
LockFile Ransomware Bypasses Protection Using Intermittent File Encryption
2021-08-28 10:17

A new ransomware family that emerged last month comes with its own bag of tricks to bypass ransomware protection by leveraging a novel technique called "Intermittent encryption."

Called LockFile, the ransomware is being deployed by operators who have been found exploiting recently disclosed flaws such as ProxyShell and PetitPotam to compromise Windows servers. The file-encrypting malware scrambles only every alternate 16 bytes of a file, which gives it the ability to evade ransomware defences.

"Partial encryption is generally used by ransomware operators to speed up the encryption process and we've seen it implemented by BlackMatter, DarkSide and LockBit 2.0 ransomware," Mark Loman, Sophos director of engineering, said in a statement.

"This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware protection software that relies on inspecting content using statistical analysis to detect encryption," Loman added.

Once on the system, the malware also terminates critical processes associated with virtualization software and databases via the Windows Management Interface, before encrypting critical files and objects and displaying a ransom note that bears stylistic similarities to that of LockBit 2.0.

What's more, the ransomware deletes itself from the system after successfully encrypting all the documents on the machine, meaning that "there is no ransomware binary for incident responders or antivirus software to find or clean up."

News URL

http://feedproxy.google.com/~r/TheHackersNews/~3/82TcvpnnSBY/lockfile-ransomware-bypasses-protection.html