The LockFile ransomware emerged in July 2021. The ransomware has been exploiting the ProxyShell vulnerabilities in Microsoft Exchange servers in its attacks. The flaws are exploited “to breach targets with unpatched, on premises Microsoft Exchange servers, followed by a PetitPotam NTLM relay attack to seize control of the domain,” according to Sophos’ Mark Loman.
What is most notable about this ransomware, however, is its encryption. Intermittent encryption has not been used by any known ransomware so far; the threat actors chose it for evasion purposes.
LockFile Ransomware Intermittent Encryption Explained
This particular feature is what sets LockFile apart from other ransomware families. How does intermittent encryption work? The cryptovirus encrypts every 16 bytes of a file in an attempt to evade detection by ransomware protection solutions. Apparently, a document encrypted this way looks statistically very similar to the unencrypted original.
Evasion is possible when anti-ransomware tools rely on the so-called “chi-squared (chi^2)” analysis of a file’s byte distribution: partial encryption skews the statistic this analysis measures, so the encrypted file no longer looks encrypted to the tool. What does this mean in numbers?
“An unencrypted text file of 481 KB (say, a book) has a chi^2 score of 3850061. If the document was encrypted by DarkSide ransomware, it would have a chi^2 score of 334 – which is a clear indication that the document has been encrypted. If the same document is encrypted by LockFile ransomware, it would still have a significantly high chi^2 score of 1789811,” Loman explained.
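The following is an added worked example, not code from the article or from Sophos. It computes the chi^2 byte-frequency score described above for a constructed English-text sample, for the same sample fully encrypted, and for it encrypted only in alternating 16-byte blocks. The alternating-block layout is one reading of “encrypts every 16 bytes” and is an assumption; the SHA-256 counter-mode keystream is a stand-in for whatever cipher the ransomware actually uses, and the 500 threshold is a constructed cut-off (a uniformly random byte stream scores about 255 on 255 degrees of freedom). The stride-aware scorer at the end is an illustrative detection refinement, not a description of any vendor’s product.

```python
"""Chi-squared byte-frequency scoring of a file, and why intermittent
encryption defeats a naive whole-file version of it.

Constructed example: the plaintext, the keystream cipher and the
block-alternating scheme are all stand-ins, not LockFile's code.
"""
import hashlib
from typing import Dict

BLOCK = 16  # block size quoted in the article for LockFile

# Constructed sample "document": ordinary English prose repeated to ~48 KB.
SAMPLE_PARAGRAPH = (
    "The quick brown fox jumps over the lazy dog. Ransomware protection "
    "tools often look at the byte distribution of a file: plain text is "
    "dominated by a few dozen byte values, while ciphertext is spread "
    "evenly over all 256. "
).encode()
PLAINTEXT = SAMPLE_PARAGRAPH * (48 * 1024 // len(SAMPLE_PARAGRAPH))


def chi_squared(data: bytes) -> float:
    """Chi-squared statistic of the byte histogram against a uniform
    distribution (255 degrees of freedom). Random/encrypted data scores
    close to 255; text or structured documents score far higher."""
    if not data:
        return 0.0
    expected = len(data) / 256.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return sum((c - expected) ** 2 / expected for c in counts)


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic pseudo-random keystream (SHA-256 in counter mode).
    A stand-in for a real cipher; only its uniform output matters here."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_full(data: bytes, key: bytes) -> bytes:
    """XOR every byte with the keystream: the whole-file encryption a
    conventional ransomware applies."""
    ks = keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def encrypt_intermittent(data: bytes, key: bytes) -> bytes:
    """Encrypt only every other 16-byte block, leaving the blocks in
    between as plaintext. This layout is an assumption (one reading of
    'encrypts every 16 bytes')."""
    ks = keystream(key, len(data))
    out = bytearray(data)
    for start in range(0, len(data), 2 * BLOCK):  # every second block
        for i in range(start, min(start + BLOCK, len(data))):
            out[i] ^= ks[i]
    return bytes(out)


def score_by_block_parity(data: bytes) -> Dict[str, float]:
    """Stride-aware refinement of the detector: score the even-numbered
    and odd-numbered 16-byte blocks separately. A file whose whole-file
    score looks like text, but one of whose block classes looks random,
    is still flagged."""
    even = bytearray()
    odd = bytearray()
    for n, start in enumerate(range(0, len(data), BLOCK)):
        (even if n % 2 == 0 else odd).extend(data[start:start + BLOCK])
    return {"even": chi_squared(bytes(even)), "odd": chi_squared(bytes(odd))}


# Constructed threshold: a random byte stream scores ~255 on 255 degrees of
# freedom, so anything below a few hundred is treated as "looks encrypted".
LOOKS_ENCRYPTED_BELOW = 500.0


def looks_encrypted_whole_file(data: bytes) -> bool:
    """Naive detector: a single chi^2 score over the entire file."""
    return chi_squared(data) < LOOKS_ENCRYPTED_BELOW


def looks_encrypted_stride_aware(data: bytes) -> bool:
    """Flag the file if either block class on its own looks random."""
    return min(score_by_block_parity(data).values()) < LOOKS_ENCRYPTED_BELOW


if __name__ == "__main__":
    key = b"constructed-demo-key"
    full = encrypt_full(PLAINTEXT, key)
    partial = encrypt_intermittent(PLAINTEXT, key)
    for label, blob in (("plaintext", PLAINTEXT), ("fully encrypted", full),
                        ("intermittently encrypted", partial)):
        print(f"{label:26s} chi^2={chi_squared(blob):12.0f} "
              f"whole-file flag={looks_encrypted_whole_file(blob)} "
              f"stride-aware flag={looks_encrypted_stride_aware(blob)}")
```

Running the script prints three rows: the plaintext and the intermittently encrypted copy both score in the hundreds of thousands, so the whole-file check passes the partially encrypted file as benign, while the fully encrypted copy lands near 255. Scoring the two block classes separately exposes the encrypted stride in the intermittent case, which is the kind of adjustment a detector needs once an attacker can choose how much of each file to leave untouched.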
Once all files on the targeted system are encrypted, the ransomware removes itself with a PING command, leaving no trace. In other words, LockFile does not leave a ransomware binary behind, which prevents incident responders and antivirus solutions from finding it.
It is also noteworthy that the ransomware doesn’t need to connect to a command-and-control server, making its under-the-radar behavior even more sophisticated. “This means that it can encrypt data on machines that do not have internet access,” Loman concluded.