[MART] - Daily Diary #331 - LockFile Ransomware Using PetitPotam Variation

CTAS-MAT ctas-mat at appgate.com
Fri Aug 20 22:24:08 UTC 2021


I hope everyone is doing well!

Below is the entry for today.

08/20/2021 - Diary entry #331:

A new ransomware gang named LockFile has been observed since July using a recent technique called PetitPotam. PetitPotam consists of the abuse of a legitimate Windows function, allowing an attacker to take over a Windows domain controller. As mentioned in our Daily Diary #323, Microsoft released a patch to block this attack, but variations have already emerged.

The LockFile gang was spotted in recent attacks gaining access to targets through Microsoft Exchange servers. To move laterally and deploy the ransomware, the threat actor takes over the target's domain controller using the PetitPotam variation. This new variant, published on GitHub and dubbed EfsPotato, forces an authentication to a remote NTLM relay controlled by LockFile.

After taking over the domain controller, the group can execute commands and deploy its ransomware. LockFile's ransom note is similar to the one used by the LockBit group, and its contact email for negotiation contains a reference to the Conti group. It is not yet clear whether those groups share resources or are working together.

Kind Regards,



Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.tarijon at appgate.com>
O: +55 11 97467 9549

