The LockFile ransomware family has made an impression in the relatively short amount of time it’s been around. The malware garnered a lot of attention over the past several months after being detected exploiting high-profile Microsoft vulnerabilities dubbed ProxyShell and PetitPortam.
Now security researchers with Sophos have found that the LockFile operators are using novel techniques to avoid detection. Among the methods is what is known as intermittent encryption, which helps the ransomware evade detection by making an encrypted document look very similar to the unencrypted original.
Intermittent encryption is not unusual, according to a blog post by Mark Loman, director of engineering at Sophos. Such ransomware as LockBit 2.0, DarkSide and BlackMatter all use the technique to encrypt part of the documents they target – in these cases the first 4,096 bytes, 512 KB and 1 MB, respectively. This enables them to complete the encryption stage of the attack more quickly.
LockFile’s Intermittent Encryption
“What sets LockFile apart is that it doesn’t encrypt the first few blocks,” Loman wrote. “Instead, LockFile encrypts every other 16 bytes of a document. This means that a text document, for instance, remains partially readable. There is an intriguing advantage to taking this approach: intermittent encryption skews statistical analysis and that confuses some protection technologies.”
Sophos researchers created graphical representations to show how the same text looks when encrypted by DarkSide ransomware and by LockFile (see image below). In the representations, the text file encrypted by LockFile looks very similar to the original text, with Loman writing that “this trick will be successful against ransomware protection software that performs content inspection with statistical analysis to detect encryption.”
Memory Mapped I/O
LockFile also uses a method called memory mapped input/output (I/O) to encrypt a file. The technique – which is similar to what was used by the Maze ransomware and less frequently by WastedLocker – enables the ransomware to transparently encrypt cached documents in memory. This forces the operating system to write the encrypted document, with little disk I/O that detection technologies normally would see.
“By leveraging memory mapped I/O, ransomware can more quickly access documents that were cached and let the Windows System process perform the write action,” he wrote. “By letting the System process perform the WriteFile operation, the actual encrypted bytes are written by the operating system itself – disjoined from the actual malicious process. … This trick alone can be successful in evading detection by some behavior-based anti-ransomware solutions.”
The use of memory mapped I/O is not common among ransomware families, though it has been done, Loman wrote.
No C2 Communication
In addition, the LockFile ransomware doesn’t need to contact a command-and-control (C2) server to communicate, yet another way it seeks to work undetected. It also means that it can encrypt data on systems that don’t have internet access.
Furthermore, the ransomware renames encrypted documents to lower case and adds a .lockfile extension, and its HTA ransom note looks similar to the one used by LockBit 2.
Finally, once all the files on a machine have been encrypted, LockFile deletes itself by issuing a command, which sends five IMP messages to the local host – itself. This enables a five-second sleep, giving the ransomware time to close itself before executing the command to delete the ransomware binary.
“This means that after the ransomware attack, there is no ransomware binary for incident responders or antivirus software to find or clean up,” Loman wrote.
Sophos researchers based their report on a sample of the ransomware that was uploaded to VirusTotal.
Anti-Detection Efforts Evolve
Anti-detection techniques are part of the larger cat-and-mouse game that cybersecurity professionals and bad actors play. With every advancement made by the security experts, cybercriminals try to work their way around it.
“Cybersecurity has always been akin to a game of chess between humans,” Oliver Tavakoli, chief technology officer with cybersecurity vendor Vectra, told eSecurity Planet. “With the high stakes involved today and the large windfalls possible, attackers will leave no stone unturned even if it gives them only a small and transient advantage. If leveraged appropriately, that advantage may still be worth hundreds of thousands of dollars.”
According to Sean Nikkel, senior cyberthreat intel analyst at Digital Shadows, a digital risk solutions vendor, it’s not unusual to see malware developers adjust to the market with new evasion techniques.
“Over the years, these developers continue to refine and adapt their wares to their own threat landscape,” Nikkel told eSecurity Planet. “In this cyber arms race, it’s realistically possible that the bad guys also have their intel on security tools and deploy countermeasures to be more effective in their attacks. Security companies will develop products to foil these countermeasures. Until law enforcement can take down these groups at large, it’ll continue to be a cat-and-mouse, tit-for-tat game, so long as it stays profitable for cybercriminals.”
Multiple Evasion Methods in Single Package
In the case of LockFile, the ransomware uses a number of evasion techniques that have been found in a number of other ransomware cases, he said.
“The random bits of encryption certainly are interesting, as Sophos found, because compared to other encryption techniques, a file could look just as modified as someone going back into a document to change a paragraph, statistically speaking,” Nikkel said.
He noted that while previous malware had used elements of this attack – i.e., using native machine processes to execute, deleting copies of itself, not beaconing to command-and-control infrastructure – “it’s interesting to see all of these features in one package. It puts the onus on defenders to also investigate more system processes that are performing this kind of behavior, which potentially means an increase in false positives and time to investigate.”
The challenge for enterprises is to stay on top of the security landscape and adapt accordingly, Chris Morales, CISO for cybersecurity firm Netenrich, told eSecurity Planet.
“Organizations need alignment with the reality of their attack surface,” Morales said. “Watching the endpoint is useless if an attack performs account takeover in Office365 … Alignment occurs by consistently evaluating detection-and-response capabilities as well as current environment state by using threat modeling and adversary emulation techniques.”
Companies need to “operationalize risk management,” he said. “Today risk management practices are qualitative and occur only a few times a year, if ever. Risk operationalization means continuous attack surface analysis to understand the current state of the environment and capabilities.”
Morales said businesses need to “effectively understand the time to compromise before an attack happens.”
Further reading: How Zero Trust Security Can Protect Against Ransomware