Last week we reported on the LockFile ransomware, which has been targeting Microsoft Exchange servers since July. This week, more information about the threat has emerged, giving a clearer picture of how the attacks work.
Security researchers at Sophos say LockFile has been targeting vulnerable Microsoft Exchange servers by exploiting the ProxyShell flaws in the platform. Once inside, it uses an “intermittent encryption” technique to evade security tools.
Specifically, LockFile encrypts only every other 16-byte block of a file, so that half of the file's bytes stay as plaintext. Many anti-ransomware tools cannot detect this: their statistical checks expect an encrypted file to look uniformly random, and a half-encrypted file does not. As Sophos points out, this method leaves the encrypted files looking statistically similar to unencrypted documents.
“We haven't seen intermittent encryption used before in ransomware attacks,” Mark Loman, director of engineering for next-gen technologies at Sophos, wrote.
Despite its novel encryption method, LockFile shares some traits with other ransomware. For example, it does not need to contact a command-and-control server, which removes one network signal that defenders could otherwise spot.
“Like WastedLocker and Maze ransomware, LockFile ransomware uses memory mapped input/output (I/O) to encrypt a file,” Loman wrote in the report. “This technique allows the ransomware to transparently encrypt cached documents in memory and causes the operating system to write the encrypted documents, with minimal disk I/O that detection technologies would spot.”
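The following is an added example, not code from the article or from Sophos, that simulates the two tricks described above on a throwaway file: encrypting only every other 16-byte block, and doing it in place through a memory-mapped file. It then measures how “encrypted” each result looks to a Shannon-entropy and chi-squared byte-frequency check, the kind of statistic anti-ransomware tools use. The SHA-256 counter keystream, the fixed nonce, the sample text and the “even blocks only” rule are illustrative assumptions, not LockFile's actual cipher or layout; the block rule is parameterised so other skip patterns can be tried.

```python
# Added example (not the article's or Sophos's code): intermittent,
# memory-mapped encryption and the statistics that make it hard to spot.
import hashlib
import math
import mmap
import os
import tempfile
from collections import Counter

BLOCK = 16

# Constructed sample plaintext: an English sentence repeated to 64 KiB.
SAMPLE_TEXT = (b"Quarterly revenue report: the regional office exceeded its "
               b"targets and the board approved the proposed budget. ")
PLAINTEXT = (SAMPLE_TEXT * (65536 // len(SAMPLE_TEXT) + 1))[:65536]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from SHA-256 (assumed for illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_in_place(path: str, key: bytes, intermittent: bool) -> None:
    """XOR the file with the keystream through a memory map.

    With intermittent=True only even-numbered 16-byte blocks are touched,
    so every other block of plaintext survives unchanged.  Writes land in
    the page cache and the OS flushes them to disk, which is the
    memory-mapped I/O pattern the report attributes to LockFile.
    """
    size = os.path.getsize(path)
    ks = keystream(key, b"fixed-nonce-for-demo", size)  # assumed nonce
    with open(path, "r+b") as fh, mmap.mmap(fh.fileno(), 0) as mm:
        for off in range(0, size, BLOCK):
            if intermittent and (off // BLOCK) % 2 == 1:
                continue  # skip: leave this block as plaintext
            end = min(off + BLOCK, size)
            mm[off:end] = bytes(a ^ b for a, b in zip(mm[off:end], ks[off:end]))
        mm.flush()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for ciphertext, roughly 4 to 5 for English."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-squared distance from a uniform byte distribution (255 degrees
    of freedom).  Random-looking data scores near 255; plaintext scores
    orders of magnitude higher."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def simulate(intermittent: bool, key: bytes = b"demo-key") -> dict:
    """Encrypt a temp copy of PLAINTEXT and return the bytes plus statistics."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(PLAINTEXT)
        encrypt_in_place(path, key, intermittent)
        with open(path, "rb") as fh:
            data = fh.read()
    finally:
        os.unlink(path)
    return {"data": data,
            "entropy": shannon_entropy(data),
            "chi2": chi_square_uniform(data)}


if __name__ == "__main__":
    print(f"plaintext          entropy={shannon_entropy(PLAINTEXT):.2f} "
          f"chi2={chi_square_uniform(PLAINTEXT):,.0f}")
    for mode in (False, True):
        r = simulate(intermittent=mode)
        print(f"intermittent={mode!s:5}  entropy={r['entropy']:.2f} "
              f"chi2={r['chi2']:,.0f}")
```

Running it shows the full-encryption case near 8.0 bits per byte with a chi-squared score in the low hundreds, while the intermittent case sits well below that and its chi-squared score stays much closer to the plaintext's. A detector that flags a write only when the buffer looks uniformly random will therefore miss the half-encrypted file, even though every other 16-byte block of it is unrecoverable without the key.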
It uses the Windows Management Instrumentation (WMI) command-line tool, WMIC, to terminate business-critical processes rather than killing them itself. With those processes gone, the files and databases they held open are unlocked and ready to be encrypted.
“By leveraging WMI, the ransomware itself is not directly associated with the abrupt termination of these typical business critical processes,” Sophos adds. “Terminating these processes will ensure that any locks on associated files/databases are released, so that these objects are ready for malicious encryption.”