A new ransomware operator known as LockFile encrypts Windows domains after breaking into vulnerable Microsoft Exchange servers using the recently disclosed ProxyShell exploit.

ProxyShell is the collective name for an exploit that chains three vulnerabilities in Microsoft Exchange, Microsoft's popular hosted email server, which together give attackers unauthenticated remote code execution.

While Microsoft fully patched these vulnerabilities in May 2021, more technical details were shared at the recently concluded Black Hat 2021 by cybersecurity researcher Orange Tsai, who discovered the ProxyShell vulnerabilities.

BleepingComputer reports that the new details shared by Tsai allowed both security researchers and threat actors to reproduce the exploit.

Ransomware on Exchange

Following the talk, security researcher Kevin Beaumont noticed that threat actors began probing his Microsoft Exchange honeypot for the ProxyShell vulnerabilities once again.

Another security researcher, Rich Warren, whose Exchange honeypot was also probed using the new attack vector, told BleepingComputer that while the initial payload deployed by the attackers on vulnerable servers was benign, it would soon be swapped out for something far more malicious once the attackers had managed to break into enough servers.

His fears have now come true.

Beaumont now reports that a new ransomware operation known as LockFile uses ProxyShell to compromise the Exchange servers and then exploits the Windows PetitPotam vulnerabilities to take over Windows domains in order to encrypt devices.

LockFile was first seen in July, and BleepingComputer says very little is known about the ransomware as of now. In any case, security experts urge administrators to patch their Exchange servers immediately by installing the latest cumulative updates.

