Lockfile Ransomware is a Scary New Threat: Like Nothing We Have Seen Before
Table of Contents
- By Dawna M. Roberts
- Published: Oct 14, 2021
- Last Updated: Mar 18, 2022
Almost daily, there are dozens of stories in the news about hackers finding new ways to break into networks and evade detection. The latest is LockFile ransomware which is doing something we’ve never seen before.
What is Going On?
Sophos Labs recently discovered attacks exploiting ProxyShell vulnerabilities in Microsoft Exchange servers. The unique part is that the LockFile ransomware is using “intermittent encryption” to evade detection.
Threatpost explains,
“Discovered by researchers at Sophos, LockFile ransomware encrypts every 16 bytes of a file, which means some ransomware protection solutions don’t notice it because “an encrypted document looks statistically very similar to the unencrypted original,” Mark Loman, director, engineering, for next-gen technologies at Sophos, wrote in a report on LockFile published last week.”
The intermittent encryption is something researchers haven’t seen before, and it works well so that the operating system and security software do not detect a problem until it’s too late.
Threatpost says,
“The way it works is that the ransomware exploits vulnerable ProxyShell flaws and then uses a PetitPotam NTLM relay attack to seize control of a victim’s domain. In this type of attack, a threat actor uses Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) to connect to a server, hijack the authentication session, and manipulate the results such that the server then believes the attacker has a legitimate right to access it.”
These hackers are also using other tactics to avoid detection, such as not connecting to a command-and-control center while installing malware and encryption of files.
“Like WastedLocker and Maze ransomware, LockFile ransomware uses memory-mapped input/output (I/O) to encrypt a file,” Loman wrote in the report.
“This technique allows the ransomware to transparently encrypt cached documents in memory and causes the operating system to write the encrypted documents, with minimal disk I/O that detection technologies would spot.”
After encryption, LockFile renames all document files with lowercase letters and adds a .lockfile extension. The ransomware also includes an HTML-format ransom note that is reminiscent of LockBit 2.0.
Threat researchers at Sophos explain, “In its ransom note, the LockFile adversary asks victims to contact a specific e-mail address: contact[@]contipauper.com,” they said, adding that the domain name—which seems to have been created on Aug. 16–appears to be a “derogatory reference” to the Conti Gang, a still-active and competing ransomware group.
What is Intermittent Encryption?
What sets LockFile apart from other types of ransomware is not just the intermittent encryption (also used by DarkSide and BlackMatter) but the way it does it.
“What sets LockFile apart is that it doesn’t encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document. This means that a text document, for instance, remains partially readable.”
Researchers explain that this technique can elude security software that uses “chi-squared (chi^2)” technology by confusing it, thus getting away with encryption without detection.
Threatpost explains this in detail,
“An unencrypted text file of 481 KB (say, a book) has a chi^2 score of 3850061,” Loman explained. “If the document was encrypted by DarkSide ransomware, it would have a chi^2 score of 334 – which is a clear indication that the document has been encrypted. If the same document is encrypted by LockFile ransomware, it would still have a significantly high chi^2 score of 1789811.”
Even more alarmingly, once all the files have been encrypted, the LockFile ransomware deletes itself completely, leaving no trace for threat researchers to find. “This means that after the ransomware attack, there is no ransomware binary for incident responders or antivirus software to find or clean up.”
