29th August 2021, Kathmandu
A new ransomware family that emerged last month comes with its own bag of tricks to bypass ransomware protection by leveraging a novel technique called "intermittent encryption."
Called LockFile, the operators of the ransomware have been found exploiting recently disclosed flaws such as ProxyShell and PetitPotam to compromise Windows servers and deploy file-encrypting malware that scrambles only every alternate 16 bytes of a file, thereby giving it the ability to evade ransomware defenses.
"Partial encryption is generally used by ransomware operators to speed up the encryption process and we've seen it implemented by BlackMatter, DarkSide, and LockBit 2.0 ransomware," Mark Loman, Sophos director of engineering, said in a statement. "What sets LockFile apart is that, unlike the others, it doesn't encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document."
"This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware protection software that relies on inspecting content using statistical analysis to detect encryption," Loman added.
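The following Python is an added illustration of the statistical point Loman makes; it is not code from Sophos, the article, or the malware. It models the described output shape by replacing every other 16-byte chunk of a constructed text document with random bytes (random bytes stand in for ciphertext; no cipher is involved), then shows why whole-file entropy is a weak signal for this pattern and how measuring entropy per alternating stride separates the two halves again. The sample document, the thresholds, and the choice of which alternating chunk is replaced are assumptions for the demo.

```python
import math
import os
from collections import Counter

BLOCK = 16  # the article: LockFile encrypts every other 16 bytes of a document


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sample_document() -> bytes:
    """Constructed plain-text 'document' of exactly 4096 bytes (not a real file)."""
    para = (b"Quarterly report: revenue grew in every region, and the board "
            b"approved the budget for next year after a short discussion.\n")
    return (para * (4096 // len(para) + 1))[:4096]


def simulate_intermittent(data: bytes, block: int = BLOCK) -> bytes:
    """Model the described pattern: every other `block`-byte chunk is replaced
    with random bytes, which stand in for ciphertext. This is not a cipher and
    not the malware; it only reproduces the statistical shape of the output.
    Which of the two alternating chunks is replaced is an assumption (here the
    second, fourth, ... chunk)."""
    out = bytearray(data)
    for start in range(block, len(out), 2 * block):
        end = min(start + block, len(out))
        out[start:end] = os.urandom(end - start)
    return bytes(out)


def simulate_full(data: bytes) -> bytes:
    """Model conventional whole-file encryption as uniformly random output."""
    return os.urandom(len(data))


def stride_entropies(data: bytes, block: int = BLOCK):
    """Entropy of the even-numbered chunks and of the odd-numbered chunks,
    measured separately. Under whole-file statistics the two halves blend;
    measured per stride, the encrypted half stands out."""
    even = b"".join(data[i:i + block] for i in range(0, len(data), 2 * block))
    odd = b"".join(data[i:i + block] for i in range(block, len(data), 2 * block))
    return shannon_entropy(even), shannon_entropy(odd)


def classify(data: bytes, block: int = BLOCK, high: float = 7.5, gap: float = 2.0) -> str:
    """Illustrative verdict. Thresholds are assumptions for this demo; a real
    tool would also have to account for legitimately high-entropy files
    (archives, images) and for files shorter than a few chunks."""
    if shannon_entropy(data) >= high:
        return "high-entropy"          # whole file looks encrypted or compressed
    even, odd = stride_entropies(data, block)
    if max(even, odd) >= high and abs(even - odd) >= gap:
        return "intermittent"          # one alternating half random, the other plain
    return "plain"


if __name__ == "__main__":
    doc = sample_document()
    for label, blob in (("original", doc),
                        ("intermittent", simulate_intermittent(doc)),
                        ("full", simulate_full(doc))):
        e, o = stride_entropies(blob)
        print(f"{label:12s} whole={shannon_entropy(blob):.2f} "
              f"even={e:.2f} odd={o:.2f} -> {classify(blob)}")
```

Run as a script, the whole-file entropy of the intermittently scrambled document lands well under the value a fully scrambled file produces, which is the blind spot the article describes; the per-stride figures, by contrast, show one half near the text's own entropy and the other near 8 bits per byte. A detection tool that assumes a single statistic per file has to pick a chunking that matches the attacker's stride, which is why behavioural signals (mass file modification, shadow-copy deletion, the process-termination step described below) matter more than any one content heuristic.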
Sophos' analysis of LockFile comes from an artifact that was uploaded to VirusTotal on August 22, 2021.
Once installed, the malware also takes steps to terminate critical processes associated with virtualization software and databases via the Windows Management Interface (WMI), before proceeding to encrypt critical files and objects and display a ransom note that bears stylistic similarities to that of LockBit 2.0.
The ransom note also urges the victim to contact a specific email address, "contact@contipauper.com," which Sophos suspects could be a derogatory reference to a competing ransomware group called Conti.
What's more, the ransomware deletes itself from the system after successfully encrypting all the documents on the machine, meaning that "there is no ransomware binary for incident responders or antivirus software to find or clean up."
"The message here for defenders is that the cyberthreat landscape never stands still, and adversaries will quickly seize every possible opportunity or tool to launch a successful attack," Loman said.
The disclosure comes as the U.S. Federal Bureau of Investigation (FBI) released a Flash report detailing the tactics of a new Ransomware-as-a-Service (RaaS) outfit known as Hive, consisting of a number of actors who are using multiple mechanisms to compromise business networks, exfiltrate data and encrypt data on the networks, and attempt to collect a ransom in exchange for access to the decryption software.