LockFile Ransomware Uses Never-Before Seen Encryption to Avoid Detection
2021-08-31 10:42

The threat, dubbed LockFile, uses a unique "intermittent encryption" method to evade detection and adopts tactics from previous ransomware gangs.

Discovered by researchers at Sophos, LockFile ransomware encrypts every 16 bytes of a file. As a result, some ransomware protection solutions don't notice it because "an encrypted document looks statistically very similar to the unencrypted original," Mark Loman, director, engineering, for next-gen technologies at Sophos, wrote in a report on LockFile published last week.

"We haven't seen intermittent encryption used before in ransomware attacks," he wrote.
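The statistical effect described in the Sophos quote can be reproduced on a small buffer. The following is an added example, not code from Sophos or the article: it replaces every other 16-byte block of a constructed text sample with hash-derived bytes standing in for cipher output, then compares whole-buffer entropy and chi-squared with entropy measured per block phase. The alternating pattern, the sample text and all function names are assumptions of this example.

```python
import hashlib
import math
from collections import Counter

BLOCK = 16  # block size named in the article

def pseudo_ciphertext(n, seed=b"constructed-demo-seed"):
    """Deterministic high-entropy bytes standing in for cipher output (not real encryption)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def intermittent(data):
    """Assumed pattern: every other 16-byte block, starting at offset 0, is replaced."""
    noise = pseudo_ciphertext(len(data))
    out = bytearray(data)
    for off in range(0, len(data), 2 * BLOCK):
        out[off:off + BLOCK] = noise[off:off + BLOCK]
    return bytes(out)

def entropy(data):
    """Shannon entropy in bits per byte; 8.0 means uniformly random."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chi_squared(data):
    """Chi-squared against a uniform byte distribution; about 255 for random data."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def stride_entropy(data):
    """Entropy of the even-numbered and odd-numbered 16-byte blocks, taken separately."""
    even = b"".join(data[i:i + BLOCK] for i in range(0, len(data), 2 * BLOCK))
    odd = b"".join(data[i:i + BLOCK] for i in range(BLOCK, len(data), 2 * BLOCK))
    return entropy(even), entropy(odd)

def report():
    text = b"Quarterly report: revenue, costs and forecast for the next period. " * 400  # constructed sample
    variants = {"original": text, "intermittent": intermittent(text),
                "full": pseudo_ciphertext(len(text))}
    return {k: (entropy(v), chi_squared(v), stride_entropy(v)) for k, v in variants.items()}

if __name__ == "__main__":
    for name, (h, chi, (even, odd)) in report().items():
        print(f"{name:12s} entropy={h:.2f} chi2={chi:10.0f} even/odd={even:.2f}/{odd:.2f}")
```

On the constructed sample, the intermittent variant's whole-buffer entropy lands between the original and the fully replaced buffer, and its chi-squared stays orders of magnitude above the fully replaced one. Measuring the two block phases separately shows one phase near 8 bits per byte.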

"Like WastedLocker and Maze ransomware, LockFile ransomware uses memory mapped input/output to encrypt a file," Loman wrote in the report.

Researchers analyzed LockFile using a sample of the ransomware with the SHA-256 hash "bf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce" that they discovered on VirusTotal.

There they found the ransomware's main function, the first part of which initializes a crypto library that LockFile likely uses for its encryption functions, they said.


News URL

https://threatpost.com/lockfile-ransomware-avoid-detection/169042/