A new ransomware family that emerged last month comes with its own bag of tricks to bypass ransomware protection by leveraging a novel technique called "intermittent encryption."
Called LockFile, the operators of the ransomware have been found exploiting recently disclosed flaws such as ProxyShell and PetitPotam to compromise Windows servers and deploy file-encrypting malware that scrambles only every alternate 16 bytes of a file, thereby giving it the ability to evade ransomware defences.
"Partial encryption is generally used by ransomware operators to speed up the encryption process and we've seen it implemented by BlackMatter, DarkSide and LockBit 2.0 ransomware," Mark Loman, Sophos director of engineering, said in a statement. "What sets LockFile apart is that, unlike the others, it doesn't encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document."
"This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware protection software that relies on inspecting content using statistical analysis to detect encryption," Loman added.
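The following is an added illustration, not code from the article or from Sophos, of why whole-file statistical checks miss this pattern and how a detector can compensate. It builds a constructed plaintext, replaces every other 16-byte block with seeded pseudo-random bytes to mimic the statistical profile of intermittently encrypted output (no real cipher or key is modelled, and which block phase LockFile encrypts is an assumption), then compares Shannon entropy over the whole file against entropy computed separately over the even and odd 16-byte block phases. The 7.5-bit threshold is an assumed value typical of entropy-based encryption heuristics, not something the article states.

```python
import math
import random
from collections import Counter

BLOCK = 16  # block size quoted in the article


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for a constant stream, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def simulate_intermittent_encryption(plaintext: bytes, block: int = BLOCK, seed: int = 7) -> bytes:
    """Test fixture: overwrite every odd-numbered block (offsets 16, 48, ...) with
    seeded pseudo-random bytes. This only reproduces the statistical shape of
    'every other 16 bytes encrypted'; it is not an encryption routine."""
    rng = random.Random(seed)
    out = bytearray(plaintext)
    for off in range(block, len(out), 2 * block):
        chunk_len = min(block, len(out) - off)
        out[off:off + chunk_len] = bytes(rng.getrandbits(8) for _ in range(chunk_len))
    return bytes(out)


def entropy_by_block_phase(data: bytes, block: int = BLOCK) -> tuple[float, float]:
    """Gather the bytes of even-numbered blocks and odd-numbered blocks into two
    streams and return the entropy of each. An encrypted phase stands out even
    when the file as a whole still looks like mostly-readable text."""
    even, odd = bytearray(), bytearray()
    for i in range(0, len(data), block):
        (even if (i // block) % 2 == 0 else odd).extend(data[i:i + block])
    return shannon_entropy(bytes(even)), shannon_entropy(bytes(odd))


def looks_encrypted(data: bytes, threshold: float = 7.5, block: int = BLOCK) -> dict:
    """Run both heuristics and report what each one would flag."""
    whole = shannon_entropy(data)
    phase_even, phase_odd = entropy_by_block_phase(data, block)
    return {
        "whole_file_entropy": whole,
        "whole_file_flagged": whole >= threshold,
        "phase_entropies": (phase_even, phase_odd),
        "phase_flagged": max(phase_even, phase_odd) >= threshold,
    }


# Constructed sample document (~4 KB of ordinary English text).
SAMPLE_TEXT = (
    b"Quarterly report: revenue grew in every region, while operating costs "
    b"remained flat. The board approved the budget for the coming fiscal year.\n"
) * 30


if __name__ == "__main__":
    damaged = simulate_intermittent_encryption(SAMPLE_TEXT)
    print("clean file:   ", looks_encrypted(SAMPLE_TEXT))
    print("damaged file: ", looks_encrypted(damaged))
```

Run as a script, the whole-file entropy of the damaged file lands well under 7.5 bits because half of every 32 bytes is still plaintext, so a naive check passes it; the odd-phase stream alone is close to 8 bits and is flagged. A detector that only ever sees the file as one stream therefore needs either a stride-aware split like this one or a complementary signal (process behaviour, file-write patterns, honeyfile changes) to catch partial encryption.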
Sophos' analysis of LockFile comes from an artifact that was uploaded to VirusTotal on August 22, 2021.
Once deposited, the malware also takes steps to terminate critical processes associated with virtualization software and databases via the Windows Management Interface (WMI), before proceeding to encrypt critical files and objects, and display a ransom note that bears stylistic similarities with that of LockBit 2.0.
The ransom note also urges the victim to contact a specific email address, "email@example.com," which Sophos suspects could be a derogatory reference to a competing ransomware group called Conti.
What's more, the ransomware deletes itself from the system after successful encryption of all the documents on the machine, meaning that "there is no ransomware binary for incident responders or antivirus software to find or clean up."
"The message here for defenders is that the cyberthreat landscape never stands still, and adversaries will quickly seize every possible opportunity or tool to launch a successful attack," Loman said.
The disclosure comes as the U.S. Federal Bureau of Investigation (FBI) released a Flash report detailing the tactics of a new Ransomware-as-a-Service (RaaS) outfit known as Hive, consisting of a number of actors who are using multiple mechanisms to compromise business networks, exfiltrate data and encrypt data on the networks, and attempt to collect a ransom in exchange for access to the decryption software.