Researchers from Sophos analyzed the LockFile ransomware and found that it uses an unusual encryption technique to evade ransomware protection solutions. LockFile, which has been exploiting the Microsoft Exchange ProxyShell vulnerabilities since at least July 2021, has also started exploiting the PetitPotam NTLM relay vulnerability.
Sophos based its analysis on a sample obtained from VirusTotal, which was packed twice with the UPX packer.
“The notable feature of this ransomware is not the fact that it implements partial encryption. LockBit 2.0, DarkSide and BlackMatter ransomware, for example, are all known to encrypt only part of the documents they attack (in their case the first 4,096 bytes, 512 KB and 1 MB respectively), just to finish the encryption stage of the attack faster,” reads the blog post.
What sets LockFile apart is that it does not encrypt a contiguous prefix of each file the way those families do. Instead it encrypts alternating 16-byte blocks, leaving every other block as plaintext, so an encrypted document remains partially readable. Because half of each file keeps its original byte distribution, the result looks far less like random data than a fully encrypted file, which is what lets it slip past protection tools that decide whether a file has been encrypted from its byte statistics.
The animated image in the original post compares the original document with its encrypted version.
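To make the effect concrete, the following added example (written for this page, not code from Sophos or from the LockFile sample) encrypts a constructed text file two ways: conventionally, and in the alternating-16-byte-block style described above. It then computes the two statistics that file-content-based ransomware detectors commonly use, Shannon entropy and a chi-squared test against a uniform byte distribution, plus the fraction of bytes that are still printable text. The cipher is a stand-in: the article does not name LockFile's cipher, so a SHA-256 counter-mode keystream XORed over the data is used here only to produce random-looking ciphertext. The sample document and key are constructed for the demo.

```python
import hashlib
import math
from collections import Counter
from typing import Dict

BLOCK = 16  # LockFile encrypts in 16-byte units (per the Sophos analysis)

# Constructed sample document (not real data), ~2.8 KB of ordinary text.
SAMPLE_TEXT = (
    "Quarterly summary: revenue rose in every region and the board approved "
    "the expansion plan. Payroll, vendor contracts and audit notes follow.\n"
) * 20
KEY = b"demo-key-not-the-real-one"  # assumption: any fixed key works for the demo


def keystream(key: bytes, length: int) -> bytes:
    """SHA-256 in counter mode. Stand-in for the real cipher; it only needs
    to yield uniformly random-looking bytes for the statistics below."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_full(data: bytes, key: bytes) -> bytes:
    """Conventional whole-file encryption (XOR with the keystream)."""
    return xor_bytes(data, keystream(key, len(data)))


def encrypt_intermittent(data: bytes, key: bytes, block: int = BLOCK) -> bytes:
    """LockFile-style intermittent encryption: blocks 0, 2, 4, ... are
    XORed with the keystream, blocks 1, 3, 5, ... are left as plaintext.
    Because XOR is its own inverse, calling this again decrypts."""
    ks = keystream(key, len(data))
    out = bytearray(data)
    for start in range(0, len(data), 2 * block):
        end = min(start + block, len(data))
        out[start:end] = xor_bytes(data[start:end], ks[start:end])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is perfectly uniform, English text is around 4-5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_squared(data: bytes) -> float:
    """Chi-squared statistic against a uniform byte distribution (255 degrees
    of freedom). Random data scores near 255; text scores in the thousands."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def printable_fraction(data: bytes) -> float:
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def stats(data: bytes) -> Dict[str, float]:
    return {
        "entropy": shannon_entropy(data),
        "chi2": chi_squared(data),
        "printable": printable_fraction(data),
    }


def compare_encryption(plain: bytes, key: bytes) -> Dict[str, Dict[str, float]]:
    """Statistics for the plaintext, full encryption and intermittent encryption."""
    return {
        "plain": stats(plain),
        "full": stats(encrypt_full(plain, key)),
        "intermittent": stats(encrypt_intermittent(plain, key)),
    }


if __name__ == "__main__":
    for name, s in compare_encryption(SAMPLE_TEXT.encode(), KEY).items():
        print(f"{name:13s} entropy={s['entropy']:.2f} chi2={s['chi2']:9.1f} "
              f"printable={s['printable']:.2f}")
```

Running it shows the intermittent output sitting between the plaintext and the fully encrypted file on both metrics, with well over half of its bytes still printable: a detector tuned to flag the near-uniform statistics of conventional ransomware output has much less to work with.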
Once encryption on the victim machine is complete, the ransomware deletes itself with the following command:
cmd /c ping 127.0.0.1 -n 5 && del "C:\Users\Mark\Desktop\LockFile.exe" && exit
“The PING command sends five ICMP messages to the localhost (i.e., itself), and this is simply intended as a five second sleep to allow the ransomware process to close itself before executing the DEL command to delete the ransomware binary. This means that after the ransomware attack, there is no ransomware binary for incident responders or antivirus software to find or clean up,” reads the blog post.
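Since the binary removes itself, responders are left with process telemetry rather than a file to analyze, which makes the self-deletion command line itself a useful detection point. The following added example (written for this page, not from Sophos or any product) scans process-creation events for the "ping loopback as a sleep, then del an .exe" chain, and raises the severity when the deleted executable is the parent process that spawned the cmd.exe, i.e. a process deleting itself. The events are constructed mock records using Sysmon Event ID 1 field names (ParentImage, Image, CommandLine); the field names are an assumption about the log source, and the parsing of cmd.exe chains handles only the &&, &, || and | operators.

```python
import ntpath
import re
from typing import Dict, List, Optional

# Loopback targets commonly used for the "ping as sleep" trick.
LOOPBACK = re.compile(r"(?<![\w.])(?:127\.0\.0\.1|localhost|::1)(?![\w.])", re.I)
PING_COUNT = re.compile(r"-n\s+(\d+)", re.I)
# del/erase with optional switches (e.g. /q /f) followed by the target path.
DEL_CMD = re.compile(r"^(?:del|erase)\s+(?:/[a-z]+\s+)*(\"[^\"]+\"|\S+)", re.I)
# Strip a leading `cmd /c`, `cmd.exe /k`, or a full quoted cmd.exe path.
CMD_PREFIX = re.compile(r"^(?:\"?[^\"\s]*cmd(?:\.exe)?\"?\s+)?/[ck]\s+", re.I)


def split_chain(cmdline: str) -> List[str]:
    """Split a cmd.exe command line into its chained commands."""
    body = CMD_PREFIX.sub("", cmdline.strip())
    return [s.strip() for s in re.split(r"\s*(?:&&|\|\||&|\|)\s*", body) if s.strip()]


def detect_self_delete(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return a finding if the command line pings loopback with a count and
    then deletes an .exe; severity is 'high' when the target is the parent image."""
    segs = split_chain(event["CommandLine"])
    for i, seg in enumerate(segs):
        tokens = seg.split()
        if not tokens or tokens[0].lower() not in ("ping", "ping.exe"):
            continue
        count = PING_COUNT.search(seg)
        if count is None or not LOOPBACK.search(seg):
            continue
        for later in segs[i + 1:]:
            d = DEL_CMD.match(later)
            if not d:
                continue
            target = d.group(1).strip('"')
            if not target.lower().endswith(".exe"):
                continue
            parent = event.get("ParentImage", "")
            deletes_parent = (
                ntpath.basename(target).lower() == ntpath.basename(parent).lower()
            )
            return {
                "severity": "high" if deletes_parent else "medium",
                "target": target,
                "sleep_seconds": int(count.group(1)),  # roughly one echo per second
                "deletes_parent": deletes_parent,
            }
    return None


# Constructed mock Sysmon Event ID 1 records (not real telemetry).
SAMPLE_EVENTS = [
    {   # the LockFile cleanup command quoted in the article
        "ParentImage": r"C:\Users\Mark\Desktop\LockFile.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd /c ping 127.0.0.1 -n 5 && del "C:\Users\Mark\Desktop\LockFile.exe" && exit',
    },
    {   # benign connectivity check, no deletion
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd /c ping 8.8.8.8 -n 4",
    },
    {   # installer-style cleanup: same trick, but deletes a helper, not itself
        "ParentImage": r"C:\Users\Mark\AppData\Local\Temp\setup.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ping -n 3 localhost > nul & del /q C:\Users\Mark\AppData\Local\Temp\helper.exe',
    },
]


def scan(events: List[Dict[str, str]]) -> List[Optional[Dict[str, object]]]:
    return [detect_self_delete(e) for e in events]


if __name__ == "__main__":
    for event, finding in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(event["CommandLine"])
        print("  ->", finding)
```

The medium-severity branch exists because installers and updaters use the same ping-then-del idiom to remove temporary helpers, so matching the chain alone is noisy; the parent-image comparison is what separates LockFile's self-deletion from that routine cleanup.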