LockFile Ransomware Uses Never-Before Seen Encryption to Avoid Detection
In July, researchers at Sophos discovered a new emerging threat in July that exploits the ProxyShell vulnerabilities in Microsoft Exchange servers to attack systems. The ransomware is referred to as LockFile and uses a unique intermittent encryption method as a means of evading detection. The ransomware gans also adopts tactics from previous threat groups. LockFile ransomware encrypts every 16 bytes of a file, meaning that it goes unnoticed by some ransomware protection solutions. The encrypted document looks similar to the unencrypted original due to the ransomware’s ability to encrypt every 16bytes.
Sophos researchers released a report on LockFile, which was published last week, revealing that the ransomware first exploits unpatched Microsoft ProxyShell flaws. The ransomware then uses a PetitPotam NTLM to gain control of a victim’s domain. The threat actor also uses Microsoft’s Encrypting File System Remote Protocol to connect to a server and hijack the authentication session. The results are manipulated so that the server believes the attacker has a right to access it, according to the Sophos report.