A new ransomware gang named LockFile has emerged. The group encrypts files on Windows domains after breaking into Microsoft Exchange servers using the recently disclosed ProxyShell vulnerabilities. ProxyShell is a collection of three vulnerabilities that are chained to take control of Microsoft Exchange servers. The three vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) were all patched in May 2021, although many organizations that use Exchange have not applied the updates, and the threat level recently became more severe because additional technical details were disclosed, allowing the exploit to be reproduced. The LockFile threat group has been reported to use the “PetitPotam” attack method to completely take over Domain Controllers after gaining initial access to Exchange servers via ProxyShell. The LockFile leak site looks very similar to the LockBit leak site, although that appears to be the only similarity. The contact information on the leak site lists firstname.lastname@example.org as the group’s email address, which may indicate that the LockFile group claims a relationship to (or a contrast with) the Conti ransomware operation.
When evaluating a Managed Detection & Response (MDR) service there are 5 critical components that