A new ransomware variant has been making the rounds in the cyberthreat landscape. Security researchers at Sophos have uncovered a ransomware family dubbed LockFile that targets victims with a new kind of intermittent encryption technique. The researchers report that LockFile operators exploit recently disclosed vulnerabilities, including ProxyShell and PetitPotam, to compromise Microsoft Exchange servers and deploy the malware.
LockFile Intermittent Encryption
The researchers stated that LockFile ransomware encrypts every 16 bytes of a file with its intermittent encryption technique, which helps it evade security detection. LockFile also uses memory-mapped input/output (I/O) to encrypt files, which lets the attackers stealthily encrypt documents cached in the compromised system’s memory; the encrypted files are then renamed to lower case and given a .lockfile extension.
After encrypting all the documents on the infected device, LockFile deletes itself with the command `cmd /c ping 127.0.0.1 -n 5 && del "C:\Users\Mark\Desktop\LockFile.exe" && exit`, so there is no ransomware binary left on disk for incident responders or antivirus software to find or clean up.
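The delayed self-delete command above (a ping used as a sleep, followed by deletion of an executable) is a pattern a defender can look for in process-creation telemetry. The following is an added example, not Sophos tooling or anything from the LockFile sample itself: it scans constructed command-line log records in an assumed `pid|image|command line` format and returns the process and the path it tried to delete. The log lines are constructed for this example; the only real value in them is the command quoted in the article.

```python
"""Flag command lines that match the "ping as a delay, then del <exe>" self-delete pattern.

Added example for this article; not Sophos code. The record format
"pid|image|command line" and the sample lines are assumptions.
"""
import re

# Match: ping <args containing -n N> ... && del "<path>.exe"
# Case-insensitive so that "PING ... && DEL ..." is caught too.
SELF_DELETE = re.compile(
    r'ping\b[^&]*?-n\s+\d+[^&]*&&\s*del\b\s+"?(?P<target>[^"&]+?\.exe)"?',
    re.IGNORECASE,
)

# Constructed log records (the first command line is the one quoted in the article).
LOG_LINES = [
    "4120|C:\\Windows\\System32\\cmd.exe|cmd /c ping 127.0.0.1 -n 5 && del \"C:\\Users\\Mark\\Desktop\\LockFile.exe\" && exit",
    "4210|C:\\Windows\\System32\\ping.exe|ping -n 4 10.0.0.5",
    "4300|C:\\Windows\\System32\\cmd.exe|cmd /c del C:\\Temp\\old_report.txt",
    "4444|C:\\Windows\\System32\\cmd.exe|CMD /C PING localhost -n 3 > nul && DEL C:\\ProgramData\\updater.exe",
]


def find_self_delete(lines):
    """Return (pid, deleted_path) for every record whose command line matches the pattern."""
    hits = []
    for line in lines:
        pid, _image, cmdline = line.split("|", 2)
        match = SELF_DELETE.search(cmdline)
        if match:
            hits.append((pid, match.group("target").strip()))
    return hits


if __name__ == "__main__":
    for pid, path in find_self_delete(LOG_LINES):
        print(f"pid {pid}: delayed self-delete of {path}")
```

A plain ping or a plain del is not flagged on its own; the rule requires the chained `&&` with a `-n` delay, which keeps it from firing on routine administration while still catching case and argument-order variations.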
Similarities with Other Players
Like WastedLocker and Maze ransomware, the operators behind LockFile use memory-mapped I/O to encrypt compromised files. The researchers also found that LockFile’s ransom note closely resembles that of LockBit 2.0 ransomware.
“The notable feature of this ransomware is not the fact that it implements partial encryption. LockBit 2.0, DarkSide and BlackMatter ransomware, for example, are all known to encrypt only part of the documents they attack (in their case the first 4,096 bytes, 512 KB and 1 MB respectively), just to finish the encryption stage of the attack faster. What sets LockFile apart is that it doesn’t encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document. This means that a text document, for instance, remains partially readable,” said Mark Loman, Sophos director of engineering.
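The alternating 16-byte pattern described in the section above and in Mark Loman’s quote has a consequence for defenders: a partially encrypted text file looks neither like plaintext nor like a fully encrypted blob, so whole-file entropy checks can miss it. The following is an added example, not Sophos code and not LockFile’s own logic: it profiles a file in 16-byte blocks, compares how text-like the even-indexed blocks are against the odd-indexed ones, and classifies the file. The sample document is constructed, and the “simulated” input simply overwrites every other block with seeded pseudo-random bytes to stand in for the pattern; it does not implement any cipher.

```python
"""Heuristic classifier for intermittently encrypted text files.

Added example for this article; not Sophos code and not LockFile's
implementation. Assumes the 16-byte block size the article describes
and the "every other block" pattern from the quoted statement.
"""
import random

BLOCK = 16  # block size described in the article
# Bytes we treat as plausible text: printable ASCII plus tab, LF and CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def printable_ratio(chunk: bytes) -> float:
    """Fraction of bytes in a chunk that look like text."""
    return sum(b in PRINTABLE for b in chunk) / len(chunk)


def parity_profile(data: bytes, block: int = BLOCK):
    """Mean printable ratio of even-indexed blocks and of odd-indexed blocks."""
    usable = len(data) - len(data) % block  # drop a trailing partial block
    blocks = [data[i:i + block] for i in range(0, usable, block)]
    even = [printable_ratio(b) for b in blocks[0::2]]
    odd = [printable_ratio(b) for b in blocks[1::2]]
    return sum(even) / len(even), sum(odd) / len(odd)


def classify(data: bytes, block: int = BLOCK, min_blocks: int = 8) -> str:
    """Return 'plaintext', 'scrambled', 'intermittent' or 'unknown' (too small to judge)."""
    if len(data) < min_blocks * block:
        return "unknown"
    even_mean, odd_mean = parity_profile(data, block)
    if abs(even_mean - odd_mean) > 0.4:
        return "intermittent"  # one parity class readable, the other not
    if min(even_mean, odd_mean) > 0.9:
        return "plaintext"
    return "scrambled"  # fully encrypted, compressed, or a binary format


def simulate_alternate_blocks(data: bytes, block: int = BLOCK, seed: int = 7) -> bytes:
    """Constructed test input: replace every odd-indexed block with pseudo-random bytes."""
    rng = random.Random(seed)
    out = bytearray(data)
    for start in range(block, len(out) - block + 1, 2 * block):
        out[start:start + block] = bytes(rng.getrandbits(8) for _ in range(block))
    return bytes(out)


def full_scramble(data: bytes, seed: int = 7) -> bytes:
    """Constructed test input: replace the whole buffer with pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(len(data)))


# Constructed sample document (about 1.1 KB, 72 blocks of 16 bytes).
SAMPLE_TEXT = b"Quarterly report: revenue, costs and headcount by region.\n" * 20


if __name__ == "__main__":
    print("original   :", classify(SAMPLE_TEXT))
    print("alternating:", classify(simulate_alternate_blocks(SAMPLE_TEXT)))
    print("scrambled  :", classify(full_scramble(SAMPLE_TEXT)))
```

The check only makes sense for formats that are text-like to begin with; compressed or already-binary files land in “scrambled” regardless, so in practice the classifier would be run on files whose extension or magic bytes indicate text, or on the known plaintext portions of an office document.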
Emerging Ransomware Groups
Infamous ransomware groups such as LockBit 2.0, DarkSide, and BlackMatter have caused severe damage to organizations globally. The LockBit 2.0 gang is considered one of the emerging ransomware groups, along with AvosLocker, Hive, and HelloKitty, that have the potential to become prevalent threats in the future. It is high time governments and organizations collectively disrupt these new ransomware groups before they cause damage to nations’ critical digital assets.