A novel ransomware family has emerged that exploits the ProxyShell Microsoft Exchange vulnerabilities. Dubbed LockFile, it uses a distinctive ‘intermittent encryption’ method to evade detection, alongside tactics borrowed from other ransomware gangs.
Researchers found that LockFile encrypts only alternating 16-byte blocks of each file, so an encrypted document still looks very similar to the unencrypted original and some ransomware protection solutions fail to notice it.
The ransomware exploits unpatched ProxyShell flaws, then uses a PetitPotam NTLM relay attack to seize control of the victim’s domain. In this type of attack a cyber criminal uses Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) to connect to a server, hijacks the authentication session and manipulates the results to trick the server into believing the attacker has a legitimate right to access it.
Other tactics, such as forgoing any connection to a command-and-control server, were adopted to hide its malicious activity.
The ransomware then uses the Windows Management Instrumentation (WMI) command-line tool WMIC.EXE, which is part of every Windows installation, to terminate all processes with vmwp in their name, and repeats the process for other critical business processes associated with virtualisation software and databases. Terminating these processes ensures that any locks on the associated files and databases are released, leaving those objects ready for malicious encryption.
LockFile renames encrypted documents to lower case, appends a .lockfile file extension and drops an HTML Application (HTA) ransom note. In the note, the LockFile adversary asks victims to contact a specific e-mail address; the domain name of that address appears to refer to the Conti gang, a still-active ransomware group.
What sets LockFile apart from its competitors is the way it employs this type of encryption, which had not been observed in ransomware before. It does not encrypt the first few blocks of a file; instead, LockFile encrypts every other 16 bytes of a document, so a text document remains partially readable.
Once it has encrypted all the documents on a machine, LockFile disappears without a trace, deleting itself with a PING command. After the attack there is therefore no ransomware binary for incident responders or antivirus software to find or clean up.
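To show why the alternating-block pattern described above slips past a whole-file entropy threshold, and what a block-level check looks like instead, here is an added example (not code from the article, from Sophos, or from any vendor product). It builds a constructed sample document, overwrites every other 16-byte block with hash-derived filler bytes that stand in for ciphertext (a hash, not a cipher, and nothing resembling LockFile's own routine), and then compares the classic whole-file Shannon entropy with a per-block "looks like ciphertext" map. The thresholds (`0.3`–`0.7` scrambled fraction, `0.8` flip ratio, at most two non-printable bytes per readable block) are assumptions chosen for this demonstration.

```python
"""Per-block check for intermittent (alternating 16-byte block) encryption.
Added example; not code from the article or from any vendor.  The "encrypted"
blocks are hash-derived filler bytes standing in for ciphertext, not a cipher."""
import hashlib
import math
from collections import Counter

BLOCK = 16
# bytes a plain-text document is expected to contain (printable ASCII + tab/LF/CR)
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

# constructed sample document: 40 x 60 bytes = 2400 bytes = 150 whole blocks
SAMPLE_TEXT = b"Quarterly report: revenue rose 12 percent while costs fell.\n" * 40


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer: the classic whole-file check."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def block_is_scrambled(block: bytes, max_nonprintable: int = 2) -> bool:
    """A 16-byte block of text contains (almost) no bytes outside PRINTABLE;
    a block of ciphertext contains about 10 of 16 outside it."""
    return sum(1 for b in block if b not in PRINTABLE) > max_nonprintable


def scrambled_block_map(data: bytes) -> list:
    """One flag per whole 16-byte block: True if it looks like ciphertext."""
    return [block_is_scrambled(data[i:i + BLOCK])
            for i in range(0, len(data) // BLOCK * BLOCK, BLOCK)]


def classify(data: bytes) -> dict:
    """Combine whole-file entropy with the block map.  Alternating encryption
    leaves roughly half the blocks readable and flips state at almost every
    block boundary, which a single entropy threshold does not expose."""
    bmap = scrambled_block_map(data)
    n = len(bmap)
    frac = sum(bmap) / n if n else 0.0
    flips = sum(1 for a, b in zip(bmap, bmap[1:]) if a != b)
    flip_ratio = flips / (n - 1) if n > 1 else 0.0
    if frac > 0.9:
        verdict = "fully-encrypted"
    elif 0.3 <= frac <= 0.7 and flip_ratio > 0.8:
        verdict = "intermittent"
    elif frac < 0.05:
        verdict = "plaintext"
    else:
        verdict = "mixed"
    return {"entropy": shannon_entropy(data), "scrambled_fraction": frac,
            "flip_ratio": flip_ratio, "verdict": verdict}


def filler(block_index: int) -> bytes:
    """Deterministic pseudo-random stand-in for an encrypted block (a hash, not a cipher)."""
    return hashlib.sha256(b"stand-in-filler:%d" % block_index).digest()[:BLOCK]


def simulate(data: bytes, every_other: bool) -> bytes:
    """Overwrite either every block or every other block with filler bytes so the
    detector can be exercised on both the full and the intermittent pattern."""
    out = bytearray(data)
    for idx in range(len(data) // BLOCK):
        if every_other and idx % 2 == 0:      # leave alternating blocks readable
            continue
        out[idx * BLOCK:(idx + 1) * BLOCK] = filler(idx)
    return bytes(out)


if __name__ == "__main__":
    for label, blob in (("plaintext", SAMPLE_TEXT),
                        ("intermittent", simulate(SAMPLE_TEXT, every_other=True)),
                        ("full", simulate(SAMPLE_TEXT, every_other=False))):
        r = classify(blob)
        print(f"{label:12s} entropy={r['entropy']:.2f} "
              f"scrambled={r['scrambled_fraction']:.2f} "
              f"flips={r['flip_ratio']:.2f} -> {r['verdict']}")
```

Running it shows the intermittent sample landing well below the near-8 bits/byte that fully encrypted data produces, which is exactly why a detector keyed on whole-file entropy alone can miss it, while the block map still reports about half the blocks scrambled with a state flip at nearly every boundary.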
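Two of the behaviours described above, the WMIC process-termination step and the PING-based self-deletion, leave process-creation telemetry even when no binary remains on disk. The following added example (not code from the article or from any vendor product) scans constructed process-creation records in a simple `time|user|image|command line` layout and flags WMIC `process ... delete`/`terminate` commands that name a guarded process, plus command lines that chain `ping` with `del`. The log format, the `WATCHLIST` of process-name fragments (Hyper-V worker and management services, SQL Server, MySQL, Oracle) and all sample events are assumptions constructed for this demonstration.

```python
"""Flag process-kill and self-delete command lines in process-creation events.
Added example; the log layout, watchlist and sample events are all constructed."""
import re

# assumption: process-name fragments a defender wants to guard against termination
WATCHLIST = ("vmwp", "vmms", "sqlservr", "mysqld", "oracle")

# WMIC command that deletes/terminates a process, and a ping used as a delay before del
WMIC_KILL = re.compile(r"\bprocess\b.*\b(delete|terminate)\b", re.IGNORECASE)
PING_DEL = re.compile(r"\bping\b.*\bdel\b", re.IGNORECASE)

# constructed sample telemetry, not real logs: "time|user|image|command line"
SAMPLE_EVENTS = """\
10:01:02|CORP\\svc_backup|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get caption
10:01:09|CORP\\admin|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic process where "name like '%vmwp%'" delete
10:01:10|CORP\\admin|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic process where "name like '%sqlservr%'" delete
10:01:11|CORP\\admin|C:\\Windows\\System32\\cmd.exe|cmd /c ping 127.0.0.1 -n 3 > nul & del /f C:\\Users\\Public\\payload.exe
10:02:00|CORP\\jdoe|C:\\Windows\\System32\\PING.EXE|ping fileserver01
""".splitlines()


def parse_event(line: str) -> dict:
    """Split one record; the command line may itself contain '|' so split at most 3 times."""
    time, user, image, cmdline = line.split("|", 3)
    return {"time": time, "user": user, "image": image, "cmdline": cmdline}


def check_event(ev: dict) -> list:
    """Return the rule names an event triggers (empty list if it looks benign)."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]   # basename of the executable
    cmd = ev["cmdline"].lower()
    hits = []
    if image == "wmic.exe" and WMIC_KILL.search(cmd):
        targets = [name for name in WATCHLIST if name in cmd]
        if targets:                      # only alert when a guarded process is named
            hits.append("wmic-kill:" + ",".join(targets))
    if PING_DEL.search(cmd):             # ping used as a sleep before deleting a file
        hits.append("ping-self-delete")
    return hits


def scan(lines) -> list:
    """Return (record number, user, rule) for every rule hit, in log order."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        for rule in check_event(ev):
            findings.append((n, ev["user"], rule))
    return findings


if __name__ == "__main__":
    for n, user, rule in scan(SAMPLE_EVENTS):
        print(f"record {n}: {rule} by {user}")
```

The benign `wmic os get caption` and the plain `ping fileserver01` records are not flagged; the two WMIC delete commands are reported with the guarded process they target, and the `ping ... & del` chain is reported as a self-deletion attempt. In a real deployment the same two rules map directly onto process-creation events such as Sysmon Event ID 1 or Windows Security Event ID 4688 with command-line logging enabled.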
Neuways advises users to stay on top of their phishing awareness. Training helps businesses stay one step ahead of cyber criminals by ensuring that the latest cyber threats are known to as many people as possible, so that threat actors and their cyber attacks can be stopped.