New “LockFile” Ransomware Bypasses Security Protection Using Intermittent File Encryption
Threat Level Description
Threat Level: High – An attack is highly likely. Additional and sustainable protective security measures reflecting the broad nature of the threat combined with specific business and geographical vulnerabilities and judgments on acceptable risk.
We have observed that a new ransomware family with a set of methods that use “intermittent encryption” for getting beyond ransomware security, has been identified.
This ransomware, dubbed LockFile, exploits newly published holes, like ProxyShell and PetitPotam, to target Windows servers and spread file-encrypting malware that allows it to bypass ransomware defenses.
Ransomware operators commonly utilize partial encryption to speed up the encryption process. Such methods can be used to defeat ransomware protection software that uses statistical analysis to detect encryption by analyzing material. However “LockFile” is distinguished because it doesn’t encrypt the first few blocks, but encrypts every other 16 bytes of a document. This means that a file such as a text document remains partially readable and looks statistically like the original.
In addition, once installed, the malware uses the Windows Management Interface (WMI) to terminate critical services connected with virtualization software and databases, before encrypting critical files and objects and displaying a ransomware message that looks similar to LockBit 2.0’s.
Furthermore, after successfully encrypting all of the documents on the workstation, the ransomware deletes itself from the system, evading capture from incident responders and/or antivirus software.
- Microsoft Windows Systems
The guidelines below will help you protect against Ransomware and its associated security threats:
* Back up your data. The single biggest thing that will defeat ransomware is having a regularly updated backup.
* Consider enabling the “”””Show hidden file-extensions””””. One way that ransomware such as Cryptolocker frequently arrives is in a file that is named with the extension “.PDF.EXE”, counting on Window’s default behavior of hiding known file-extensions.
* Filter executable files in email. If your email gateway has the ability to filter files by extension, you may wish to deny mails sent with “.exe”, “”””.scr””””, “”””.bat”””” files, or to deny mails sent with files that have two file extensions, the last one being executable.
* Disable files running from AppData/LocalAppData folders. You can create rules within Windows or with Host Intrusion Prevention software, to disallow a particular, notable behavior used by ransomware, which is to run its executable from the App Data or Local App Data folders.
* Disable macros in Microsoft Office files. Most people may not be aware that Microsoft Office Files are like a file-system within a file system, which includes the ability to use a powerful scripting language to automate almost any action you could perform with a full executable file. By disabling macros in Office files, you deactivate the use of this scripting language.
* Do not open e-mail from unknown sources. Be suspicious of emails purporting to be from financial institution, government department, or other agency requesting account information, account verification or banking access credentials sush as usernames, passwords, PIN codes, and similar information. Opening file attachments od clicking on web links in suspicious emails could expose your system to malicious code that could hijack your computer.
* Never respond to a suspicious email or click on any hyperlink embedded in a suspicious email. Call the purported source if you are unsure who sent an email.
* If an email claiming to be from your financial organization seems suspicious, checking with your financial organization may be appropriate.
* Keep your antivirus up to date and use real time protection.
* It is also recommended to implement a Security Awareness program, addressed to all your management and staff, designed to increase the level of understanding regarding Social Engineering and security threats in general.
Finally, in case that a system is compromised, it should be immediately removed from the network.