A new ransomware family dubbed LockFile that emerged last month uses a technique known as “intermittent encryption.”
The operators of the LockFile ransomware have been discovered targeting ProxyShell and PetitPotam flaws in Windows servers to gain access to data and encrypt files. Their malware encrypts only every alternate 16 bytes of a file, thereby giving it the ability to evade detection.
Cybersecurity firm Sophos analyzed a LockFile sample that came from an artifact uploaded to VirusTotal on August 22, 2021.
“Partial encryption is generally used by ransomware operators to speed up the encryption process and we’ve seen it implemented by BlackMatter, DarkSide and LockBit 2.0 ransomware,” said Mark Loman, Sophos director of engineering. “What sets LockFile apart is that, unlike the others, it doesn’t encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document.”
Since the document is partially readable, some security tools will fail to detect it as a ransomware infection:
“This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware protection software that relies on inspecting content using statistical analysis to detect encryption,” Loman said.
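The statistical effect described above can be seen from the defender's side in the following added example, which is not code from Sophos or from the article. It compares a whole-file entropy measure with a per-16-byte-block check on constructed data. All function names, the 75% printable cutoff and the 0.8 threshold are assumptions, random bytes stand in for ciphertext, and the block check only applies to text-like documents.

```python
import math
import random
from collections import Counter

BLOCK = 16  # stride reported in the article
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def shannon_entropy(data: bytes) -> float:
    """Whole-file statistic: bits of entropy per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def textlike_flags(data: bytes) -> list:
    """Per 16-byte block: True when at least 75% of its bytes are printable ASCII."""
    blocks = (data[i:i + BLOCK] for i in range(0, len(data) - BLOCK + 1, BLOCK))
    return [sum(b in PRINTABLE for b in blk) >= 0.75 * BLOCK for blk in blocks]

def alternation_score(data: bytes) -> float:
    """Fraction of adjacent block pairs that flip between text-like and not."""
    flags = textlike_flags(data)
    if len(flags) < 2:
        return 0.0
    return sum(a != b for a, b in zip(flags, flags[1:])) / (len(flags) - 1)

def looks_intermittent(data: bytes, threshold: float = 0.8) -> bool:
    """Hypothetical rule: flag buffers whose blocks flip almost every time."""
    return alternation_score(data) >= threshold

# --- constructed sample data (no real cipher; random bytes model ciphertext) ---
_rng = random.Random(2021)

def _noise(n: int) -> bytes:
    return bytes(_rng.getrandbits(8) for _ in range(n))

TEXT = (b"Quarterly report: revenue grew in all regions and costs held steady. " * 200)[:8192]
FULL = _noise(len(TEXT))
# Assumption: the overwritten block comes first in each 32-byte pair; the score ignores phase.
PARTIAL = b"".join(_noise(BLOCK) + TEXT[i + BLOCK:i + 2 * BLOCK]
                   for i in range(0, len(TEXT), 2 * BLOCK))

if __name__ == "__main__":
    for name, buf in (("original", TEXT), ("fully random", FULL),
                      ("every other 16 bytes", PARTIAL)):
        print(f"{name:22s} entropy={shannon_entropy(buf):.2f} "
              f"alternation={alternation_score(buf):.2f}")
```

The partially overwritten buffer's entropy sits well below that of the fully random one, which is why a whole-file threshold can miss it, while the block-level alternation score separates it from both the original and the fully random buffer.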
Before encrypting the files and objects and displaying a ransom note, the malware also tries to terminate processes related to virtualization software and databases via Windows Management Instrumentation (WMI).
The ransom note contains an email address “firstname.lastname@example.org.” It’s believed that the gang is referring to a rival ransomware group called Conti.
After successfully encrypting all the files on the machine, the ransomware deletes itself. This means that incident responders or security software can’t find the ransomware binary on the system for later analysis.
“The message here for defenders is that the cyberthreat landscape never stands still, and adversaries will quickly seize every possible opportunity or tool to launch a successful attack,” Loman said.