New LockFile Ransomware Variant Exploits "PetitPotam" Bug

Researchers are warning of a new ransomware variant spreading globally via exploitation of the “PetitPotam” vulnerability partially patched by Microsoft last week.

Symantec said the “LockFile” variant was first spotted on July 20 in an attack on a US financial services organization and has subsequently targeted at least ten corporate victims around the world up to August 20.

Attacks begin with access to victims’ Microsoft Exchange servers, although how that initial access is obtained isn’t yet clear.

Days after this initial access was established, the threat actors installed a set of tools on the compromised server, including an exploit for CVE-2021-36942 (PetitPotam) and additional files designed to download shellcode to help with the exploitation.

First discovered by a French researcher around a month ago, PetitPotam is an NTLM relay attack vulnerability that an attacker with low privileges can use to take over a domain controller.

It’s been reported that Microsoft’s Patch Tuesday fix for the bug has not fully patched the vulnerability.

“Once access has been gained to the local domain controller, the attackers copy over the LockFile ransomware, along with a batch file and supporting executables, onto the domain controller. These files are copied into the ‘sysvol\domain\scripts’ directory,” Symantec explained.

“This directory is used to deploy scripts to network clients when they authenticate to the domain controller. This means that any clients that authenticate to the domain after these files have been copied over will execute them.”
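The mechanism Symantec describes above makes the SYSVOL scripts directory a high-value place to watch: anything written there reaches every client that next authenticates to the domain. The following PowerShell check is an added example, not code from the article or from Symantec. It lists recently modified executable content under that share, records the owner and SHA-256 of each hit, and is meant to be run on a schedule or during incident triage. The share path, the 24-hour window and the extension list are assumptions to adjust for your environment.

```powershell
# Added example (not from the article or Symantec): flag recently written
# executable content in the domain's SYSVOL scripts share, the location the
# article says LockFile and its batch file were copied to.
# Assumptions: run on a domain-joined host with read access to SYSVOL; the
# share path, time window and extension list are placeholders for your environment.
param(
    [string]$ScriptsPath = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\scripts",
    [int]$HoursBack = 24
)

$cutoff = (Get-Date).AddHours(-$HoursBack)

# File types that match what the article says was dropped: the ransomware
# binary, a batch file and supporting executables (list extended as an assumption).
$watchedExtensions = @('.exe', '.bat', '.cmd', '.dll', '.ps1', '.vbs')

$recent = Get-ChildItem -Path $ScriptsPath -Recurse -File -ErrorAction Stop |
    Where-Object {
        $_.LastWriteTime -ge $cutoff -and
        $watchedExtensions -contains $_.Extension.ToLower()
    }

if (-not $recent) {
    Write-Output "No watched file types written under $ScriptsPath in the last $HoursBack hours."
    return
}

# Record owner and hash for each hit so it can be compared against change
# records and, if unexplained, handed to the incident response process.
$recent | ForEach-Object {
    [pscustomobject]@{
        Path          = $_.FullName
        LastWriteTime = $_.LastWriteTime
        SizeBytes     = $_.Length
        Owner         = (Get-Acl -Path $_.FullName).Owner
        SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
} | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize
```

Because SYSVOL replicates between domain controllers, a file dropped on one controller will appear on all of them, so any unexplained hit should be treated as domain-wide rather than local to the host that reported it.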

The security giant added that although LockFile appears to be a new ransomware variant, it could have links to “previously seen or retired threats.”

Both DarkSide and REvil/Sodinokibi operations have gone silent in recent months after high-profile affiliate attacks put them in the media spotlight and under the scrutiny of the US government.

The threat actors behind LockFile use a ransom note similar in design to the one used by the LockBit gang, and reference the Conti group in the email address they use for communications.
