Researchers have reported the discovery of a new ransomware family, known as LockFile. The malware was first observed on a network belonging to a US financial organization. Other victims reside in the manufacturing, engineering, legal, businesses services and tourism sectors. Information pertaining to this ransomware threat remains limited, but we’ll share what we know.

In recent weeks, cyber security experts noted that the ransomware appeared on the networks of 10 firms. While this number may sound trivial, the potential for additional infections is considered extremely high. Here’s why…

LockFile in-action

When LockFile infiltrates systems, it encrypts all files. Then, it renames files using a “.lockfile” extension. Afterwards, victims receive a message prompting them to contact operators to negotiate file recovery.

The LockFile ransomware family targets Microsoft Exchange servers via ProxyShell and PetitPotam. The latter attack targets domain controllers, enabling hackers to acquire full network control.

Researchers state that LockFile relies on a series of existing, often unpatched vulnerabilities. Although Microsoft presented patches for these vulnerabilities earlier this year, researchers affirm that the exploit can be recreated. In turn, this allows for the continuation of LockFile attacks.

Tens of thousands of systems at-risk

“Tens of thousands of Exchange servers are still vulnerable to ProxyLogon and ProxyShell,” stated researcher Kevin Beaumont, on August 21st. Of the vulnerable group, some could be honeypots, although the majority most likely are not.

CISA warning

The US Cybersecurity and Infrastructure Security Agency strongly advocates for organizations to determine whether or not vulnerabilities exist in their systems. The majority of known victims reportedly maintain headquarters in the US or Asia. However, that could change quickly.

Methodologies for mitigating the PetitPotam attack are available via Microsoft’s website. In summary, to prevent LockFile from accessing your systems, apply recommended patches for the PetitPotam and ProxyShell vulnerabilities. The ransomware attackers behind this scheme can target Exchange servers lacking updates.

Ransomware operators involved

The ransomware notes on systems appear to resemble those of the LockBit ransomware gang and make reference to the Conti Gang, providing clues about who’s responsible for the ransomware deployments. At present, researchers believe that this ransomware family may have links to previously observed or retired threats.

After receiving international limelight, the REevil ransomware gang “disappeared” from the internet. Similarly, DarkSide ransomware attackers have also gone silent. Experts suggest that these attackers could reinvent themselves under new monikers. LockFile as a ransomware group revival strategy?

Ransomware threat landscape

Ransomware represents an ever-evolving threat vector and attacks continue to pummel organizations worldwide. Since 2020, ransomware attacks have increased by 93%. Since January of 2021, ransomware attacks have jumped by 300% in the US. What will we see by the end of the year?

Organizations have paid as much as $18 billion to resolve ransomware-related cyber attacks. As ransomware infections have unfolded, organizations have also lost valuable productive work time and in some cases, have experienced significant profit losses. While there are never any guarantees, a strong cyber security posture can substantially reduce risk. Is your organization prepared?

For further insights into emerging ransomware threats, read Believe it or Not, This is What’s Happening with Ransomware, and Accenture’s $50M Ransomware Threat, an Inside Job? Lastly, sign up for our newsletter here.