CyberNews Briefs

LockFile Ransomware Uses Never-Before Seen Encryption to Avoid Detection

In July, researchers at Sophos discovered an emerging threat that exploits the ProxyShell vulnerabilities in Microsoft Exchange servers to break into victim systems. The ransomware, referred to as LockFile, uses an unusual intermittent encryption method to evade detection, and the gang behind it also borrows tactics from earlier threat groups. Rather than encrypting a file from end to end, LockFile encrypts every other 16-byte block, leaving the blocks in between as plaintext, so roughly half of each file is untouched. The partially encrypted document therefore looks statistically similar to the unencrypted original, which lets it slip past ransomware protection tools that decide a file has been encrypted by measuring whole-file entropy or byte-frequency distributions.
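To make that evasion concrete, the following Python simulation is an added illustration written for this brief; it is not LockFile's code and not Sophos's analysis. It applies the alternating 16-byte pattern Sophos describes to a constructed low-entropy "document", using a SHA-256 counter-mode keystream as a stand-in cipher (an assumption: LockFile's real cipher is not modelled), and then compares a naive whole-file entropy detector with a per-block check. The sample text, the key, the thresholds and all function names are hypothetical.

```python
"""Simulation of LockFile-style intermittent encryption and why whole-file
entropy checks miss it.  Added illustration, not LockFile's code: the cipher
is a SHA-256 counter-mode keystream stand-in, and the alternating 16-byte
pattern is the only property borrowed from the Sophos description."""
import hashlib
import math
from collections import Counter

BLOCK = 16

# Constructed sample "document": low-entropy text, as a real report would be.
SAMPLE_DOC = b"Quarterly report: revenue up 4%. " * 200
SAMPLE_KEY = b"demo-key-not-secret"  # assumption: any fixed key works for the demo


def keystream(key: bytes, nbytes: int) -> bytes:
    """SHA-256 in counter mode; a stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def encrypt_full(data: bytes, key: bytes) -> bytes:
    """Conventional ransomware behaviour: every byte becomes ciphertext."""
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))


def encrypt_intermittent(data: bytes, key: bytes, block: int = BLOCK) -> bytes:
    """Encrypt every other `block`-byte chunk; the chunks in between stay plaintext."""
    ks = keystream(key, len(data))
    out = bytearray(data)
    for start in range(0, len(data), 2 * block):  # offsets 0, 32, 64, ...
        for i in range(start, min(start + block, len(data))):
            out[i] ^= ks[i]
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer (8.0 means indistinguishable from random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def whole_file_detector(data: bytes, threshold: float = 7.0) -> bool:
    """Naive check: flag the file only if it is near-random as a whole."""
    return shannon_entropy(data) >= threshold


def random_block_fraction(data: bytes, block: int = BLOCK, min_distinct: int = 14) -> float:
    """Block-level check: share of 16-byte chunks that look random.
    A random 16-byte chunk has about 15.5 distinct byte values on average;
    16 bytes of ordinary text rarely exceed 13."""
    chunks = [data[i:i + block] for i in range(0, len(data), block)]
    random_chunks = sum(1 for c in chunks if len(set(c)) >= min_distinct)
    return random_chunks / len(chunks)


if __name__ == "__main__":
    variants = {
        "plaintext": SAMPLE_DOC,
        "fully encrypted": encrypt_full(SAMPLE_DOC, SAMPLE_KEY),
        "intermittent (every other 16 B)": encrypt_intermittent(SAMPLE_DOC, SAMPLE_KEY),
    }
    for name, buf in variants.items():
        print(f"{name:32s} entropy={shannon_entropy(buf):.2f} "
              f"whole-file flagged={str(whole_file_detector(buf)):5s} "
              f"random-block fraction={random_block_fraction(buf):.2f}")
```

Run as a script, it prints the three variants side by side: the fully encrypted copy crosses the 7-bits-per-byte threshold, the intermittently encrypted copy stays below it and is missed, yet the block-level check still reports about half of its 16-byte chunks as random. The lesson for detection engineering is to score at chunk granularity, or to watch the write pattern itself, rather than trusting a single whole-file statistic.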

Sophos's report on LockFile, published last week, states that the ransomware operators first exploit unpatched ProxyShell flaws in Microsoft Exchange. They then use the PetitPotam NTLM relay attack to take control of the victim's domain: the attacker connects to a domain controller over Microsoft's Encrypting File System Remote Protocol (MS-EFSRPC), coerces it into authenticating to an attacker-controlled machine and relays that authentication session, so that the targeted server believes the attacker is entitled to access it, according to the Sophos report.

Read More: LockFile Ransomware Uses Never-Before Seen Encryption to Avoid Detection

OODA Analyst

OODA is comprised of a unique team of international experts capable of providing advanced intelligence and analysis, strategy and planning support, risk and threat management, training, decision support, crisis response, and security services to global corporations and governments.