New ransomware called LockFile targets Microsoft Exchange servers

Surface Pro 7
Surface Pro 7 (Image credit: Daniel Rubino / Windows Central)

What you need to know

  • A new ransomware attack known as LockFile is targeting Microsoft Exchange servers.
  • LockFile exploits a series of vulnerabilities in Microsoft Exchange known as ProxyShell, according to security researchers.
  • If successful, LockFile can be used to spread ransomware throughout a network.

Microsoft Exchange servers are no stranger to malicious attackers going after them. Now, a new threat has emerged known as LockFile. The ransomware has been used to target Microsoft Exchange servers in the U.S. and Asia since at least July 20, 2021, according to a report by Symantec (via PC Gamer). If successful, this type of attack can take over Windows domains and encrypt devices. Once this is done, a threat actor can spread ransomware throughout a network.

LockFile utilizes an exploit known as PetitPotam, according to Symantec. While it's believed that attackers gain access to a network through Microsoft Exchange servers and then use the PetitPotam vulnerability, Symantec says it's "not clear how the attackers gain initial access to the Microsoft Exchange Servers."

In contrast to Symantec's statement, DoublePulsar reports that the attack exploits vulnerabilities in Microsoft Exchange known as ProxyShell.

Bleeping Computer explains that ProxyShell consists of "three chained Microsoft Exchange vulnerabilities that result in unauthenticated, remote code execution." These vulnerabilities were initially discovered by Orange Tsai.

Microsoft patched the ProxyShell vulnerabilities in May 2021, but researchers and attackers have since been able to reproduce the exploit.

The latest Microsoft Exchange cumulative updates patch the ProxyShell vulnerabilities used in these attacks. Microsoft does not have a full patch for the PetitPotam attack.

The Cybersecurity & Infrastructure Security Agency also has an advisory on the vulnerabilities:

Malicious cyber actors are actively exploiting the following ProxyShell vulnerabilities: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. An attacker exploiting these vulnerabilities could execute arbitrary code on a vulnerable machine. CISA strongly urges organizations to identify vulnerable systems on their networks and immediately apply Microsoft's Security Update from May 2021—which remediates all three ProxyShell vulnerabilities—to protect against these attacks.

Sean Endicott
News Writer and apps editor

Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at