LockFile Ransomware Bypasses Protection Using Intermittent File Encryption


A new ransomware family that emerged last month comes with its own bag of tricks to bypass ransomware protection, leveraging a novel technique called "intermittent encryption."

Called LockFile, the ransomware is deployed by operators who have been found exploiting recently disclosed flaws such as ProxyShell (Microsoft Exchange) and PetitPotam (NTLM relay) to compromise Windows servers and drop file-encrypting malware that scrambles only every alternate 16 bytes of a file, giving it the ability to evade ransomware defences that look for wholesale changes to file content.


"Partial encryption is generally used by ransomware operators to speed up the encryption process, and we've seen it implemented by BlackMatter, DarkSide and LockBit 2.0 ransomware," Mark Loman, Sophos director of engineering, said in a statement. "What sets LockFile apart is that, unlike the others, it doesn't encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document."

"This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware protection software that relies on inspecting content using statistical analysis to detect encryption," Loman added.
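As an added illustration (this is not Sophos' or LockFile's code), the following Python models the two approaches Loman contrasts: XOR-ing a keystream into every 16-byte block of a document versus into every other block, then runs two detector-style statistics over the result: a whole-file entropy check of the kind he says can be fooled, and a per-block count of non-printable bytes that is not. The keystream (SHA-256 in counter mode), the sample document, the key and nonce, the 7.9-bit threshold and the choice to leave even-numbered blocks in clear are all assumptions of the example, not details of LockFile.

```python
"""Intermittent (every-other-16-byte-block) encryption versus whole-file statistics.

Added example: not Sophos' or LockFile's code. The cipher is a stand-in keystream;
the sample document, key, nonce, thresholds and block parity are constructed assumptions.
"""
import hashlib
import math
import string

BLOCK = 16                  # the 16-byte unit the article describes LockFile working in
ENTROPY_THRESHOLD = 7.9     # assumed cut-off (bits/byte) for a naive "looks encrypted" check
PRINTABLE = frozenset(string.printable.encode())


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream: SHA-256 over (key, nonce, counter). This is NOT the cipher
    LockFile uses; any uniform-looking keystream gives the same statistics."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def encrypt(data: bytes, key: bytes, nonce: bytes, intermittent: bool) -> bytes:
    """XOR the keystream into every block (intermittent=False) or, as described for
    LockFile, into every other block (intermittent=True). Assumption: blocks 1, 3, 5, ...
    are scrambled and blocks 0, 2, 4, ... stay in clear; the page does not say which
    block LockFile starts with. XOR is self-inverse, so the same call also decrypts."""
    ks = keystream(key, nonce, len(data))
    out = bytearray(data)
    for start in range(0, len(data), BLOCK):
        if intermittent and (start // BLOCK) % 2 == 0:
            continue                                  # leave this block as plaintext
        for j in range(start, min(start + BLOCK, len(data))):
            out[j] ^= ks[j]
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Whole-file Shannon entropy in bits per byte (8.0 = perfectly uniform)."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def naive_entropy_check(data: bytes) -> bool:
    """The whole-file statistical test Loman describes being fooled: flag only content
    that looks uniformly random overall."""
    return shannon_entropy(data) > ENTROPY_THRESHOLD


def scrambled_block_fraction(data: bytes, min_nonprintable: int = 6) -> float:
    """Per-block test: a 16-byte block of a text document that suddenly holds many
    non-printable bytes has almost certainly been overwritten with ciphertext.
    Counting such blocks instead of averaging over the file exposes half-encrypted output.
    (A uniform random block has ~10 non-printable bytes; a text block has none.)"""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    hits = sum(1 for blk in blocks
               if sum(1 for x in blk if x not in PRINTABLE) >= min_nonprintable)
    return hits / len(blocks)


# Constructed sample document: a repeated English paragraph (~8 KiB, all printable).
PARAGRAPH = (b"Quarterly revenue figures for the northern region are attached. "
             b"Please review the totals before the board meeting on Thursday and "
             b"send any corrections to finance by end of day.\n")
SAMPLE_PLAINTEXT = PARAGRAPH * (8192 // len(PARAGRAPH) + 1)
KEY = b"constructed-demo-key"        # constructed; nothing here reproduces LockFile's keys
NONCE = b"constructed-nonce"


def stats(data: bytes) -> dict:
    """Bundle the three measurements for one file image."""
    return {"entropy": round(shannon_entropy(data), 3),
            "naive_flag": naive_entropy_check(data),
            "scrambled_blocks": round(scrambled_block_fraction(data), 3)}


def demo() -> dict:
    """Statistics for the clear document, full encryption and intermittent encryption."""
    return {"plain": stats(SAMPLE_PLAINTEXT),
            "full": stats(encrypt(SAMPLE_PLAINTEXT, KEY, NONCE, intermittent=False)),
            "intermittent": stats(encrypt(SAMPLE_PLAINTEXT, KEY, NONCE, intermittent=True))}


if __name__ == "__main__":
    for name, s in demo().items():
        print(f"{name:12s} entropy={s['entropy']:.3f} naive_flag={s['naive_flag']!s:5s} "
              f"scrambled_blocks={s['scrambled_blocks']:.3f}")
    part = encrypt(SAMPLE_PLAINTEXT, KEY, NONCE, intermittent=True)
    print("first clear block of intermittent output:", part[:BLOCK])
```

Run it and the half-encrypted document lands well under the whole-file entropy threshold while roughly half of its blocks are obviously ciphertext; the same call decrypts because XOR is self-inverse. The practical point is the one Loman makes: a detector that averages over the whole file sees something that still looks mostly like text, so content-based protection needs to look at locality (which blocks changed, and how) rather than at a single global statistic.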

Sophos' analysis of LockFile is based on an artifact that was uploaded to VirusTotal on August 22, 2021.

Once dropped, the malware also uses Windows Management Instrumentation (WMI) to terminate critical processes associated with virtualization software and databases, before proceeding to encrypt critical files and objects and displaying a ransom note that bears stylistic similarities to that of LockBit 2.0.


The ransom note also urges the victim to contact a specific email address, "[email protected]," which Sophos suspects could be a derogatory reference to a competing ransomware group called Conti.


What's more, the ransomware deletes itself from the system after successfully encrypting all the documents on the machine, meaning that "there is no ransomware binary for incident responders or antivirus software to find or clean up."

"The message here for defenders is that the cyberthreat landscape never stands still, and adversaries will quickly seize every possible opportunity or tool to launch a successful attack," Loman said.

The disclosure comes as the U.S. Federal Bureau of Investigation (FBI) released a Flash report detailing the tactics of a new Ransomware-as-a-Service (RaaS) outfit known as Hive, consisting of a number of actors who are using multiple mechanisms to compromise business networks, exfiltrate and encrypt data on those networks, and attempt to collect a ransom in exchange for access to the decryption software.
