Chris Swagler | September 9th, 2021

lockfile ransomware

Last month, a new ransomware strain called LockFile appeared, using a novel technique of its own, “intermittent encryption”, to bypass ransomware protection. LockFile operators have been breaching Windows servers by exploiting publicly disclosed vulnerabilities, including ProxyShell and PetitPotam, and evading ransomware defenses with a file-encrypting payload that scrambles every other 16 bytes of a file.

Ransomware operators generally use partial encryption to speed up the encryption process; other groups, including BlackMatter, DarkSide and LockBit 2.0, do this by encrypting only the first few blocks of each file. LockFile instead encrypts every other 16 bytes of a document, which leaves every file partially readable and statistically close to the original. This allows the threat actors to evade ransomware protection software that detects encryption by statistical analysis of file contents.
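To make the evasion concrete, the following added example (not code from SpearTip or from the LockFile samples) models the two approaches on a constructed plain-text file. Encryption is simulated by replacing bytes with seeded pseudo-random data, which is statistically what ciphertext looks like; no cipher is involved. It compares the whole-file entropy check that intermittent encryption defeats with a block-granular scan that still catches the alternating pattern. `BLOCK`, the sample text, the `simulate_*` helpers and the thresholds are all assumptions made for the demonstration.

```python
import math
import random
from collections import Counter

BLOCK = 16  # granularity reported for LockFile: every other 16-byte chunk is encrypted

# Constructed sample "document": plain ASCII text with roughly 4 bits/byte of entropy.
SAMPLE_TEXT = (
    "Quarterly report: revenue grew 4% while operating costs held flat.\n" * 64
).encode("ascii")


def shannon_entropy(data: bytes) -> float:
    """Empirical Shannon entropy of the byte distribution, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def simulate_intermittent_encryption(data: bytes, block: int = BLOCK, seed: int = 0) -> bytes:
    """Constructed model of the scheme described above: every second `block`-byte
    chunk is replaced by pseudo-random bytes (a stand-in for ciphertext) and the
    chunks in between are left untouched, so the file stays partially readable."""
    rng = random.Random(seed)
    out = bytearray(data)
    for start in range(block, len(data), 2 * block):
        end = min(start + block, len(data))
        out[start:end] = rng.randbytes(end - start)
    return bytes(out)


def simulate_full_encryption(data: bytes, seed: int = 0) -> bytes:
    """Model of conventional full-file encryption: every byte looks random."""
    return random.Random(seed).randbytes(len(data))


def whole_file_verdict(data: bytes, threshold: float = 7.5) -> bool:
    """The naive content check: call the file encrypted only if its overall
    entropy is close to the 8 bits/byte that ciphertext produces."""
    return shannon_entropy(data) >= threshold


def blockwise_verdict(
    data: bytes, block: int = BLOCK, high_bytes_per_block: int = 4, min_fraction: float = 0.25
) -> tuple[bool, float]:
    """Granular check: scan fixed-size blocks and flag each block that contains
    several bytes with the high bit set. Plain ASCII text never has such bytes,
    while random-looking ciphertext has them in about half of its bytes.
    Returns (verdict, fraction of blocks flagged)."""
    blocks = [data[i : i + block] for i in range(0, len(data), block)]
    flagged = sum(
        1 for b in blocks if sum(1 for byte in b if byte >= 0x80) >= high_bytes_per_block
    )
    fraction = flagged / len(blocks) if blocks else 0.0
    return fraction >= min_fraction, fraction


if __name__ == "__main__":
    variants = {
        "original": SAMPLE_TEXT,
        "intermittent (every other 16 bytes)": simulate_intermittent_encryption(SAMPLE_TEXT),
        "fully encrypted": simulate_full_encryption(SAMPLE_TEXT),
    }
    for name, content in variants.items():
        flagged, fraction = blockwise_verdict(content)
        print(
            f"{name:38s} entropy={shannon_entropy(content):.2f} "
            f"whole-file={'ENCRYPTED' if whole_file_verdict(content) else 'clean':9s} "
            f"blockwise={'ENCRYPTED' if flagged else 'clean':9s} ({fraction:.0%} of blocks)"
        )
```

Because half of every intermittently encrypted file is still the original text, its entropy stays well below what a full-file threshold expects, which is exactly the blind spot the article describes; the block scan works because it looks for ciphertext-like blocks rather than averaging over the file. The high-bit heuristic is only meaningful for text-like formats; a production detector would compare each block against the distribution expected for that file type, and would combine content inspection with behavioural signals such as the mass process termination and self-deletion noted below.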

Once the malware is running, it uses Windows Management Instrumentation (WMI) to terminate critical processes belonging to virtualization software and databases before encrypting valuable files and data. LockFile’s ransom note, like LockBit 2.0’s, urges victims to contact “[email protected]”, which may be a reference to Conti, another active ransomware group. After encrypting the documents, the ransomware deletes itself, leaving no binary on the system for incident responders or antivirus software to detect or remove.

At SpearTip, we harp on the fact that antivirus software alone is not enough to protect your company from threats. LockFile ransomware is a prime example of why we think it is vital to have a human response to every threat that arises. Our Security Operations Center is staffed 24/7 with certified engineers who are actively monitoring networks at every moment.

There is still a benefit, however, to implementing technology to stop cyber threats. SpearTip’s Security Operations Center as a Service (SOCaaS) combines the necessary human response with ShadowSpear®, our endpoint detection and response tool, to add another layer of continuous protection from threat actors looking to harm your organization.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.