Security Affairs

LockFile Ransomware uses a new intermittent encryption technique

The recently emerged LockFile ransomware family leverages a novel technique called intermittent encryption to speed up encryption.

The LockFile ransomware gang started its operations last month; it was recently spotted targeting Microsoft Exchange servers through the recently disclosed ProxyShell vulnerabilities. The popular security expert Kevin Beaumont was one of the first researchers to report that the LockFile operators are chaining the Microsoft Exchange ProxyShell and the Windows PetitPotam vulnerabilities to take over Windows domains.

Sophos researchers discovered that the group is now leveraging a new technique called “intermittent encryption” to speed up the encryption process.

The operators behind LockFile ransomware encrypt alternate 16-byte blocks of a document, leaving every other block intact, to evade detection. This is the first time that Sophos experts have seen this approach used in a ransomware attack.

“Partial encryption is generally used by ransomware operators to speed up the encryption process and we’ve seen BlackMatter, DarkSide and LockBit 2.0 ransomware implement this technique,” said Mark Loman, director of engineering at Sophos. “What sets LockFile apart is that, unlike the others, it doesn’t encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document. This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware detection software that relies on inspecting content using statistical analysis to detect encryption.”
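To make the statistical point in the Sophos quote concrete, the following Python script is an added example written for this page; it is not Sophos's code and not code from the LockFile sample. It builds a constructed text document, models the alternate-block pattern by overwriting every odd-numbered 16-byte block with a deterministic SHA-256 keystream as a stand-in for ciphertext (the article does not say which block parity LockFile leaves intact, so "even blocks intact" is an assumption here), and then compares two defender-side measurements: whole-file entropy and printable ratio, which land in an ambiguous middle between "text" and "encrypted", and a per-block profile, where a strictly alternating run of intact and opaque 16-byte blocks is a much sharper signal.

```python
import hashlib
import math
from collections import Counter

BLOCK = 16  # LockFile encrypts alternate 16-byte blocks (Sophos)

# Constructed sample document, not taken from the Sophos analysis: a few lines
# of plain text repeated so that the file spans many 16-byte blocks.
SAMPLE_DOCUMENT = (
    b"quarterly report: revenue grew in every region this year.\n"
    b"the board approved the budget and the hiring plan for next year.\n"
) * 12

# Bytes a crude "is this still text?" check accepts: printable ASCII plus
# tab, newline and carriage return.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def shannon_entropy(data: bytes) -> float:
    """Entropy of the empirical byte distribution, in bits per byte (0..8)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def simulate_intermittent(plain: bytes) -> bytes:
    """Detector test input modelling the LockFile pattern: every odd-numbered
    16-byte block is overwritten with a deterministic SHA-256 keystream (a
    stand-in for ciphertext with ciphertext-like byte statistics); even blocks
    stay intact. Which parity LockFile leaves intact is not stated in the
    article, so "even blocks intact" is an assumption of this example."""
    out = bytearray(plain)
    n_blocks = -(-len(plain) // BLOCK)  # ceiling division
    for idx in range(1, n_blocks, 2):
        start, end = idx * BLOCK, min((idx + 1) * BLOCK, len(plain))
        keystream = hashlib.sha256(b"demo-keystream" + idx.to_bytes(4, "big")).digest()
        out[start:end] = keystream[: end - start]
    return bytes(out)


def whole_file_profile(data: bytes) -> dict:
    """Statistics a file-level detector typically looks at."""
    printable = sum(1 for b in data if b in PRINTABLE)
    return {
        "entropy": shannon_entropy(data),
        "printable_ratio": printable / len(data) if data else 0.0,
    }


def blockwise_profile(data: bytes, size: int = BLOCK) -> dict:
    """Block-level view. A block is 'opaque' if it holds any non-text byte.
    Fully encrypted files give opaque_ratio ~1.0 and one long opaque run; the
    intermittent pattern gives opaque_ratio ~0.5 and longest_opaque_run == 1,
    because intact and opaque blocks strictly alternate."""
    blocks = [data[i:i + size] for i in range(0, len(data), size)]
    opaque = [any(b not in PRINTABLE for b in blk) for blk in blocks]
    longest = run = 0
    for flag in opaque:
        run = run + 1 if flag else 0
        longest = max(longest, run)
    total = len(blocks)
    return {
        "blocks": total,
        "opaque_ratio": sum(opaque) / total if total else 0.0,
        "longest_opaque_run": longest,
        # Alternation with a substantial opaque share is the intermittent signature.
        "alternating": longest == 1 and total > 0 and sum(opaque) >= total // 3,
    }


if __name__ == "__main__":
    for label, data in (("original", SAMPLE_DOCUMENT),
                        ("intermittent", simulate_intermittent(SAMPLE_DOCUMENT))):
        print(label, whole_file_profile(data), blockwise_profile(data))
```

Running the script prints both profiles for the original and the modelled file. The whole-file numbers for the modelled file sit well below the near-8 bits per byte and near-zero printable ratio that fully encrypted output shows, which is why a threshold tuned for full-file encryption can miss it; the block-level profile instead reports roughly half the blocks opaque with a longest opaque run of exactly one, a shape ordinary documents do not produce.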

Sophos experts spotted the new technique while analyzing a LockFile sample (SHA-256 hash: bf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce) that was uploaded to VirusTotal on August 22, 2021.

The ransomware leverages Windows Management Instrumentation (WMI) to terminate critical processes associated with virtualization software and databases, removing any file locks that could interfere with encryption.

The ransom note is an HTML Application (HTA) file (e.g., ‘LOCKFILE-README-[hostname]-[id].hta’) that is dropped in the root of the drive. The HTA ransom note used by LockFile closely resembles the one used by LockBit 2.0 ransomware:

The victims of the LockFile ransomware gang are in the manufacturing, financial services, engineering, legal, business services, and travel and tourism sectors.

The ransom note used by the LockFile gang is similar to the one used by the LockBit ransomware operators and references the Conti gang in the contact email address (contact@contipauper[.]com).

Once the files are encrypted, the ransomware appends the .lockfile extension to their names and deletes its own binary from the system.

“Once it has encrypted all the documents on the machine, the ransomware deletes itself with the following command:

cmd /c ping 127.0.0.1 -n 5 && del "C:\Users\Mark\Desktop\LockFile.exe" && exit

The PING command sends five ICMP messages to the localhost (i.e., itself), and this is simply intended as a five second sleep to allow the ransomware process to close itself before executing the DEL command to delete the ransomware binary,” states Sophos. “This means that after the ransomware attack, there is no ransomware binary for incident responders or antivirus software to find or clean up.”
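The ping-then-del idiom quoted above is a useful hunting signal in process-creation telemetry, for instance the command-line field of Sysmon event 1 or Windows security event 4688, since it is rarely typed by administrators but common as a self-cleanup step. The following Python function is an added example for this page, not code from Sophos or from the analysed sample: it extracts the sleep length and the deleted path from any command line that pings a loopback address and then runs `del`, and it is exercised on a few constructed command lines, two benign and one modelled on the quoted command (the path and file name in it are placeholders).

```python
import re
from typing import Optional

# The sleep-then-delete idiom quoted by Sophos: ping the loopback address N
# times as a crude N-second sleep, then `del` a file once the pinging process
# has exited. Common loopback spellings, an optional `> nul` redirection and
# `del` switches such as /f /q are accepted; the rest of the line is ignored.
SELF_DELETE_RE = re.compile(
    r"ping\s+(?:127\.0\.0\.1|localhost|::1)\s+-n\s+(?P<count>\d+)"
    r"(?:\s*>\s*nul)?\s*&&\s*del\s+(?:/[a-z]\s+)*(?P<target>\"[^\"]+\"|\S+)",
    re.IGNORECASE,
)


def detect_self_delete(command_line: str) -> Optional[dict]:
    """Return the sleep length and deleted path if the line matches, else None."""
    m = SELF_DELETE_RE.search(command_line)
    if m is None:
        return None
    return {
        "sleep_seconds": int(m.group("count")),
        "target": m.group("target").strip('"'),
    }


def scan_command_lines(lines):
    """Return (index, finding) pairs for every command line matching the idiom."""
    hits = []
    for i, line in enumerate(lines):
        finding = detect_self_delete(line)
        if finding is not None:
            hits.append((i, finding))
    return hits


# Constructed command lines, not from the analysed sample: two benign, one
# modelled on the quoted self-deletion command (path and file name are placeholders).
SAMPLE_COMMAND_LINES = [
    'cmd /c ping 8.8.8.8 -n 4 && echo reachable',
    'cmd /c del "C:\\Temp\\old-report.log"',
    'cmd /c ping 127.0.0.1 -n 5 && del "C:\\Users\\someuser\\Desktop\\dropper.exe" && exit',
]

if __name__ == "__main__":
    for idx, finding in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(f"line {idx}: {finding}")
```

In a deployment this check would run over the command-line field of each process-creation event; the extracted target path is the file responders should recover from backups or EDR quarantine, since, as Sophos notes, it will no longer be on disk.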

Pierluigi Paganini

(SecurityAffairs – hacking, Lockfile ransomware)