[MART] - Daily Diary #338 - LockFile Ransomware Encryption Technique

CTAS-MAT ctas-mat at appgate.com
Tue Aug 31 21:02:01 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

08/31/2021 - Diary entry #338

LockFile is a new Windows ransomware strain that emerged last month. First covered in our Daily Diary #331, samples of this ransomware have been found exploiting unpatched ProxyShell flaws using a technique called PetitPotam.

LockFile introduces a new technique for encrypting files. Instead of encrypting the entire file, it encrypts only every other 16 bytes. The result is a partially readable document that can bypass protection technologies such as chi-squared (chi²) analysis, which are meant to detect encrypted documents. Other ransomware families, like LockBit and Darkside, also implement partial encryption, encrypting only the first blocks of a file, but they do so to increase performance, letting the ransomware spend less time on each file, and that alone is not enough to bypass this kind of analysis.
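To make the detection point concrete, here is an added example (not LockFile's code, nor from the diary): a chi-squared byte-distribution check run over a constructed plaintext, a fully "encrypted" copy and an every-other-16-byte copy. The ciphertext is simulated with seeded random bytes, since only the byte statistics matter, and a per-stripe variant of the check is included to show one way a defender can catch the alternating layout; the threshold of 400 is a constructed cut-off.

```python
"""Added example: chi-squared byte-distribution check against the
intermittent encryption the diary describes. Not LockFile code; the
ciphertext is simulated with seeded random bytes (constructed)."""
import random
from collections import Counter

BLOCK = 16          # block granularity described in the diary
THRESHOLD = 400.0   # constructed cut-off; uniform data scores about 255

def chi_squared(data: bytes) -> float:
    """Chi-squared statistic of the byte histogram against a uniform
    distribution over 256 symbols (255 degrees of freedom)."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def looks_encrypted(data: bytes) -> bool:
    """Whole-file heuristic: near-uniform bytes -> probably ciphertext."""
    return chi_squared(data) < THRESHOLD

def looks_encrypted_by_parity(data: bytes) -> bool:
    """Hardened variant: test even and odd 16-byte blocks separately, so
    alternate-block encryption is caught when one stripe looks uniform."""
    stripes = [bytearray(), bytearray()]
    for off in range(0, len(data), BLOCK):
        stripes[(off // BLOCK) % 2] += data[off:off + BLOCK]
    return any(len(s) and chi_squared(bytes(s)) < THRESHOLD for s in stripes)

def simulate(plain: bytes, rng: random.Random, every_other: bool) -> bytes:
    """Stand-in for the encryption pass: random bytes replace either the
    whole buffer or only every other 16-byte block (the LockFile layout)."""
    out = bytearray(plain)
    step = 2 * BLOCK if every_other else BLOCK
    for off in range(0, len(plain), step):
        n = len(plain[off:off + BLOCK])
        out[off:off + BLOCK] = bytes(rng.getrandbits(8) for _ in range(n))
    return bytes(out)

SAMPLE = b"Quarterly report: revenue grew 12% year over year. " * 80  # constructed

def run_comparison(plain: bytes = SAMPLE, seed: int = 7) -> dict:
    """Returns (whole-file flag, per-stripe flag) for plaintext, a fully
    encrypted copy and an every-other-block copy of the same data."""
    rng = random.Random(seed)
    variants = {"plain": plain,
                "full": simulate(plain, rng, every_other=False),
                "intermittent": simulate(plain, rng, every_other=True)}
    return {k: (looks_encrypted(v), looks_encrypted_by_parity(v))
            for k, v in variants.items()}
```

Calling `run_comparison()` shows the whole-file check flagging only the fully encrypted copy, while the per-stripe check also flags the intermittently encrypted one.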

Curiously, the ransom note's visual layout is very similar to LockBit 2.0's, but the only available forms of contact are e-mail and TOX (a P2P encrypted messaging application). The ransom note also contains a link to a website on the onion network for the ransom payment. So far, nothing shows that the group is operating in the double-extortion model: they make no claims that data was stolen, and no wall-of-shame website has been found yet.

Kind Regards,



Felipe Duarte Domingues
Security Researcher

E: felipe.duarte at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 19 98840 2509
