LockFile Ransomware uses a new intermittent encryption technique

Pierluigi Paganini August 31, 2021

Recently emerged LockFile ransomware family LockFile leverages a novel technique called intermittent encryption to speed up encryption.

LockFile ransomware gang started its operations last month, recently it was spotted targeting Microsoft Exchange servers using the recently disclosed ProxyShell vulnerabilities. The popular security expert Kevin Beaumont was one of the first researchers to report that the LockFile operators are using the Microsoft Exchange ProxyShell and the Windows PetitPotam vulnerabilities to take over Windows domains.

Sophos researchers discovered that the group is now leveraging a new technique called “intermittent encryption” to speed up the encryption process.

The operators behind LockFile ransomware encrypt alternate blocks of 16 bytes in a document to evade detection. This is the first time that Sophos experts have seen this approach used in a ransomware attack.

“Partial encryption is generally used by ransomware operators to speed up the encryption process and we’ve seen BlackMatter, DarkSide and LockBit 2.0 ransomware implement this technique,” said Mark Loman, director of engineering at Sophos. “What sets LockFile apart is that, unlike the others, it doesn’t encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document. This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware detection software that relies on inspecting content using statistical analysis to detect encryption.”

Sophos experts spotted the new technique while analyzing a LockFile sample (SHA-256 hash: bf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce) that was uploaded to VirusTotal on August 22, 2021.

The ransomware leverages Windows Management Interface (WMI) to terminate critical processes associated with virtualization software and databases to remove any locks that could interfere with file encryption.

The ransom note is an HTML Application (HTA) file (e.g., ‘LOCKFILE-README-[hostname]-[id].hta’) that is dropped in the root of the drive. The HTA ransom note used by LockFile closely resembles the one used by LockBit 2.0 ransomware:

lockfile fig11

The victims of the Lockfile ransomware gang are in the manufacturing, financial services, engineering, legal, business services, and travel and tourism sectors.

The ransom note used by the Lockfile gang is similar to the one used by the LockBit ransomware operators and reference the Conti gang in the email address used (contact@contipauper[.]com).

Once encrypted the files, the ransomware will append the .lockfile extension to the encrypted file’s names and deletes ransomware binary from the system.

“Once it has encrypted all the documents on the machine, the ransomware deletes itself with the following command:

cmd /c ping -n 5 && del “C:\Users\Mark\Desktop\LockFile.exe” && exit

The PING command sends five ICMP messages to the localhost (i.e., itself), and this is simply intended as a five second sleep to allow the ransomware process to close itself before executing the DEL command to delete the ransomware binary.” states Sophos. “This means that after the ransomware attack, there is no ransomware binary for incident responders or antivirus software to find or clean up.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Lockfile ransomware)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment