Cyber criminals, always a clever lot, have found a new way to evade detection when deploying malware.
It’s known as “intermittent encryption” and researchers from Sophos recently discovered Lockfile encrypts alternate bundles of 16 bytes in a document to stay hidden. This novel approach helps the ransomware to avoid triggering a red flag because the new encryption method looks statistically very similar to the unencrypted original.
“They don’t encrypt entire files, they do 16 bytes and then skip 16 bytes. This messes with g-squared process,” says Mark Loman, Director, Engineering, for Next-Gen Technologies at Sophos.
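To make the statistical point concrete, here is an added Python example (my code, not Sophos's analysis): it computes a chi-squared test of byte frequencies, a standard way detection tools tell encrypted content from plaintext, and models the described pattern by replacing every other 16-byte block of a constructed sample document with random bytes as a stand-in for ciphertext. The interleaved-halves check at the end is my own illustrative assumption, not a detection method described on the page.

```python
import random

BLOCK = 16  # the 16-byte stride described in the article

# Constructed sample document standing in for a plaintext file.
SAMPLE_PLAINTEXT = (
    b"Quarterly report: revenue grew 12% while costs fell. See appendix B.\n" * 60
)


def chi_squared(data: bytes) -> float:
    """Chi-squared statistic of byte frequencies against a uniform distribution.

    Text scores high (a few byte values dominate); random or encrypted bytes
    score close to 255, the degrees of freedom for 256 symbols.
    """
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def random_bytes(n: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext (seeded so results are reproducible)."""
    return random.Random(seed).randbytes(n)


def simulate_intermittent(data: bytes, seed: int = 1) -> bytes:
    """Model the described pattern: every other 16-byte block is replaced by
    random bytes (a stand-in for ciphertext); the blocks in between are untouched."""
    rng = random.Random(seed)
    out = bytearray(data)
    for off in range(0, len(data), 2 * BLOCK):
        end = min(off + BLOCK, len(data))
        out[off:end] = rng.randbytes(end - off)
    return bytes(out)


def interleaved_halves(data: bytes) -> tuple[bytes, bytes]:
    """Split a file into its even-numbered and odd-numbered 16-byte blocks."""
    even = b"".join(data[i:i + BLOCK] for i in range(0, len(data), 2 * BLOCK))
    odd = b"".join(data[i:i + BLOCK] for i in range(BLOCK, len(data), 2 * BLOCK))
    return even, odd


def looks_intermittently_encrypted(data: bytes, random_cutoff: float = 400.0) -> bool:
    """Illustrative check (an assumption, not a documented detection): score each
    interleaved half separately. Plaintext leaves both halves skewed, full
    encryption makes both near-uniform, but alternating encryption leaves exactly
    one half near-uniform (below the cutoff) and the other skewed."""
    even, odd = interleaved_halves(data)
    return (chi_squared(even) < random_cutoff) != (chi_squared(odd) < random_cutoff)
```

Scoring the whole file shows why the trick works: the intermittently encrypted copy still scores far closer to the plaintext than a fully encrypted one does, so a single whole-file threshold tuned for full encryption does not fire.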
This is the first time that Sophos researchers have seen this approach used in ransomware.
LockFile first emerged in July, following the April discovery of the ProxyShell vulnerabilities in Microsoft Exchange servers. LockFile ransomware appears to exploit the ProxyShell vulnerabilities to attack targets with unpatched, on-premises Microsoft Exchange servers. The ransomware uses memory-mapped input/output (I/O) to encrypt a file, which lets it transparently encrypt cached documents in memory and leaves it to the operating system to write the encrypted documents back to disk, with little of the disk I/O that detection technologies would otherwise spot.
“They make efficient use of all the optimizations that the operating system has built in, and they leverage these two to encrypt it and to attack your system and data,” says Loman.
The ransomware also doesn’t need to connect to a command-and-control server to communicate, which is another way it stays under the radar. Researchers have also discovered that LockFile renames encrypted documents to lower case and adds a .lockfile file extension, and that its HTA ransom note looks very similar to that of LockBit 2.0.
How to Protect Yourself
With such small odds of being able to detect this particular kind of ransomware, what kind of strategic and tactical measures should organizations put in place? Loman says that while the malware is using a novel technique, the prevention advice is not new.
“You still need a multilayered approach to protect yourself,” he says.
That multilayered approach should include close monitoring of what is happening on your systems and full asset management for visibility, because the adversary will try to target an unprotected machine. Loman also suggests security teams get proactive and hunt for malicious activity rather than waiting for it to reveal itself. He suggests assigning one or two people to monitor logins and take appropriate action before ransomware strikes.
“The ransomware epidemic has become a big problem. Everyone says you need backups. But you need to store them offline because attackers will hunt for them online and destroy before they encrypt. You need to be prepared for how you are going to defend against these as a business. How prepared you are will determine how well it goes for you if you are attacked.”
Learn more about multilayered endpoint protection against ransomware by visiting Sophos.com.