LockFile Ransomware Uses Sophisticated New Encryption Technique To Avoid Detection

by | September 4, 2021 | Cybersecurity News

Sophos researchers discovered in July that the bad guys behind LockFile ransomware had changed their attack strategy, exploiting the ProxyShell vulnerabilities in Microsoft Exchange servers.

LockFile Ransomware – An Emerging Threat To Be Feared?

Cybersecurity experts spotted new ransomware gaining popularity right after the discovery of the ProxyShell vulnerabilities in Microsoft Exchange servers. The threat, called LockFile, uses a mix of tactics from previous ransomware groups and a never before seen “intermittent encryption” technique to avoid detection.

LockFile ransomware was discovered by researchers at Sophos. It encrypts every 16 bytes of a file, meaning some conventional anti-ransomware solutions won’t even notice it, because “an encrypted document looks statistically very similar to the unencrypted original,” Mark Loman, director, engineering, for next-gen technologies at Sophos, wrote in a report on LockFile published last week.

LockFile Ransomware exploits ProxyShell vulnerabilities in Microsoft Exchange servers.

“We haven’t seen intermittent encryption used before in ransomware attacks,” he added.

According to researchers, the new ransomware starts by exploiting unpatched ProxyShell flaws and then seizes control of a victim’s domain by using a so-called PetitPotam NTLM relay attack.

In this kind of attack, the hacker connects to a server using Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC), hijacks the authentication process, and manipulates the results to trick the server into ‘believing’ the attacker has a legitimate right to access it, according to an earlier report from Sophos.

“Like WastedLocker and Maze ransomware, LockFile ransomware uses memory mapped input/output (I/O) to encrypt a file,” Loman wrote in the report. “This technique allows the ransomware to transparently encrypt cached documents in memory and causes the operating system to write the encrypted documents, with minimal disk I/O that detection technologies would spot.”

A Closer Look

Sophos experts examined LockFile using a sample of it with the SHA-256 hash “bf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce” that they discovered on VirusTotal. After opening it, the researchers found only three functions and three sections.

The first section is named ‘OPEN’ and contains no data but only zeroes. The second section, ‘CLSE,’ however, includes the three functions of the sample.

“The entry() function is simple and calls FUN_1400d71c0():,” researchers said. “The FUN_1400d71c0() function decodes the data from the CLSE section and puts it in the OPEN section. It also resolves the necessary DLLs and functions. Then it manipulates the IMAGE_SCN_CNT_UNINITIALIZED_DATA values and jumps to the code placed in the OPEN section.”

Researchers reverse-engineered the code and found the ransomware’s main function, the first step of which creates a crypto library that LockFile most likely uses for its encryption processes.

The ransomware then terminates all processes with vmwp in their name using the Windows Management Interface (WMI) command-line tool WMIC.EXE. It then goes on to repeat the process for other critical businesses linked to virtualization software and databases, according to researchers.

By leveraging WMI, the ransomware itself is not directly associated with the abrupt termination of these typical business critical processes,” Sophos explained. “Terminating these processes will ensure that any locks on associated files/databases are released, so that these objects are ready for malicious encryption.”

Researchers said LockFile ransomware modifies the encrypted files to lower case and adds a ‘.lockfile’ file extension. It also includes an HTML Application (HTA) ransom note that strikingly resembles that of LockBit 2.0.

“In its ransom note, the LockFile adversary asks victims to contact a specific e-mail address: contact[@]contipauper.com,” they said, adding that the domain name—which appears to have been created on Aug. 16 and to be a “derogatory reference” to the Conti Gang, a still-active and competing cybercriminals group.

What Is Intermittent Encryption?

It’s not the partial encryption method that makes LockFile ransomware stand out, but the unique way it uses it.

“What sets LockFile apart is that it doesn’t encrypt the first few blocks,” Loman noted. “Instead, LockFile encrypts every other 16 bytes of a document. This means that a text document, for instance, remains partially readable.”

The main advantage of this technique is that it evades protection solutions based on “chi-squared (chi^2)” analysis.

“An unencrypted text file of 481 KB (say, a book) has a chi^2 score of 3850061,” Loman explained. “If the document was encrypted by DarkSide ransomware, it would have a chi^2 score of 334 – which is a clear indication that the document has been encrypted. If the same document is encrypted by LockFile ransomware, it would still have a significantly high chi^2 score of 1789811.”

Following the complete encryption of all files on the victim’s machine, LockFile vanishes, deleting itself. “This means that after the ransomware attack, there is no ransomware binary for incident responders or antivirus software to find or clean up,” researchers wrote.

Protect Your Company from Ransomware Attacks with ATTACK Simulator

The majority of ransomware attacks have one major aspect in common: their infectious vector – phishing emails.

Here at ATTACK Simulator, we put ourselves in the attacker’s shoes as we believe that understanding their thinking and actions is vital in designing an accurate simulation. We believe that the best approach in educating your employees on cybersecurity practices is exposing them to life-like phishing simulations.

Here’s our comprehensive approach to phishing simulations:

  • Automated attack simulation – we simulate all kinds of cyberattacks.
  • Real-life scenarios – we evaluate users’ vulnerability to give company or pesonal data away using realistic web-pages.
  • User behaviour analysis – we gather user data and compile it in extensive reports to give you a detailed picture of your employees’ security awareness level.
  • Malicious file replicas – our emails contain malware file repilcas, to make the simulation as realistic as it can be.
  • Interactive lessons – if employees fail to recognize our traps and fall into one, they will discover lessons on the best security practices.

Ransomware attacks can happen at any time and can deal a heavy blow to your company.

As they say, better to be safe than sorry. Choose to be safe from online dangers and request your quote today.


Sophos news.sophos.com/lockfile-ransomwares-box-of-tricks-intermittent-encryption-and-evasion/

ThreatPost threatpost.com/lockfile-ransomware-avoid-detection/


Feature Image: Image by Katie White from Pixabay

by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.