LockFile, a new ransomware family that emerged in July, has attempted to dodge ransomware protection using a new technique.

What is the new trick?

Sophos highlights the key findings after analyzing LockFile from an artifact that was uploaded to VirusTotal on August 22.
  • LockFile, unlike other ransomware, doesn't encrypt the first few blocks. Instead, it encrypts every other 16 bytes of a document. This technique is called intermittent encryption.
  • It helps the ransomware evade detection by some ransomware security walls because a partially encrypted document looks statistically very similar to the unencrypted original files.

It is a well-known concept manifested by other groups too, including BlackMatter, LockBit 2.0, and DarkSide. Intermittent encryption, moreover, speeds up the encryption process.

About LockFile

  • LockFile was originally spotted in April while exploiting the ProxyShell Vulnerabilities in Exchange Servers. 
  • It also exploited the recently disclosed PetitPotam vulnerability that enables threat actors to completely take over a Windows domain.

Operational characteristics

  • Once inside the targeted system, the malware interrupts processes associated with virtualization software and databases via the Windows Management Interface.
  • The ransomware need not connect to a C2 server to communicate, which also helps to keep its activities under the radar.
  • Further, the ransomware is capable of wiping itself from infected systems post encryption.
  • Lockfile’s ransom note bears stylistic similarities with that of LockBit 2.0.

Bottom line

Recently, many infamous groups have shut their operations down, facing pressure from international law enforcement actions. In the meantime, several new ransomware groups, including Hive ransomware, have been observed using innovative mechanisms to exfiltrate data and encrypt data on the compromised networks. Firms of all sizes are advised to stay vigilant of these threats.

Cyware Publisher