Researchers from Sophos have analyzed the LockFile ransomware and revealed that it uses a unique encryption technique to bypass ransomware protection solutions. LockFile ransomware, known for exploiting Microsoft Exchange Server ProxyShell vulnerabilities since at least July 2021, has also started exploiting the PetitPotam NTLM relay vulnerability.

Sophos analyzed a sample obtained from VirusTotal, which was packed twice with the UPX packer.

“The notable feature of this ransomware is not the fact that it implements partial encryption. LockBit 2.0, DarkSide and BlackMatter ransomware, for example, are all known to encrypt only part of the documents they attack (in their case the first 4,096 bytes, 512 KB and 1 MB respectively) just to finish the encryption stage of the attack faster,” reads the blog post.

One interesting feature of this ransomware is that, unlike traditional ransomware, it does not encrypt the first few blocks of a file. Instead it encrypts alternating 16-byte blocks of a document, which leaves the document partially readable.
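Why this layout matters to defenders: a heuristic that scores the entropy of a whole file sees a middle value rather than the near-8.0 bits per byte of a fully encrypted file, while a block-by-block check recovers the alternating pattern. The following Python is an added illustration, not code from Sophos or from this article; the sample document is constructed here, and the ciphertext blocks are simulated with random bytes rather than any real cipher.

```python
import math
import random
from collections import Counter

BLOCK = 16  # block granularity described in the Sophos analysis

def shannon_entropy(data: bytes) -> float:
    """Whole-buffer entropy in bits per byte, the metric many ransomware
    heuristics apply to a file as a single unit."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def is_opaque(block: bytes, min_printable: float = 0.8) -> bool:
    """A 16-byte block of ASCII text is almost entirely printable, while random-looking
    ciphertext is only ~38% printable; 16 bytes are too few for a per-block entropy reading."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in block)
    return printable / len(block) < min_printable

def alternation_score(data: bytes, block: int = BLOCK) -> float:
    """Fraction of neighbouring block pairs where exactly one block is opaque.
    Every-other-block encryption pushes this toward 1.0; plain text and a fully encrypted file stay near 0.0."""
    usable = len(data) - len(data) % block
    flags = [is_opaque(data[i:i + block]) for i in range(0, usable, block)]
    if len(flags) < 2:
        return 0.0
    return sum(a != b for a, b in zip(flags, flags[1:])) / (len(flags) - 1)

def simulate_intermittent(plain: bytes, rng: random.Random, block: int = BLOCK) -> bytes:
    """Constructed sample: overwrite every other block with random bytes to mimic
    the ciphertext layout only (this is not LockFile's cipher)."""
    out = bytearray(plain)
    for i in range(block, len(out) - block + 1, 2 * block):
        out[i:i + block] = bytes(rng.getrandbits(8) for _ in range(block))
    return bytes(out)

# Constructed plaintext document (68 blocks) and a fixed seed so the demo is reproducible.
SAMPLE_DOC = b"Quarterly report: revenue grew 12% while operating costs held flat. " * 16
RNG = random.Random(2021)

def demo() -> dict:
    partial = simulate_intermittent(SAMPLE_DOC, RNG)
    full = bytes(RNG.getrandbits(8) for _ in range(len(SAMPLE_DOC)))
    return {
        "plain_entropy": shannon_entropy(SAMPLE_DOC),
        "partial_entropy": shannon_entropy(partial),  # lands between text and full
        "full_entropy": shannon_entropy(full),
        "plain_score": alternation_score(SAMPLE_DOC),
        "partial_score": alternation_score(partial),  # close to 1.0
        "full_score": alternation_score(full),
    }
```

The printable-ratio test assumes ASCII text documents; binary formats such as compressed Office files need a format-aware baseline instead.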

The animated image below compares the original document with the encrypted one.

Source: Sophos

Once encryption is complete on the victim machine, the ransomware deletes itself using the command below.

cmd /c ping 127.0.0.1 -n 5 && del "C:\Users\Mark\Desktop\LockFile.exe" && exit

“The PING command sends five ICMP messages to the localhost (i.e., itself), and this is simply intended as a five second sleep to allow the ransomware process to close itself before executing the DEL command to delete the ransomware binary. This means that after the ransomware attack, there is no ransomware binary for incident responders or antivirus software to find or clean up,” reads the blog post.

For more cyber security news in crisp form, please follow our site via the Twitter handle @cyberworkx1 and on LinkedIn.
