Microsoft Exchange server hacked by LockFile ransomware

The hacker group behind a new ransomware called LockFile has encrypted Windows domains after hacking into Microsoft Exchange servers with the ProxyShell vulnerability.

ProxyShell is the name of an attack that includes a series of three Microsoft Exchange vulnerabilities. If the exploit is successful, the hacker can execute code remotely without authentication.

These three vulnerabilities were discovered by a security researcher. He linked them together to take control of a Microsoft Exchange server in April at the Pwn2Own 2021 hacking contest.

The three vulnerabilities are as follows:

  1. CVE-2021-34473 (patched in April with update KB5001779)
  2. CVE-2021-34523 (patched in April with update KB5001779)
  3. CVE-2021-31207 (patched in May with update KB5003435)

Since Microsoft has released patches for all three vulnerabilities, many technical details have been revealed. Therefore, both security researchers and hackers can easily develop exploit methods.

A new ransomware called LockFile has since appeared. The people behind it are actively scanning for unpatched Microsoft Exchange servers.

By taking advantage of ProxyShell, the attackers get into Microsoft Exchange servers. They then exploit the PetitPotam vulnerability to take control of the domain controller and then the Windows domain.

From here, they spread ransomware to the entire network of the attacked company or organization.

LockFile is a newly emerged ransomware. According to experts' research, LockFile is quite troublesome: it takes up a lot of system resources and causes an infected computer to freeze temporarily.

To avoid being attacked by hackers, security experts recommend that users and enterprise IT administrators immediately update to the latest Windows 10 patches.

Update 23 August 2021