LockFile Ransomware evades detection using Intermittent Encryption

LockFile is a new family of ransomware that exploits the ProxyShell vulnerabilities to breach targets with unpatched, on-premises Microsoft Exchange servers.

According to Sophos, the new ransomware family emerged in July 2021 after the discovery of the ProxyShell vulnerabilities in Microsoft Exchange servers, followed by a PetitPotam NTLM relay attack to seize control of the domain. It employs “intermittent encryption” to evade detection by ransomware protection solutions, as an encrypted document appears statistically similar to the unencrypted original.

Interestingly, LockFile doesn't encrypt the first few blocks. Instead, it encrypts every other 16 bytes of a document, which means that a file such as a text document remains partially readable and looks statistically like the original.

How does LockFile bypass ransomware protection using intermittent encryption?

LockFile uses memory-mapped input/output (I/O) to encrypt a file. This technique lets the ransomware transparently encrypt cached documents in memory and have the operating system write the encrypted pages back to disk, with little of the disk I/O activity that detection technologies could spot.

It renames encrypted documents to lowercase with a .lockfile extension, and its HTA ransom note looks very similar to that of LockBit 2.0. LockFile also doesn't need to connect to a command-and-control server, which further helps keep its activity under the detection radar.

The ransomware also terminates critical processes associated with virtualization software and databases through Windows Management Instrumentation (WMI) before encrypting critical files and objects and displaying a ransom note that bears stylistic similarities to that of LockBit 2.0.

The ransomware then deletes itself from the system after it has encrypted all the documents on the machine, which makes it difficult for incident responders or antivirus software to find it or clean it up.

What sets LockFile apart is that it doesn't encrypt the first few blocks. Instead, it encrypts every other 16 bytes of a document, so a text document, for instance, remains partially readable. There is an intriguing advantage to this approach: intermittent encryption skews statistical analysis, which in turn confuses some protection technologies.
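The following script is an added example, not code from Sophos or from the ransomware, that shows why the every-other-16-bytes pattern blunts a whole-file entropy check and what a detector can measure instead. It only models the pattern: a constructed plaintext "document" has every other 16-byte chunk after an assumed untouched 64-byte header (the article does not state the exact size of the skipped region) overwritten with seeded random bytes standing in for ciphertext. The whole-file Shannon entropy of that result lands well below the range a fully encrypted file reaches, which is the evasion the article describes; splitting the body into two interleaved chunk streams and comparing their entropies exposes the alternating plaintext/ciphertext layout instead.

```python
import math
import random
from collections import Counter

# Constructed sample document (plain English text); stands in for a user file.
SAMPLE_DOC = (
    b"Quarterly report: revenue grew in all regions. "
    b"Action items for the board are listed below.\n"
) * 40

BLOCK = 16        # granularity described in the article: every other 16 bytes
SKIP_FIRST = 64   # assumed size of the untouched leading region (not given on the page)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def simulate_intermittent(data: bytes, block: int = BLOCK,
                          skip_first: int = SKIP_FIRST, seed: int = 1) -> bytes:
    """Model the encryption *pattern* only: leave the first `skip_first` bytes
    alone, then overwrite every other `block`-byte chunk with seeded random
    bytes that stand in for ciphertext. No cipher, key or malware logic here."""
    rng = random.Random(seed)
    out = bytearray(data)
    pos, scramble = skip_first, True
    while pos < len(out):
        end = min(pos + block, len(out))
        if scramble:
            out[pos:end] = bytes(rng.getrandbits(8) for _ in range(end - pos))
        scramble = not scramble
        pos = end
    return bytes(out)


def simulate_full(data: bytes, seed: int = 1) -> bytes:
    """Model conventional whole-file encryption: every byte replaced by random data."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(len(data)))


def alternating_entropy_gap(data: bytes, block: int = BLOCK,
                            skip_first: int = SKIP_FIRST) -> float:
    """Detection heuristic: split the file body into two interleaved streams
    (even-numbered chunks vs. odd-numbered chunks) and compare their entropies.
    Plain files and fully encrypted files give a gap near 0; an every-other-chunk
    pattern puts ciphertext in one stream and plaintext in the other."""
    body = data[skip_first:]
    chunks = [body[i:i + block] for i in range(0, len(body), block)]
    even = b"".join(chunks[0::2])
    odd = b"".join(chunks[1::2])
    return abs(shannon_entropy(even) - shannon_entropy(odd))


def classify(data: bytes, high: float = 7.5, gap_threshold: float = 2.0) -> str:
    """Whole-file entropy check first, then the interleaved-stream check."""
    if shannon_entropy(data) > high:
        return "high-entropy (whole-file check fires)"
    if alternating_entropy_gap(data) > gap_threshold:
        return "alternating plaintext/ciphertext (interleave check fires)"
    return "looks like plaintext"


if __name__ == "__main__":
    for label, blob in [("original", SAMPLE_DOC),
                        ("intermittent", simulate_intermittent(SAMPLE_DOC)),
                        ("full", simulate_full(SAMPLE_DOC))]:
        print(f"{label:13s} entropy={shannon_entropy(blob):.2f} "
              f"gap={alternating_entropy_gap(blob):.2f} -> {classify(blob)}")
```

The thresholds (7.5 bits for "encrypted", a 2.0-bit gap between the interleaved streams) are illustrative choices for this sample; a real detector would calibrate them per file type and would also compare against the chi-squared or entropy profile of the file before modification, since the interleaved-stream check only catches a strictly alternating layout.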
