New LockFile ransomware gang weaponizes ProxyShell and PetitPotam attacks

A new ransomware group has weaponized two recently disclosed vulnerabilities in order to improve their chances at breaching, taking over, and encrypting corporate networks.

Named LockFile, this new ransomware gang has been seen exploiting a vulnerability known as ProxyShell to gain access to Microsoft Exchange email servers, from where it pivots to companies' internal networks, according to reports from security firm TG Soft and security researcher Kevin Beaumont.

Once inside, LockFile operators abuse an attack method known as PetitPotam to take over a company's Windows domain controller and then deploy their file-encrypting payloads to connected workstations, according to a report published on Friday by security firm Symantec.

Details about the PetitPotam attack and the ProxyShell vulnerability have been disclosed at the end of July and early August, respectively, showing once again that cybercrime gangs are quite quick to weaponize exploits when they enter the public domain.

Symantec said the group has already hit at least ten organizations, with most of its victims based in the US and Asia.

"The LockFile ransomware was first observed on the network of a US financial organization on July 20, 2021, with its latest activity seen as recently as August 20," the company said last week.

Currently, details about this ransomware operation are still scarce. What is known is that LockFile is trying to mimic the visual style of the ransom notes used by LockBit, a more well-known ransomware gang that recently has seen a spike in use in the criminal underworld.


To prevent the LockFile gang from gaining access to their systems, companies are advised to apply patches for the PetitPotam and ProxyShell vulnerabilities.

PetitPotam patches and mitigations are detailed here.

ProxyShell security patches have shipped with May and July Windows security updates (CVE-2021-31207CVE-2021-34473, and CVE-2021-34523).

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Catalin Cimpanu

Catalin Cimpanu

is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.