Quote:Researchers discovered a novel ransomware emerging on the heels of the ProxyShell vulnerabilities discovery in Microsoft Exchange servers. The threat, dubbed LockFile, uses a unique “intermittent encryption” method as a way to evade detection as well as adopting tactics from previous ransomware gangs.
Discovered by researchers at Sophos, LockFile ransomware encrypts every 16 bytes of a file, which means some ransomware protection solutions don’t notice it because “an encrypted document looks statistically very similar to the unencrypted original,” Mark Loman, director, engineering, for next-gen technologies at Sophos, wrote in a report on LockFile published last week.
“We haven’t seen intermittent encryption used before in ransomware attacks,” he wrote.
The ransomware first exploits unpatched ProxyShell flaws and then uses what’s called a PetitPotam NTLM relay attack to seize control of a victim’s domain, researchers explained. In this type of attack, a threat actor uses Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) to connect to a server, hijack the authentication session, and manipulate the results such that the server then believes the attacker has a legitimate right to access it, Sophos researchers described in an earlier report.
LockFile also shares some attributes of previous ransomware as well as other tactics—such as forgoing the need to connect to a command-and-control center to communicate–to hide its nefarious activities, researchers found.
“Like WastedLocker and Maze ransomware, LockFile ransomware uses memory mapped input/output (I/O) to encrypt a file,” Loman wrote in the report. “This technique allows the ransomware to transparently encrypt cached documents in memory and causes the operating system to write the encrypted documents, with minimal disk I/O that detection technologies would spot.”
Read more: LockFile Ransomware Uses Never-Before Seen Encryption to Avoid Detection
![[-]](https://www.geeks.fyi/images/collapse.png)
