New ransomware called LockFile targets Microsoft Exchange servers
Ransomware attackers continue to target Microsoft Exchange servers.
What you need to know
- A new ransomware attack known as LockFile is targeting Microsoft Exchange servers.
- LockFile exploits a series of vulnerabilities in Microsoft Exchange known as ProxyShell, according to security researchers.
- If successful, LockFile can be used to spread ransomware throughout a network.
Microsoft Exchange servers are a frequent target for attackers. Now a new threat known as LockFile has emerged. The ransomware has been used to target Microsoft Exchange servers in the U.S. and Asia since at least July 20, 2021, according to a report by Symantec (via PC Gamer). If successful, this type of attack can take over Windows domains and encrypt devices. Once this is done, a threat actor can spread ransomware throughout a network.
LockFile utilizes an exploit known as PetitPotam, according to Symantec. While it's believed that attackers gain access to a network through Microsoft Exchange servers and then use the PetitPotam vulnerability, Symantec says it's "not clear how the attackers gain initial access to the Microsoft Exchange Servers."
In contrast to Symantec's statement, DoublePulsar reports that the attack exploits vulnerabilities in Microsoft Exchange known as ProxyShell.
Bleeping Computer explains that ProxyShell consists of "three chained Microsoft Exchange vulnerabilities that result in unauthenticated, remote code execution." These vulnerabilities were initially discovered by Orange Tsai.
Microsoft patched the ProxyShell vulnerabilities in May 2021, but researchers and attackers have since been able to reproduce the exploit.
The latest Microsoft Exchange cumulative updates patch the ProxyShell vulnerabilities used in these attacks. Microsoft does not have a full patch for the PetitPotam attack.
The Cybersecurity & Infrastructure Security Agency also has an advisory on the vulnerabilities.
Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at firstname.lastname@example.org.