A new ransomware family called LockFile has started targeting Microsoft Exchange servers via ProxyShell and PetitPotam.
Security researchers have discovered a new ransomware family called LockFile that appears to have been used to attack Microsoft Exchange servers in the U.S. and Asia since at least July 20. Symantec said when it revealed LockFile on Aug.20 that it found evidence of the ransomware targeting at least 10 organizations over the course of a single month. The security company said LockFile’s operators used an attack called PetitPotam, which targets a domain controller to gain control over an entire network, but it didn’t know how the attackers gained access to the servers. DoublePulsar’s Kevin Beaumont did. He reported that his personal honeypot project—an intentionally exposed server that can be used to learn more about hacking attempts—was targeted by LockFile’s operators on Aug.13 and Aug.16. Those attacks revealed that LockFile was exploiting a series of vulnerabilities in Microsoft Exchange known collectively as ProxyShell.
