LockFile Ransomware Uses Encryption to Avoid Detection
It’s not surprising that ransomware operators were quick to take advantage of the ProxyShell vulnerabilities discovered in Microsoft Exchange servers last April.
But a new group, the LockFile ransomware family, has been particularly adept at exploiting the ProxyShell flaws on unpatched, on-premises servers following their exploitation with PetitPotam NTLM relay attacks to gain control of a domain.
A hallmark of LockFile ransomware is intermittent encryption, which encrypts every 16 bytes of a file. That approach is a first for Sophos researchers whose analysis of LockFile was detailed in a blog post by Mark Loman, the security firm’s director of engineering for next-gen technologies. By using intermittent encryption, the ransomware can “evade detection by some ransomware protection solutions because an encrypted document looks statistically very similar to the unencrypted original,” he wrote.
Loman explained that “An unencrypted text file of 481 KB (say, a book) has a chi^2 score of 3850061. If the document was encrypted by DarkSide ransomware, it would have a chi^2 score of 334—which is a clear indication that the document has been encrypted. If the same document is encrypted by LockFile ransomware, it would still have a significantly high chi^2 score of 1789811.”
That observation comes to the dismay of security pros. “Every time we come up with a defense against ransomware, attackers manage to counteract it in some way,” said Saryu Nayyar, CEO at Gurucul. “In this case, the LockFile ransomware just encrypts small portions of files, enough to render them unreadable, but not enough to make it immediately apparent that there’s a problem.”
The novel ransomware also follows in the footsteps of other popular scourges like Maze and WastedLocker by encrypting files using memory-mapped input/output (I/O). “This technique allows the ransomware to transparently encrypt cached documents in memory and causes the operating system to write the encrypted documents, with minimal disk I/O that detection technologies would spot,” Loman said.
What’s more, the ransomware can operate under the radar because it does not need to connect to a command and control center to communicate, the researchers noted, adding that the ransomware closely resembles LockBit 2.0 HTA ransom notes. It also renames encrypted documents using lower case letters and tacks on a .lockfile file extension.
“The LockFile Ransomware is a clever design in the cat-and-mouse game of ransomware defense,” said HayStack Solutions CEO Doug Britton. “The analysis of defense measures with eloquent bypass and ‘remove all trace’ efforts show how hackers work to remain a step ahead of protections by specifically exploiting design.”
LockFile has other tricks up its sleeves to evade detection as well, including self-deletion via a PING command, which makes analysis difficult.
“This means that after the ransomware attack, there is no ransomware binary for incident responders or antivirus software to find or clean up,” Loman wrote.
“This makes it critical to detect attacks that change files as quickly as possible. Knowing when there is unauthorized access is the only way of identifying this type of ransomware,” said Nayyar. “You need analytics that are evaluated in real time in order to determine that there is a problem before it becomes irreversible.”
Noting that “with critical systems and information at stake this highlights the overwhelming need to scale critical cyber defenses, which includes sharply increasing the number of qualified cyber leaders in our organizations,” Britton said, the industry needs “to dramatically increase our pipeline of talent entering and expanding the cyber workforce. We have the tools to find cyber talent regardless of background.”
Britton added, “We need to collectively take action to leverage these tools and accelerate the talent development needed to address this latest evolution of ransomware attack as well as the issues yet to be discovered.”
