LockFile Ransomware

  • Published: Tuesday, Aug. 31, 2021

There's a new ransomware family on the criminal block with a new trick up its sleeve to evade ransomware defenses. LockFile uses intermittent encryption by scrambling alternate 16 bytes of a file.

Other ransomware crooks use a method that will encrypt the first few blocks. The LockFile technique will let a text document remain partially readable and therefore fool many ransomware detection systems into thinking a file is intact.

LockFile will terminate critical processes through the Windows Management Interface and then proceed to encrypt files. Then it will deliver the ransom note. After that, LockFile will delete itself from the system.

First seen July 20, 2021, this variant gained access to victims' networks through Microsoft Exchange Servers and then used the PetitPotam vulnerability to gain further access.

Ensure that the necessary patches are in place to avoid falling victim to this devastating activity. CVE-2021-36942

ProxyShell security patches have shipped with May and July Windows security updates (CVE-2021-31207, CVE-2021-34473, and CVE-2021-34523).

Resources