LockFile Ransomware Circumvents Protection Using Intermittent File Encryption

 

A new ransomware threat known as LockFile has been affecting organizations all around the world since July. It surfaced with its own set of tactics for getting beyond ransomware security by using a sophisticated approach known as "intermittent encryption." 

The operators of ransomware, called LockFile, have been found exploiting recently disclosed vulnerabilities like ProxyShell and PetitPotam to attack Windows servers and install file-encrypting malware that scrambles just every alternate 16 bytes of a file, allowing it to circumvent ransomware defenses. 

Mark Loman, Sophos director of engineering, said in a statement, "Partial encryption is generally used by ransomware operators to speed up the encryption process, and we've seen it implemented by BlackMatter, DarkSide, and LockBit 2.0 ransomware.” 

"What sets LockFile apart is that, unlike the others, it doesn't encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document." 

"This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware protection software that relies on inspecting content using statistical analysis to detect encryption," Loman added. 

Sophos' LockFile analysis is based on evidence published to VirusTotal on August 22, 2021. Once installed, the virus uses the Windows Management Interface (WMI) to terminate important services linked with virtualization software and databases before encrypting critical files and objects and displaying a ransomware message that looks similar to LockBit 2.0's. 

The ransom message further asks the victim to contact "contact@contipauper.com," which Sophos believes they are referencing a rival ransomware organization named Conti. 
 
Furthermore, after successfully encrypting all of the documents on the laptop, the ransomware erases itself from the system, indicating "there is no ransomware binary for incident responders or antivirus software to identify or clear up." 

Loman warned that the takeaway for defenders is that the cyberthreat landscape never sits still, and adversaries will rapidly grasp any chance or weapon available to conduct a successful attack. 

The disclosures come as the U.S FBI published a Flash report outlining the tactics of a new Ransomware-as-a-Service (RaaS) group known as Hive, which consists of many actors who use multiple mechanisms to attack business networks, steal data, encrypt data on the networks, and attempt to collect a ransom in exchange for access to the decryption keys.