Ransomware uses encryption as cover

Sheila Zabeu

September 02, 2021

The new LockFile ransomware is using a method not seen before in ransomware attacks to claim more victims. Sophos researchers, who disclosed the technique, known as intermittent encryption, report that LockFile appears to exploit the ProxyShell vulnerabilities in Microsoft Exchange servers to breach systems that have not yet been patched against those flaws.

The tactic used by LockFile ransomware is to encrypt only 16-byte chunks within a file rather than its full content, which leaves the encrypted document statistically very similar to the original and helps the intrusion evade detection by some protection solutions.

According to Sophos, the striking feature of this ransomware is not the partial encryption itself. The LockBit 2.0, DarkSide, and BlackMatter groups, for example, are known to encrypt only part of each document in order to finish the encryption process faster. What sets LockFile apart is that it does not encrypt the first few blocks. Instead, it encrypts the next 16 bytes of the document, leaving it partially readable.

The advantage of this approach is that intermittent encryption distorts statistical analysis and confounds some protection technologies. For example, Pearson’s chi-squared (χ²) test and its variants are used by some anti-ransomware solutions to decide whether a file’s byte distribution differs significantly from what is expected; ciphertext has a near-uniform byte distribution and therefore scores low, while structured text scores high. Comparing the effect of LockFile and DarkSide on a 481 KB text file with an original χ² score of 3850061, the document encrypted by DarkSide receives a score of 334, a clear indication that the file was encrypted. When the same document is encrypted by LockFile, the recorded score remains very high (1789811), which can dispel any suspicion of intrusion.
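As an added illustration (not Sophos’s code and not part of the original article), the Python below models the statistical effect the paragraph describes and goes one step further on the defensive side: it scores a constructed plaintext, a simulated fully encrypted copy and a simulated intermittently encrypted copy with a whole-file chi-squared statistic, then adds a stride-split score that examines alternate 16-byte chunks separately so that the partially encrypted file no longer hides behind its high whole-file score. Random bytes stand in for ciphertext (nothing is actually encrypted), the chunk layout (first chunk intact, then every other 16-byte chunk replaced) is a modelling assumption, and the sample text, seed and 512 threshold are constructed for the demo; the scores will not match the article’s figures.

```python
# Added example (not Sophos's code and not part of the original article): model why a
# whole-file chi-squared score misses intermittent encryption, and show a stride-split
# score that exposes it. Random bytes stand in for ciphertext; no file is encrypted.
import random
from collections import Counter

CHUNK = 16                      # block size the article describes
UNIFORM_THRESHOLD = 512.0       # assumption: scores at or below this look uniform (random)
_rng = random.Random(20210902)  # fixed seed so the constructed demo is reproducible

# Constructed plaintext: 44,000 bytes of repetitive report-style text.
SAMPLE_TEXT = (
    b"Quarterly report: revenue, costs and headcount per region. "
    b"All figures are provisional and subject to audit.\n"
) * 400


def chi_squared(data: bytes) -> float:
    """Pearson's chi-squared statistic of the byte histogram against a uniform
    distribution over the 256 byte values. Uniform (ciphertext-like) data scores
    near 255; structured text scores orders of magnitude higher."""
    n = len(data)
    if n == 0:
        return 0.0
    expected = n / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def simulate_full_encryption(data: bytes) -> bytes:
    """Stand-in for a fully encrypted file: every byte replaced by a random one."""
    return _rng.randbytes(len(data))


def simulate_intermittent_encryption(data: bytes, chunk: int = CHUNK) -> bytes:
    """Stand-in for the intermittent scheme described in the article: the first
    chunk is left intact and every other 16-byte chunk after it is replaced by
    random bytes (modelling assumption, not the ransomware's exact layout)."""
    out = bytearray(data)
    for off in range(chunk, len(data), 2 * chunk):
        end = min(off + chunk, len(data))
        out[off:end] = _rng.randbytes(end - off)
    return bytes(out)


def stride_scores(data: bytes, chunk: int = CHUNK) -> tuple[float, float]:
    """Score the even-indexed and odd-indexed 16-byte chunks separately. Plaintext
    gives two high scores; intermittent encryption leaves one of them near 255."""
    even = b"".join(data[i:i + chunk] for i in range(0, len(data), 2 * chunk))
    odd = b"".join(data[i:i + chunk] for i in range(chunk, len(data), 2 * chunk))
    return chi_squared(even), chi_squared(odd)


def classify(data: bytes, threshold: float = UNIFORM_THRESHOLD) -> str:
    """'encrypted' if the whole file looks uniform, 'intermittent' if only one
    chunk stride does, otherwise 'plaintext'."""
    if chi_squared(data) <= threshold:
        return "encrypted"
    if min(stride_scores(data)) <= threshold:
        return "intermittent"
    return "plaintext"


if __name__ == "__main__":
    for label, blob in (
        ("original", SAMPLE_TEXT),
        ("fully encrypted (simulated)", simulate_full_encryption(SAMPLE_TEXT)),
        ("intermittently encrypted (simulated)", simulate_intermittent_encryption(SAMPLE_TEXT)),
    ):
        even, odd = stride_scores(blob)
        print(f"{label:38s} whole={chi_squared(blob):12.0f} "
              f"even={even:10.0f} odd={odd:10.0f} -> {classify(blob)}")
```

The whole-file score of the intermittently modified copy stays far above the threshold, just as the article reports for LockFile, because half of every window is still plaintext. The stride-split score only works here because the demo assumes the detector knows the chunk size and alignment; a real product would have to search over plausible chunk sizes and offsets, and a ransomware author can change both, which is why statistical checks on file content are best paired with behavioural signals rather than relied on alone.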

Encrypted documents are renamed using lowercase characters and a .lockfile extension. Instead of dropping a ransom note in TXT format, LockFile uses an HTML Application (HTA) file, much like the one used by the LockBit 2.0 ransomware, according to Sophos researchers. The note asks victims to contact the email address contact@contipauper.com. The domain, created on August 16, 2021, may be a derogatory reference to a competing ransomware group called Conti.

Source: Sophos

LockFile also uses memory-mapped input/output (I/O) to encrypt cached files and write them back with minimal disk access, another means of evading detection. With this technique the ransomware can access documents more quickly in order to encrypt them, and then let the operating system itself write them to disk in an action separate from the malicious process. With this trick alone, LockFile can avoid detection by some behaviour-based anti-ransomware solutions.

LockFile is also harder to identify because it does not need to connect to a command-and-control server.

To spread, LockFile ransomware exploited a series of vulnerabilities in Microsoft Exchange servers known as ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207). Even though patches for these flaws have been available since April and May, many organizations have yet to apply them to their servers, making them easy prey for ransomware attacks like LockFile’s.