Researchers have identified a new ransomware family that emerged in the wake of the ProxyShell vulnerabilities in Microsoft Exchange servers. The threat, dubbed LockFile, uses a novel "intermittent encryption" technique to evade detection and borrows tactics from earlier ransomware gangs.
Researchers from Sophos first observed the threat in July; it exploits the ProxyShell vulnerabilities in Microsoft Exchange servers to gain initial access to victim systems.
Ransomware Protection
LockFile encrypts every other 16 bytes of a file, which means some ransomware protection solutions don't notice it because "an encrypted document looks statistically very similar to the unencrypted original," Mark Loman, Director of Engineering for Next-Gen Technologies at Sophos, wrote in a report on LockFile published last week.
“We haven’t seen intermittent encryption used before in ransomware attacks,” he wrote.
PetitPotam NTLM Relay
The ransomware operators first exploit unpatched ProxyShell flaws and then use what is known as a PetitPotam NTLM relay attack to seize control of the victim's domain, the researchers explained.
In this type of attack, a threat actor abuses Microsoft's Encrypting File System Remote Protocol (MS-EFSRPC) to coerce a server, typically a domain controller, into authenticating to an attacker-controlled host. The attacker then relays that NTLM authentication to another service, which treats the attacker as the legitimately authenticated machine account and grants access accordingly, Sophos researchers described in an earlier report.
Cached Documents
LockFile also shares attributes with earlier ransomware and uses other tactics, such as never connecting to a command-and-control (C2) server, to keep its activity hidden, researchers found.
"Like WastedLocker and Maze ransomware, LockFile ransomware uses memory mapped input/output (I/O) to encrypt a file," Loman wrote in the report. "This technique allows the ransomware to transparently encrypt cached documents in memory and causes the operating system to write the encrypted documents, with minimal disk I/O that detection technologies would spot."
Three Functions
Researchers analysed LockFile using a sample with the SHA-256 hash "bf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce" that they found on VirusTotal. At first glance, the sample appears to have only three functions and three sections.
The first section, named OPEN, contains no data, only zeroes, the researchers stated. It is the second section, CLSE, that holds the sample's three functions. The rest of that section's data is encoded code that is decoded at run time and written into the OPEN section, and it is this decoded code that the researchers examined in depth.
CLSE Section
"The entry() function is simple and calls FUN_1400d71c0()," researchers wrote. "The FUN_1400d71c0() function decodes the data from the CLSE section and puts it in the OPEN section. It also resolves the necessary DLLs and functions. Then it manipulates the IMAGE_SCN_CNT_UNINITIALIZED_DATA values and jumps to the code placed in the OPEN section."
Researchers used WinDbg and its .writemem command to dump the decoded OPEN section to disk so they could analyse the code statically in Ghidra, the open-source reverse-engineering tool.
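To make that section layout concrete, the following Python is an added example (not Sophos's tooling and not code from the LockFile sample) that walks a PE section table and flags a section that is executable and writable but has no file-backed content, which is exactly what OPEN looks like on disk before the stager fills it. It builds a constructed minimal PE32+ image in memory so it runs offline; the section characteristics, the made-up third section name .rdata and all byte contents are assumptions, not values taken from the sample.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table and
    return one dict per section, including the raw bytes backing it on disk."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        (name, vsize, vaddr, raw_size, raw_ptr,
         _reloc, _lines, _nreloc, _nlines, chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": raw_size,
            "characteristics": chars,
            "raw": pe[raw_ptr:raw_ptr + raw_size],
        })
    return sections


def triage(sections: list) -> list:
    """Flag sections whose on-disk content cannot be what executes at run time.
    A writable, executable section with a non-zero virtual size but all-zero
    (or absent) raw data is a landing zone for code decoded later, like OPEN."""
    findings = []
    for s in sections:
        c = s["characteristics"]
        executable = bool(c & IMAGE_SCN_MEM_EXECUTE)
        writable = bool(c & IMAGE_SCN_MEM_WRITE)
        empty_on_disk = s["raw_size"] == 0 or not any(s["raw"])
        if executable and writable and empty_on_disk and s["virtual_size"] > 0:
            findings.append((s["name"], "RWX section with no file-backed content; code is placed here at run time"))
        elif executable and (c & IMAGE_SCN_CNT_UNINITIALIZED_DATA):
            findings.append((s["name"], "executable section marked as uninitialised data"))
    return findings


def build_sample_pe() -> bytes:
    """Constructed minimal PE32+ image with three sections in the layout the
    report describes: OPEN (zeroes, RWX), CLSE (opaque bytes, executable) and a
    made-up .rdata section. Not the LockFile binary; the optional header is
    zero-filled because the section-table walk never reads its fields."""
    size_of_optional = 240                       # PE32+ optional header size
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)        # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, size_of_optional, 0x0022)
    raw_base = 512                               # first raw-data offset (file alignment)
    encoded = bytes((i * 73 + 11) & 0xFF for i in range(512))   # stand-in for the encoded payload
    rdata = b"constructed read-only data".ljust(512, b"\0")
    entries = [
        (b"OPEN", 0x1000, 0x1000, 512, raw_base,
         IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
        (b"CLSE", 0x200, 0x2000, 512, raw_base + 512,
         IMAGE_SCN_CNT_CODE | IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
        (b".rdata", 0x200, 0x3000, 512, raw_base + 1024,
         IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    ]
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr, rsize, rptr, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rsize, rptr, chars in entries
    )
    image = bytes(dos) + b"PE\0\0" + coff + bytes(size_of_optional) + table
    image += bytes(raw_base - len(image))        # pad headers up to the first raw-data offset
    return image + bytes(512) + encoded + rdata  # OPEN is all zeroes on disk


if __name__ == "__main__":
    for name, reason in triage(parse_sections(build_sample_pe())):
        print(f"{name}: {reason}")
```

Run against a real binary, only the call to parse_sections changes: read the file and pass the bytes. The triage rule deliberately keys on the combination of flags and empty raw data rather than on the section names, since names like OPEN and CLSE are trivially changed between builds.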
Main Function
There they found the ransomware's main function, the first part of which initialises a crypto library that LockFile likely uses for its encryption routines, they outlined.
The ransomware then uses the Windows Management Instrumentation (WMI) command-line tool WMIC.EXE, which ships with every Windows installation, to terminate all processes with vmwp (the Hyper-V virtual machine worker process) in their name, repeating the step for other business-critical processes associated with virtualisation software and databases, researchers observed.
Critical Processes
"By using WMI, the ransomware itself is not directly associated with the abrupt termination of these typical business critical processes," they stated. "Terminating these processes will ensure that any locks on associated files/databases are released, so that these objects are ready for malicious encryption."
LockFile renames encrypted documents to lower case, appends a .lockfile extension and drops an HTML Application (HTA) ransom note that looks very similar to that of LockBit 2.0, researchers explained.
"In its ransom note, the LockFile adversary asks victims to contact a specific e-mail address: contact[@]contipauper.com," they outlined, adding that the domain name, which appears to have been registered on Aug. 16, seems to be a "derogatory reference" to the Conti gang, a still-active and competing ransomware group.
Intermittent Encryption
What most defines and differentiates LockFile from its competitors is not that it implements partial encryption per se, since LockBit 2.0, DarkSide and BlackMatter ransomware all do this, according to researchers. What sets LockFile apart is how it applies partial encryption, in a way that had not been observed in ransomware before, Loman suggested.
“What sets LockFile apart is that it doesn’t encrypt the first few blocks,” he wrote. “Instead, LockFile encrypts every other 16 bytes of a document. This means that a text document, for instance, remains partially readable.”
The "intriguing advantage" of this approach is that it can elude ransomware protection technologies that rely on chi-squared (chi^2) analysis of byte frequencies. A fully encrypted file has a near-uniform byte distribution and therefore a very low chi^2 score against the uniform expectation, whereas natural text scores very high. Leaving every other 16-byte block in plaintext keeps the mixed file's score far closer to the original's, so a detector that keys on the sharp drop toward uniformity is not triggered.
Chi-Squared Scores
“An unencrypted text file of 481 KB (say, a book) has a chi^2 score of 3850061,” Loman explained. “If the document was encrypted by DarkSide ransomware, it would have a chi^2 score of 334 – which is a clear indication that the document has been encrypted. If the same document is encrypted by LockFile ransomware, it would still have a significantly high chi^2 score of 1789811.”
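The comparison Loman describes can be reproduced with the following Python, an added example that is not from the Sophos report or the LockFile code. It scores the byte histogram of a constructed text against a uniform distribution, then encrypts the same text fully and in alternating 16-byte blocks and scores both results. The stream cipher is a SHA-256 counter-mode keystream standing in for whatever library LockFile uses, the choice to start encrypting at offset 0 is an assumption, and the detector threshold of 1000 is an illustrative value, not one taken from any product.

```python
import hashlib
from collections import Counter

# Constructed English-like text standing in for the 481 KB book in the report.
SAMPLE_TEXT = (
    b"The incident response team collected memory and disk images from every "
    b"Exchange server in the estate before the domain controllers were rebuilt. "
    b"Each file share was checked for renamed documents and dropped ransom notes, "
    b"and the backup catalogue was compared against the last known good snapshot.\n"
) * 256


def chi_squared(data: bytes) -> float:
    """Pearson chi^2 of the byte histogram against a uniform expectation.
    Uniform (well-encrypted) bytes score near 255, the degrees of freedom,
    whatever the file size; natural-language text scores orders of magnitude higher."""
    if not data:
        raise ValueError("empty input")
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def _keystream(key: bytes, length: int) -> bytes:
    """Deterministic pseudorandom keystream: SHA-256 over key || counter.
    A stand-in cipher for the demonstration, not LockFile's implementation."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + block.to_bytes(8, "little")).digest()
        block += 1
    return bytes(out[:length])


def encrypt_full(data: bytes, key: bytes) -> bytes:
    """Encrypt every byte of the input: the fully-encrypted baseline."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def encrypt_intermittent(data: bytes, key: bytes, block: int = 16) -> bytes:
    """Encrypt alternate `block`-byte chunks starting at offset 0 (assumed),
    leaving the chunks in between as plaintext, so text stays partly readable."""
    ks = _keystream(key, len(data))
    out = bytearray(data)
    for start in range(0, len(data), 2 * block):
        for i in range(start, min(start + block, len(data))):
            out[i] ^= ks[i]
    return bytes(out)


def flags_as_encrypted(data: bytes, threshold: float = 1000.0) -> bool:
    """Naive detector: a file whose chi^2 falls below `threshold` is treated as
    encrypted. The threshold is illustrative; any rule keyed on the drop toward
    uniformity has the same blind spot."""
    return chi_squared(data) < threshold


def compare(key: bytes = b"constructed-demo-key") -> dict:
    """Score the same text unencrypted, fully encrypted and intermittently encrypted."""
    return {
        "plain": chi_squared(SAMPLE_TEXT),
        "full": chi_squared(encrypt_full(SAMPLE_TEXT, key)),
        "intermittent": chi_squared(encrypt_intermittent(SAMPLE_TEXT, key)),
    }


if __name__ == "__main__":
    for label, score in compare().items():
        print(f"{label:13s} chi^2 = {score:12.0f}")
```

With half of the bytes left untouched, the intermittent score lands at roughly a quarter of the plaintext score rather than near 255, which is why a threshold tuned to catch fully encrypted output never fires. A detector that instead compares the histogram of a file against a known-good baseline of the same file, or that scores 16-byte windows independently, does not share this weakness.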
PING Command
Once it has encrypted all the documents on the machine, LockFile removes itself, using a PING command as a delay before deleting its own binary, researchers suggested. "This means that after the ransomware attack, there is no ransomware binary for incident responders or antivirus software to find or clean up," they concluded.
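The two behaviours above, WMIC-driven process termination and a ping-then-delete clean-up, still leave process-creation telemetry behind even once the binary is gone. The following Python is an added detection example, not code from Sophos or from LockFile: it runs two rules over constructed process-creation records. The `wmic process where "name like '%...%'" call terminate` filter syntax is standard WMIC; the list of business-critical process names beyond vmwp, the exact ping-and-del command line and the record format are assumptions made for the example.

```python
import re

# Constructed process-creation records (a simplified shape of Sysmon event ID 1
# or Windows 4688 telemetry); none of these are real observations.
EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic process where \"name like '%vmwp%'\" call terminate"},
    {"pid": 4124, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic process where \"name like '%sqlservr%'\" call terminate"},
    {"pid": 4130, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic os get caption"},
    {"pid": 4140, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c ping 127.0.0.1 -n 5 > nul & del /f /q "C:\Users\Public\lf.exe"'},
    {"pid": 4150, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c ping -n 4 10.0.0.5"},
]

# WMIC 'process where ... call terminate' with a LIKE filter; group 1 is the
# substring being matched (vmwp in the report).
WMIC_TERMINATE = re.compile(
    r"wmic\s+process\s+where\s+.*?name\s+like\s+'%([^%']+)%'.*?call\s+terminate", re.I)

# ping used as a sleep, then del of a file in the same cmd invocation: the
# usual self-deletion idiom (assumed form; the report only says a PING command).
PING_THEN_DELETE = re.compile(r"\bping\b.*?\s&{1,2}\s*del\s+", re.I)

# Processes whose termination releases file locks on VMs and databases. vmwp
# (the Hyper-V worker process) is from the report; the others are assumed examples.
BUSINESS_CRITICAL = ("vmwp", "vmms", "vmware", "sqlservr", "sqlwriter", "oracle", "mysqld", "postgres")


def detect(events) -> list:
    """Return one alert per matching record with rule name, pid and detail."""
    alerts = []
    for ev in events:
        cmd = ev["cmdline"]
        m = WMIC_TERMINATE.search(cmd)
        if m:
            target = m.group(1).lower()
            alerts.append({
                "rule": "wmic_process_terminate",
                "pid": ev["pid"],
                "target": target,
                "critical": any(name in target for name in BUSINESS_CRITICAL),
            })
            continue
        if PING_THEN_DELETE.search(cmd):
            alerts.append({"rule": "ping_then_delete", "pid": ev["pid"], "target": None, "critical": False})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Because WMIC performs the kill on the malware's behalf, the terminated processes' parent is WmiPrvSE.exe rather than the ransomware, so the command line of the WMIC invocation, not the termination event, is the thing to alert on. The ping-then-delete rule is noisy in isolation; in practice it is most useful correlated with the WMIC alerts or with a burst of file renames from the same host.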