September 22, 2023

A new ransomware family that emerged and comes with its own bag of tricks to bypass ransomware protection by leveraging a novel technique called “intermittent encryption.” dubbed LockFile, the operators of the ransomware have been found exploiting recently disclosed flaws such as ProxyShell and PetitPotam to compromise Windows servers and deploy file-encrypting malware.

Partial encryption is used by ransomware operators to speed up the encryption process and seen it implemented by BlackMatter, DarkSide and LockBit 2.0 ransomware. Unlike others, it doesn’t encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document.

This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware protection software that relies on inspecting content using statistical analysis to detect encryption.

Malware takes steps to terminate critical processes associated with virtualization software and databases via WMI, before proceeding to encrypt critical files and objects, and display a ransomware note that bears stylistic similarities with that of LockBit 2.0.

Ransom Note

The ransomware deletes itself from the system post successful encryption of all the documents on the machine.

The message here for defenders is that the cyberthreat landscape never stands still, and adversaries will quickly seize every possible opportunity or tool to launch a successful attack. Be Vigilant and cautious.

Tags:

Leave a Reply

You may have missed

T-Mobile and Data Breach tightly coupled

September 21, 2023

Cisco Acquires Splunk in a blockbuster deal

September 21, 2023

Atlassian BitBucket and Confluence Vulnerabilities

September 21, 2023

Snatch ransomware Dissection

September 21, 2023

Fortinet Fixes Vulnerabilities in FortiOS

September 20, 2023

Trend Micro Endpoint Vulnerability – CVE-2023-41179

September 20, 2023
%d bloggers like this: