A new ransomware family that emerged last month comes with its own bag of tricks to bypass ransomware protection by leveraging a novel technique called "intermittent encryption."
Called LockFile, the operators of the ransomware have been found exploiting recently disclosed flaws such as ProxyShell and PetitPotam to compromise Windows servers and deploy file-encrypting malware that scrambles only every alternate 16 bytes of a file, thereby giving it the ability to evade ransomware defences.
"Partial encryption is generally used by ransomware operators to speed up the encryption process and we've seen it implemented by BlackMatter, DarkSide and LockBit 2.0 ransomware," Mark Loman, Sophos director of engineering, said in a statement. "What sets LockFile apart is that, unlike the others, it doesn't encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document."
"This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware protection software that relies on inspecting content using statistical analysis to detect encryption," Loman added.
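To make the statistical point concrete, here is an added detector-testing example (not from Sophos or the article): it stands in for "encryption" by overwriting every other 16-byte block of a constructed text document with seeded pseudo-random bytes, then shows that whole-file Shannon entropy stays well below the level a fully encrypted file reaches, while a per-block printable-byte check still flags roughly half the blocks as ciphertext-like. Block size, sample text, seed and the threshold of four non-printable bytes per block are assumptions for the demonstration.

```python
import math
import random
from collections import Counter

BLOCK = 16  # LockFile is described as encrypting every other 16-byte block
# Printable ASCII plus tab/newline/CR: baseline for a text-like document (assumption).
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# Constructed sample "document": plain ASCII text, truncated to 4096 bytes.
SAMPLE_TEXT = (b"Quarterly report: revenue grew 4% while costs held steady.\n" * 80)[:4096]


def simulate_intermittent(data: bytes, seed: int = 7) -> bytes:
    """Stand-in for the intermittent-encryption effect, for testing detectors only:
    odd-numbered 16-byte blocks are replaced with seeded pseudo-random bytes
    (mimicking ciphertext), even-numbered blocks are left intact and readable."""
    rng = random.Random(seed)
    out = bytearray(data)
    for off in range(BLOCK, len(data), 2 * BLOCK):
        out[off:off + BLOCK] = rng.randbytes(min(BLOCK, len(data) - off))
    return bytes(out)


def simulate_full(data: bytes, seed: int = 7) -> bytes:
    """Stand-in for a conventionally (fully) encrypted file of the same length."""
    return random.Random(seed).randbytes(len(data))


def shannon_entropy(data: bytes) -> float:
    """Whole-file byte entropy in bits (0..8): the classic 'is it encrypted?' heuristic."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def random_block_fraction(data: bytes, min_nonprintable: int = 4) -> float:
    """Fraction of 16-byte blocks that look like ciphertext, i.e. contain at least
    `min_nonprintable` bytes outside printable ASCII. Suited to text-like formats;
    binary formats would need a format-aware baseline instead of PRINTABLE."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    flagged = sum(1 for b in blocks if sum(x not in PRINTABLE for x in b) >= min_nonprintable)
    return flagged / len(blocks)


if __name__ == "__main__":
    for name, blob in (("plaintext", SAMPLE_TEXT),
                       ("intermittent", simulate_intermittent(SAMPLE_TEXT)),
                       ("full", simulate_full(SAMPLE_TEXT))):
        print(f"{name:13s} entropy={shannon_entropy(blob):.2f} "
              f"random_blocks={random_block_fraction(blob):.2f}")
```

The intermittently scrambled file lands around 7 bits of entropy, under the roughly 7.9 bits a fully encrypted file shows, so a whole-file threshold tuned for full encryption misses it; the per-block fraction jumps from 0 to about 0.5 and is the kind of signal a defender can add alongside the entropy check.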
Sophos' analysis of LockFile comes from an artifact that was uploaded to VirusTotal on August 22, 2021.
Once deposited, the malware also takes steps to terminate critical processes associated with virtualization software and databases via the Windows Management Interface (WMI), before proceeding to encrypt critical files and objects, and display a ransomware note that bears stylistic similarities with that of LockBit 2.0.
The ransom note also urges the victim to contact a specific email address "[email protected]," which Sophos suspects could be a derogatory reference to a competing ransomware group called Conti.
What's more, the ransomware deletes itself from the system after successful encryption of all the documents on the machine, meaning that "there is no ransomware binary for incident responders or antivirus software to find or clean up."
"The message here for defenders is that the cyberthreat landscape never stands still, and adversaries will quickly seize every possible opportunity or tool to launch a successful attack," Loman said.
The disclosure comes as the U.S. Federal Bureau of Investigation (FBI) released a Flash report detailing the tactics of a new Ransomware-as-a-Service (RaaS) outfit known as Hive, consisting of a number of actors who are using multiple mechanisms to compromise enterprise networks, exfiltrate data and encrypt data on the networks, and attempt to collect a ransom in exchange for access to the decryption software.