LockFile uses Intermittent File Encryption to bypass Protection

LockFile ransomware is back with new tricks to bypass ransomware protection through a tactic called intermittent encryption.

The actors of the ransomware recently exploited flaws such as Proxyshell and PetitPotam in order to compromise Windows servers and deploy file-encrypting malware, scrambling every alternate 16 bytes of a file. This gives it the ability to evade defences.

Mark Loman, Sophos director of engineering, pointed out that partial encryption is used by operators to speed up the encryption process. Earlier it has been implemented by BlackMatter, DarkSide, and LockBit ransomware. He added that LockFile is a bit different as it doesn’t encrypt the first few blocks, instead it encrypts every other 16 bytes. With this, a file looks like the original and is partially readable.

He also added that such a trick could prove to be successful against ransomware protection software that depends on examining content through statistical analysis for encryption detection.

Once deployed, before proceeding to encrypt critical files and objects, the malware dismisses processes linked to virtualization software and databases via the Windows Management Interface (WMI) and displays a ransomware note similar to LockBit 2.0. It urges the target to contact an email address.

Also, after successful encryption of all documents, the ransomware deletes itself from the system. Loman also pointed out that this has a clear message for the defenders that the cyberthreat arena is always functioning, and the attacker will make use of every possibility to launch an attack.

The revelation is a result of the U.S. Federal Bureau of Investigation (FBI) Flash report release, highlighting the techniques of Hive, which is a new Ransomware-as-a-Service (RaaS) outfit. It consists of a number of actors who make use of various mechanisms to compromise networks, get hold of data and encrypt the data to get a ransom to access the decryption software.