Last Updated on 22/11/2021 by Riya
Windows domains have lost their resistance to attack after the discovery of a new attack method, the PetitPotam NTLM relay. The method was first seen in use in July by a new ransomware gang named LockFile. The main targets are in the U.S. and Asia, affecting organizations in the following sectors: engineering, travel and tourism, business, legal and financial.
Security researchers at Symantec, a division of Broadcom, believe that the attackers gained access via Microsoft Exchange Servers, although the original method remains unknown. The attackers then take over the company’s domain controller using the PetitPotam method, coercing authentication to an NTLM relay under LockFile’s control.
Once the domain is under their control, the attackers can do whatever they want. In July, security researcher Gilles Lionel discovered that the PetitPotam method comes in several variants. Microsoft has tried to weaken it through regular updates but has not blocked it completely. LockFile appears to be using open-source code to abuse the original PetitPotam variant.
Similar to the gamechanger: LockFile appears to be similar to a group that destroyed many organizations, infiltrated their systems, and made a large profit. Their email address also openly references the Conti gang.
On close analysis, the researchers were able to reconstruct the attack chain. The attackers spend at least a few days on the network before releasing the malware and encrypting files. To destroy the victim’s Exchange server, they run a PowerShell command that downloads a file. Finally, 20 to 30 minutes before releasing the malware, they take over the domain controller by installing two files on the Exchange Server: active_desktop_render.dll and active_desktop_launcher.exe (the legitimate KuGou Active Desktop launcher). To dodge detection by security software, the legitimate KuGou Active Desktop launcher is abused to load the malicious DLL.
The DLL then tries to load and decrypt a file named “destop.ini” containing shellcode. In the final step, they copy the LockFile ransomware payload to the local domain controller and push it across the network with the help of a script and executables. LockFile is an advanced ransomware strain, and it is growing so rapidly that it could leave other ransomware groups behind.
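The side-loading step described above (a legitimate launcher dropped next to a malicious DLL and then made to load it) can be hunted for in endpoint telemetry. The following is an added detection sketch, not code from the article or from Symantec; it generalizes from the two reported file names to any EXE/DLL pair dropped together. The event schema, host name, directory and timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta
from ntpath import basename, dirname

# File names the article reports for the side-loading pair.
REPORTED_PAIR = {"active_desktop_launcher.exe", "active_desktop_render.dll"}

def find_sideloads(events, window=timedelta(minutes=10)):
    """Flag an EXE loading a DLL that was dropped beside it shortly before.

    Event schema (hypothetical): time (ISO 8601), host, type
    ('file_create' | 'image_load'), path, and 'process' for image loads.
    """
    created, hits = {}, []  # created: (host, path) -> creation time
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        path = ev["path"].lower()
        if ev["type"] == "file_create":
            created[(ev["host"], path)] = when
        elif ev["type"] == "image_load":
            proc = ev["process"].lower()
            dll_time = created.get((ev["host"], path))
            exe_time = created.get((ev["host"], proc))
            if dll_time is None or exe_time is None:
                continue  # at least one file was not newly written
            if dirname(path) == dirname(proc) and abs(dll_time - exe_time) <= window:
                names = {basename(proc), basename(path)}
                hits.append({"host": ev["host"], "process": proc, "dll": path,
                             "matches_report": names == REPORTED_PAIR})
    return hits

# Constructed sample events; directory, host and timestamps are made up.
D = r"C:\Temp\drop"
SAMPLE = [
    {"time": "2000-01-01T10:00:00", "host": "EXCH01", "type": "file_create",
     "path": D + r"\active_desktop_launcher.exe"},
    {"time": "2000-01-01T10:00:05", "host": "EXCH01", "type": "file_create",
     "path": D + r"\Active_Desktop_Render.dll"},
    {"time": "2000-01-01T10:01:00", "host": "EXCH01", "type": "image_load",
     "path": D + r"\active_desktop_render.dll",
     "process": D + r"\active_desktop_launcher.exe"},
    # Benign: long-installed program loading a system DLL (no file_create).
    {"time": "2000-01-01T10:02:00", "host": "EXCH01", "type": "image_load",
     "path": r"C:\Windows\System32\kernel32.dll",
     "process": r"C:\Program Files\App\app.exe"},
]

if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE):
        print(hit)
```

Software installers also drop an EXE and its DLLs together, so this heuristic is most useful on servers such as Exchange hosts and domain controllers, where new binaries are rare and each hit can be reviewed.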