
rThreat Adversary Spotlight: Lockfile Ransomware

Lockfile Ransomware was first observed on the network of a US financial institution. It encrypts the victim's systems and displays a message with payment instructions. Its primary point of entry is unpatched Microsoft Exchange servers, compromised through the Proxyshell vulnerabilities.

Ransomware continues to be one of the biggest cybersecurity threats for most companies. For those who may not know, ransomware is a type of malware that encrypts company data to make it unusable by the victim and then demands a payment to the operators in exchange for decrypting it. It is extremely effective because most companies need their electronic data to function, which means many will be willing to pay. In this article, we discuss the Lockfile ransomware, which targets Windows domains.

What is Lockfile?

Lockfile is a threat actor group known for the ransomware of the same name. The Lockfile Ransomware was first found on the network of a US financial institution on July 20th, 2021, and was last observed active on August 20th, 2021. Like most ransomware, it encrypts the victim's systems and displays a message with instructions for payment.

Lockfile Ransom

This ransomware encrypts Windows domains after gaining initial access through Microsoft Exchange servers using the Proxyshell vulnerabilities. Proxyshell is the name of an attack chain that combines three Microsoft Exchange vulnerabilities which, when exploited together, give an unauthenticated attacker remote code execution on the server. Proxyshell was discovered by security researcher Orange Tsai, who demonstrated it at the Pwn2Own hacking competition in April 2021. The vulnerabilities are as follows:

CVE-2021-34473 – Pre-auth Path Confusion leads to ACL Bypass (Patched in April 2021 by KB5001779)

CVE-2021-34523 – Elevation of Privilege on Exchange PowerShell Backend (Patched in April 2021 by KB5001779)

CVE-2021-31207 – Post-auth Arbitrary File Write leads to RCE (Patched in May 2021 by KB5003435)

Fortunately, Microsoft released patches for all three vulnerabilities in April and May 2021, but the full technical details of the chain were only presented publicly in August 2021. Those details allowed threat actors to reproduce the exploit, and that is exactly what the Lockfile operators did to break into Exchange servers.

How to Defend Against Lockfile Ransomware

The first thing you should do to defend against this ransomware is to apply the appropriate patches. Microsoft has already released Security Updates for Exchange Server that close all three Proxyshell vulnerabilities (the April and May 2021 updates listed above); note that these only install on a supported Cumulative Update, so a server that is behind on CUs must be brought current first. Patching also does not undo an intrusion that has already happened: if a server was exposed before it was updated, review its IIS logs and file system for signs of earlier exploitation rather than assuming the patch alone made it safe.

The second solution is continuous security validation. This means having a platform in your security stack that challenges your defenses on a regular basis to evaluate the effectiveness of both your controls and your security team. If this is the first time you have heard of the Lockfile Ransomware, you have gone weeks without being aware of a threat to your company, and if your security staff had the same experience, you have been exposed to threats like this for just as long. New threats appear every day, and it is far easier to automate this process than to manually track new attack techniques and rely on point-in-time, manual assessments.

rThreat’s breach and attack emulation platform provides continuous validation-as-a-service so you can challenge your cybersecurity using Lockfile ransomware and other similar threats as they are released in the wild. If you’d like to see how our platform validates controls using Lockfile, request a free demo of rThreat here.


Do you want to learn more about cybersecurity? Please subscribe to our newsletter.