LockFile Ransomware Bypasses Protection Using Intermittent File Encryption

A new ransomware family that emerged last month comes with its own bag of tricks to bypass ransomware protection by leveraging a novel technique called “intermittent encryption.”

Called LockFile, the operators of the ransomware have been found exploiting recently disclosed flaws such as ProxyShell and PetitPotam to compromise Windows servers and deploy file-encrypting malware that scrambles only every alternate 16 bytes of a file, thereby giving it the ability to evade ransomware defences.


“Partial encryption is generally used by ransomware operators to speed up the encryption process and we’ve seen it implemented by BlackMatter, DarkSide and LockBit 2.0 ransomware,” Mark Loman, Sophos director of engineering, said in a statement. “What sets LockFile apart is that, unlike the others, it doesn’t encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document.”

“This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware protection software that relies on inspecting content using statistical analysis to detect encryption,” Loman added.
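To make the detection problem concrete, here is an added example (not from the article or from Sophos’ analysis). It simulates the every-other-16-bytes pattern by overwriting alternate blocks of a constructed text document with seeded pseudo-random bytes (a stand-in for ciphertext, not LockFile’s actual cipher), then compares a whole-file entropy statistic, which the technique blunts, with a per-block check that still separates the partially encrypted file from the original. The sample text, the seed and the threshold of six non-printable bytes per block are assumptions chosen for the demonstration.

```python
import math
import random
from collections import Counter

BLOCK = 16  # LockFile alternates 16-byte blocks, per the article

# Constructed sample "document": plain ASCII text, roughly 4 KiB
SAMPLE_TEXT = b"Quarterly report: revenue grew 12% while costs fell slightly.\n" * 70


def scramble(data: bytes, every_other: bool, seed: int = 1234) -> bytes:
    """Overwrite 16-byte blocks with seeded pseudo-random bytes as a stand-in
    for ciphertext. every_other=True mimics intermittent encryption (blocks
    1, 3, 5, ... replaced, even-numbered blocks left intact); False replaces
    every block, i.e. conventional full-file encryption."""
    rng = random.Random(seed)
    out = bytearray(data)
    for start in range(0, len(out), BLOCK):
        if every_other and (start // BLOCK) % 2 == 0:
            continue  # intact block: this is what keeps the file partly readable
        end = min(start + BLOCK, len(out))
        out[start:end] = bytes(rng.getrandbits(8) for _ in range(end - start))
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer: the kind of file-level statistic
    that intermittent encryption is designed to keep close to the original."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def random_block_fraction(data: bytes, min_nonprintable: int = 6) -> float:
    """Fraction of 16-byte blocks that look like ciphertext. For a text document,
    a block holding 6+ non-printable bytes is far more likely random data than
    prose. Scoring per block rather than per file keeps the signal even when
    only every other block has been encrypted."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    flagged = sum(1 for b in blocks
                  if sum(x not in PRINTABLE for x in b) >= min_nonprintable)
    return flagged / len(blocks)


def compare() -> dict:
    """Return {variant: (whole-file entropy, random-looking block fraction)}."""
    variants = {
        "original": SAMPLE_TEXT,
        "intermittent": scramble(SAMPLE_TEXT, every_other=True),
        "full": scramble(SAMPLE_TEXT, every_other=False),
    }
    return {name: (round(shannon_entropy(d), 2), round(random_block_fraction(d), 2))
            for name, d in variants.items()}


if __name__ == "__main__":
    for name, (entropy, frac) in compare().items():
        print(f"{name:13s} entropy={entropy:.2f} bits/byte  random-looking blocks={frac:.0%}")
```

The intermittently scrambled file lands between the original and the fully scrambled one on whole-file entropy, while the per-block count flags roughly half of its blocks, which is the signal a file-level statistic loses.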

Sophos’ analysis of LockFile comes from an artifact that was uploaded to VirusTotal on August 22, 2021.

Once deposited, the malware also takes steps to terminate critical processes associated with virtualization software and databases via the Windows Management Interface (WMI), before proceeding to encrypt critical files and objects and display a ransom note that bears stylistic similarities with that of LockBit 2.0.

The ransom note also urges the victim to contact a specific email address “[email protected],” which Sophos suspects could be a derogatory reference to a competing ransomware group called Conti.


What’s more, the ransomware deletes itself from the system after successful encryption of all the documents on the machine, meaning that “there is no ransomware binary for incident responders or antivirus software to find or clean up.”

“The message here for defenders is that the cyberthreat landscape never stands still, and adversaries will quickly seize every possible opportunity or tool to launch a successful attack,” Loman said.

The disclosure comes as the U.S. Federal Bureau of Investigation (FBI) released a Flash report detailing the tactics of a new Ransomware-as-a-Service (RaaS) outfit called Hive, consisting of a number of actors who are using multiple mechanisms to compromise enterprise networks, exfiltrate data and encrypt data on the networks, and attempt to collect a ransom in exchange for access to the decryption software.
