Sneaky ransomware evades detection with intermittent encryption
Posted by: GuidePoint Security
Published 9/8/2021, 9:00am
The LockFile ransomware is the latest threat creating misery for organizations. Unfortunately, researchers recently discovered some LockFile tricks that make the attacks more difficult to detect.
LockFile appeared in July. (It is the ransomware of choice used in the ongoing Microsoft ProxyShell attacks we wrote about last week.) Using a technique known as ‘intermittent encryption,’ the ransomware encrypts certain sections of data inside a file instead of the entirety of the file. From a threat actor’s perspective, the entire file does not need to be encrypted. It only needs to be damaged enough to make it unusable for the owner. This technique speeds up the data encryption process and deceives any ransomware protection system that uses statistical analysis to look for active, unauthorized file encryption behaviors.
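The detection gap described above can be made concrete. A detector that scores the entropy of a whole file sees partially encrypted data as a blend of random and ordinary bytes and may never cross its threshold, whereas scoring each fixed-size chunk separately exposes the high-entropy islands. The following is an added example written for this post, not GuidePoint's or any vendor's code; the chunk size, thresholds and the constructed sample document are assumptions chosen for illustration.

```python
"""Chunk-wise entropy scan that flags files which look partially encrypted.

Added example (not GuidePoint's code). Assumptions: a 16 KiB scan granularity,
an "encrypted-looking" threshold of 7.5 bits/byte, a "plaintext-looking"
threshold of 6.0 bits/byte, and a constructed sample document.
"""
import math
import random
from collections import Counter

CHUNK_SIZE = 16 * 1024   # assumed scan granularity
MIN_CHUNK = 1024         # a tail fragment shorter than this is too small to score reliably
HIGH_ENTROPY = 7.5       # bits per byte; encrypted or compressed data sits close to 8.0
LOW_ENTROPY = 6.0        # ordinary text and office content sits well below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list[float]:
    """Entropy of each fixed-size chunk, skipping a short trailing fragment."""
    chunks = (data[i:i + chunk_size] for i in range(0, len(data), chunk_size))
    return [shannon_entropy(c) for c in chunks if len(c) >= MIN_CHUNK]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> dict:
    """Compare a whole-file entropy check with a per-chunk check.

    The whole-file threshold is what a naive statistical detector applies; the
    per-chunk counts reveal the mix of encrypted and untouched regions that
    intermittent encryption leaves behind.
    """
    ents = chunk_entropies(data, chunk_size)
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    low = sum(1 for e in ents if e <= LOW_ENTROPY)
    whole = shannon_entropy(data)
    if high and low:
        verdict = "partially-encrypted"        # mixed regions: the signal of interest
    elif ents and high == len(ents):
        verdict = "uniformly-high-entropy"     # fully encrypted, or simply compressed
    else:
        verdict = "plaintext"
    return {
        "whole_file_entropy": round(whole, 2),
        "whole_file_flagged": whole >= HIGH_ENTROPY,
        "chunks": len(ents),
        "high_chunks": high,
        "low_chunks": low,
        "verdict": verdict,
    }


def scan_file(path: str, chunk_size: int = CHUNK_SIZE) -> dict:
    """Classify a file on disk (reads it whole; fine for documents, not for huge files)."""
    with open(path, "rb") as fh:
        return classify(fh.read(), chunk_size)


def build_sample(chunks: int = 8, chunk_size: int = CHUNK_SIZE, seed: int = 7) -> bytes:
    """Constructed sample: a low-entropy document in which every other chunk has
    been overwritten with seeded pseudo-random bytes, standing in for the
    encrypted regions. This is test data, not real ransomware output."""
    rng = random.Random(seed)
    line = b"quarterly report, all values in usd.\n"
    plain = (line * (chunk_size // len(line) + 1))[:chunk_size]
    return b"".join(rng.randbytes(chunk_size) if i % 2 else plain for i in range(chunks))


if __name__ == "__main__":
    print(classify(build_sample()))
```

On the constructed sample the whole-file entropy lands around 7 bits per byte, under the 7.5 threshold, so a single-number check stays silent, while the chunk view reports four high-entropy and four low-entropy chunks and returns the "partially-encrypted" verdict. Two caveats for production use: compressed formats (ZIP-based Office documents, JPEG, PDF streams) are high-entropy throughout and will land in the "uniformly-high-entropy" bucket, and container formats that embed compressed objects inside plain structure can produce the mixed pattern legitimately, so this score is a triage signal to combine with process and file-system telemetry rather than a verdict on its own.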
LockFile also applies several other detection evasion techniques, such as using malformed executable files and leveraging Windows Management Instrumentation (WMI) to scan for and kill key business processes, so that the terminations look like they were carried out by the system rather than by the ransomware. LockFile also maps files into memory before corrupting the data and then relies on the Windows System process to write the changes back to disk. Again, this makes the malicious activity appear to be performed by the operating system and not by a malicious process.
Next Steps
Microsoft has released security updates and guidance for the vulnerabilities currently being leveraged by the LockFile ransomware (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207). Both security professionals and Microsoft are urging businesses to patch systems immediately. The Cybersecurity and Infrastructure Security Agency (CISA) has also issued warnings about the exploitation of the ProxyShell vulnerabilities. Organizations that have implemented the Microsoft patches issued in May and July are protected from this attack.