HomeWinBuzzer NewsMicrosoft Exchange Server Attacks: LockFile Ransomware Uses a Novel Attack Method

Microsoft Exchange Server Attacks: LockFile Ransomware Uses a Novel Attack Method

Researchers for security firm Sophos says the LockFile ransomware targeting Microsoft Exchange servers uses “intermittent encryption”.


Last week we reported on the LockFile that is targeting Exchange servers since July. This week, more information regarding the threat has emerged, providing fresh details into the level of the attacks.

Security researchers at Sophos say LockFile has been targeting vulnerable servers by exploiting ProxyShell flaws in the platform. It uses an “intermittent encryption” attack to stay away from security tools.

Researchers from Sophos discovered the emerging threat in July, which exploits the ProxyShell vulnerabilities in Microsoft Exchange servers to attack systems.

Specifically, LockFile encrypts on every 16 bytes of a file, which means many anti-ransomware software services cannot detect it. In fact, Sophos points out says this method allows encrypted files to look similar to unencrypted documents.


“We haven't seen intermittent encryption used before in ransomware attacks,” Mark Loman, director, engineering for next-gen technologies for Sophos wrote.

Despite its novel attack method, LockFile does share some familiarities with other ransomware. For example, it does not need to access command-and-control to communicate and hide.

“Like WastedLocker and Maze ransomware, LockFile ransomware uses memory mapped input/output (I/O) to encrypt a file,” Loman wrote in the report. “This technique allows the ransomware to transparently encrypt cached documents in memory and causes the operating system to write the encrypted documents, with minimal disk I/O that detection technologies would spot.”

It taps into Microsoft's Windows Management Interface (WMI) command line tool to terminate all processes. Next it moves to other critical processes to take control of a server.

“By leveraging WMI, the ransomware itself is not directly associated with the abrupt termination of these typical business critical processes,” Sophos adds. “Terminating these processes will ensure that any locks on associated files/databases are released, so that these objects are ready for malicious encryption.”

Tip of the day: Is your system drive constantly full and you need to free up space regularly? Try Windows 10 Disk Cleanup in extended mode which goes far beyond the standard procedure. Our tutorial also shows you how to create a desktop shortcut to run this advanced method right from the desktop.

Last Updated on February 14, 2022 8:21 pm CET

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News