TechTogether Global is a leading provider of security updates and information
LockFile is a new ransomware family used by a cybergang that spreads by exploiting the ProxyShell vulnerabilities in Microsoft Exchange Server. It uses several evasion techniques to trick protection systems, including intermittent encryption.
What is LockFile ransomware?
LockFile ransomware appeared this year and is the latest way cybercriminals try to evade detection by anti-malware solutions. It has spread steadily since July and has affected many victims. The ransomware exploits recent flaws (Exchange Server and PetitPotam) and uses various tricks to make detection harder. One example is “intermittent encryption”, a technique identified by Sophos experts: it encrypts only part of each file, which also speeds up the encryption.
Improved intermittent encryption
According to Sophos experts, intermittent encryption is not an absolute novelty, which is why LockFile does not hesitate to revisit techniques that have already proven themselves. However, unlike other ransomware such as BlackMatter, DarkSide, or LockBit 2.0, LockFile takes a different approach.
With intermittent encryption, part of the data remains in clear text: the ransomware only needs to encrypt a portion of a file to make it unusable for the user.
LockFile's procedure encrypts each file only partially, leaving alternating encrypted and unencrypted 16-byte blocks within the file. The result skews the statistical analysis that protection tools rely on to recognise encrypted content.
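To see why a whole-file statistic misses this pattern, here is an added detection example (not code from the article or from Sophos) that measures entropy separately over the even and odd 16-byte blocks; the sample document, the threshold values and the scrambling stand-in for ciphertext are constructed assumptions.

```python
import math
import random
from collections import Counter

BLOCK = 16  # alternation unit described in the article


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def strided_entropy(data: bytes, block: int = BLOCK):
    """Entropy of the even-numbered blocks and of the odd-numbered blocks,
    measured separately so an alternating pattern cannot average itself out."""
    even = b"".join(data[i:i + block] for i in range(0, len(data), 2 * block))
    odd = b"".join(data[i:i + block] for i in range(block, len(data), 2 * block))
    return shannon_entropy(even), shannon_entropy(odd)


def looks_intermittently_encrypted(data: bytes, block: int = BLOCK,
                                   high: float = 7.0, gap: float = 2.0) -> bool:
    """Flag a file when one stride is near-random while the other is not.
    The thresholds are assumptions; tune them on your own file population."""
    e_even, e_odd = strided_entropy(data, block)
    return max(e_even, e_odd) >= high and abs(e_even - e_odd) >= gap


# Constructed sample: a low-entropy document. Pseudo-random bytes below stand in
# for ciphertext so the detector can be exercised; nothing is really encrypted.
SAMPLE_TEXT = b"Quarterly report: revenue grew in every region; see table 3. " * 200


def simulate_partial_scramble(data: bytes, block: int = BLOCK,
                              stride: int = 2, seed: int = 1) -> bytes:
    """Overwrite every `stride`-th block with random bytes: stride=2 models the
    alternating pattern, stride=1 models a fully encrypted file."""
    rng = random.Random(seed)
    out = bytearray(data)
    for i in range(0, len(out), stride * block):
        out[i:i + block] = bytes(rng.getrandbits(8) for _ in out[i:i + block])
    return bytes(out)


if __name__ == "__main__":
    partial = simulate_partial_scramble(SAMPLE_TEXT)
    print("whole-file entropy:", round(shannon_entropy(partial), 2))  # middling, easy to miss
    print("per-stride entropy:", [round(e, 2) for e in strided_entropy(partial)])
    print("flagged:", looks_intermittently_encrypted(partial))
```

The whole-file entropy of the partially scrambled sample sits well below that of its random stride, which is exactly the gap the alternating layout exploits.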
Avoidance techniques used by LockFile
Evasion begins with the executable itself. To thwart security solutions, the LockFile binary has been designed to be both packed and malformed: it consists of a first section filled with zeros, followed by a second section containing encoded data. Three functions placed at the very end decode the second section into the zero-filled first section and then run the resulting code.
To release the locks that applications hold on files such as databases, virtual machines, or configuration files, LockFile uses the Windows WMI management interface to find and terminate critical processes belonging to business applications: Hyper-V and VMware VMs, Oracle environments (VM VirtualBox, MTS Recovery Service, RDBMS kernel, TNS Listener), Microsoft SQL Server, and the MySQL database.
To fool protection systems, LockFile uses another trick, this time in its modus operandi. Instead of modifying a file directly on disk, it first maps the file into system memory. Once the change has been made in memory, it relies on the Windows system process to commit the changes to disk. These writes then appear as input/output operations performed by the OS rather than by a potentially suspicious process.