabilities that result in unauthenticated, remote code execution." These vulnerabilities were initially discovered by Orange Tsai.
Microsoft patched the ProxyShell vulnerabilities in May 2021, but researchers and attackers have since been able to reproduce the exploit.
The latest Microsoft Exchange cumulative updates patch the ProxyShell vulnerabilities used in these attacks. Microsoft does not have a full patch for the PetitPotam attack.
The Cybersecurity & Infrastructure Security Agency also has an advisory on the vulnerabilities:
Sean Endicott is a tech journalist at Windows Central, specializing in Windows, Microsoft software, AI, and PCs. He's covered major launches, from Windows 10 and 11 to the rise of AI tools like ChatGPT. Sean's journey began with the Lumia 740, leading to strong ties with app developers. Outside writing, he coaches American football, utilizing Microsoft services to manage his team. He studied broadcast journalism at Nottingham Trent University and is active on X @SeanEndicott_ and Threads @sean_endicott_.