A new ransomware family that emerged last month comes with its own bag of tricks to bypass ransomware protection by leveraging a novel technique called "intermittent encryption."
Called LockFile, the operators of the ransomware have been found exploiting recently disclosed flaws such as ProxyShell and PetitPotam to compromise Windows servers and deploy file-encrypting malware that scrambles only every alternate 16 bytes of a file, thereby giving it the ability to evade ransomware defences.
"Partial encryption is generally used by ransomware operators to speed up the encryption process and we've seen it implemented by BlackMatter, DarkSide and LockBit 2.0 ransomware," Mark Loman, Sophos director of engineering, said in a statement. "What sets LockFile apart is that, unlike the others, it doesn't encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document."
"This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware protection software that relies on inspecting content using statistical analysis to detect encryption," Loman added.
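As an added illustration (not Sophos's analysis code and not LockFile's own), the following Python simulates the every-other-16-bytes pattern described above on a constructed text file and shows the defensive side of the problem: a single whole-file entropy figure lands somewhere between plaintext and full encryption, whereas measuring the two interleaved strides of 16-byte blocks separately exposes the pattern. The XOR keystream stands in for the real cipher, the thresholds in `classify` are assumptions rather than any product's rules, and which of the two strides LockFile scrambles first is not stated in the article, so the simulation starts with the first block.

```python
import math
import random
from collections import Counter
from typing import Tuple

BLOCK = 16  # granularity reported for LockFile: every other 16-byte block


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def simulate_intermittent_encryption(data: bytes, keystream: bytes) -> bytes:
    """Constructed simulation of the scheme the article describes: one of the
    two interleaved strides of 16-byte blocks is scrambled, the other is left
    intact. XOR with a random keystream is an assumption standing in for the
    real cipher; the byte-level statistics are what matter here."""
    out = bytearray(data)
    for start in range(0, len(data), 2 * BLOCK):
        for i in range(start, min(start + BLOCK, len(data))):
            out[i] ^= keystream[i]
    return bytes(out)


def simulate_full_encryption(data: bytes, keystream: bytes) -> bytes:
    """Same stand-in cipher applied to every byte, for comparison."""
    return bytes(a ^ b for a, b in zip(data, keystream))


def stride_entropies(data: bytes) -> Tuple[float, float]:
    """Entropy of the even-indexed 16-byte blocks and of the odd-indexed blocks
    measured separately, so a scheme that scrambles only one stride cannot
    hide behind the untouched one."""
    even = b"".join(data[i:i + BLOCK] for i in range(0, len(data), 2 * BLOCK))
    odd = b"".join(data[i + BLOCK:i + 2 * BLOCK] for i in range(0, len(data), 2 * BLOCK))
    return shannon_entropy(even), shannon_entropy(odd)


def classify(data: bytes, high: float = 7.0, low: float = 6.0) -> str:
    """Illustrative decision rule (thresholds are assumptions): returns
    'plaintext', 'encrypted' or 'intermittent' from the two stride entropies."""
    strides = stride_entropies(data)
    high_strides = sum(h >= high for h in strides)
    low_strides = sum(h <= low for h in strides)
    if high_strides == 2:
        return "encrypted"
    if high_strides == 1 and low_strides == 1:
        return "intermittent"
    return "plaintext"


# Constructed sample input: a repetitive office-style text of 3904 bytes
# (a multiple of 32, so every block pair is complete).
SAMPLE_TEXT = b"Quarterly report: revenue rose 4% while costs fell slightly. " * 64
# Deterministic keystream so the demonstration is reproducible.
_rng = random.Random(2021)
KEYSTREAM = bytes(_rng.getrandbits(8) for _ in range(len(SAMPLE_TEXT)))


def demo() -> dict:
    """Whole-file entropy and classification for the three cases."""
    cases = {
        "plaintext": SAMPLE_TEXT,
        "intermittent": simulate_intermittent_encryption(SAMPLE_TEXT, KEYSTREAM),
        "full": simulate_full_encryption(SAMPLE_TEXT, KEYSTREAM),
    }
    return {
        name: (round(shannon_entropy(blob), 2), stride_entropies(blob), classify(blob))
        for name, blob in cases.items()
    }


if __name__ == "__main__":
    for name, (whole, (even_h, odd_h), verdict) in demo().items():
        print(f"{name:12s} whole={whole:.2f} even={even_h:.2f} odd={odd_h:.2f} -> {verdict}")
```

Running the block prints one line per case; the intermittent file's whole-file entropy sits between the plaintext and the fully encrypted file, so a detector that applies one threshold to the whole content can miss it, while its two stride entropies differ by several bits and the verdict comes out as "intermittent".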
Sophos' analysis of LockFile comes from an artifact that was uploaded to VirusTotal on August 22, 2021.
Once deposited, the malware also takes steps to terminate critical processes associated with virtualization software and databases via the Windows Management Interface (WMI), before proceeding to encrypt critical files and objects, and display a ransomware note that bears stylistic similarities with that of LockBit 2.0.
The ransom note also urges the victim to contact a specific email address "firstname.lastname@example.org," which Sophos suspects could be a derogatory reference to a competing ransomware group called Conti.
What's more, the ransomware deletes itself from the system after successful encryption of all the documents on the machine, meaning that "there is no ransomware binary for incident responders or antivirus software to find or clean up."
"The message here for defenders is that the cyberthreat landscape never stands still, and adversaries will quickly seize every possible opportunity or tool to launch a successful attack," Loman said.
The disclosure comes as the U.S. Federal Bureau of Investigation (FBI) released a Flash report detailing the tactics of a new Ransomware-as-a-Service (RaaS) outfit called Hive, consisting of a number of actors who are using multiple mechanisms to compromise business networks, exfiltrate data and encrypt data on the networks, and attempt to collect a ransom in exchange for access to the decryption software.