Sophos Breaking News: New ransomware relies on ProxyShell
Sophos discovers new ransomware TTPs: New LockFile Ransomware uses intermittent file encryption to avoid detection
LockFile is a new family of ransomware that emerged in July 2021 following the discovery in April 2021 of ProxyShell vulnerabilities in Microsoft Exchange servers.
OXFORD, UK, August 27, 2021 (GLOBE NEWSWIRE) – Sophos, a global leader in next-generation cybersecurity, has released a new study, “LockFile Ransomware’s Box of Tricks: Intermittent Encryption and Evasion,” which reveals how the operators behind LockFile ransomware encrypt alternating 16-byte blocks of a document to evade detection. According to Sophos researchers, this approach, which Sophos calls “intermittent encryption,” helps the ransomware avoid raising a red flag because the partially encrypted file is statistically very similar to the unencrypted original. This is the first time Sophos researchers have seen this approach used in ransomware.
“Partial encryption is typically used by ransomware operators to speed up the encryption process, and we have seen BlackMatter, DarkSide and LockBit 2.0 implement this technique,” said Mark Loman, director of engineering at Sophos. “What sets LockFile apart is that, unlike the others, it doesn’t encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document. This means that a file such as a text document remains partially readable and statistically resembles the original. This trick may be effective against ransomware detection software that relies on inspecting content using statistical analysis to detect encryption.
“The LockFile ransomware apparently emerged out of nowhere, and the operators behind it were quick to exploit recently released and patched vulnerabilities – from the ProxyShell bugs to the recently released PetitPotam proof of concept. They also seem keen to take advantage of their new approach of intermittently encrypting files to keep their attacks working. The message here for defenders is that the cyber threat landscape never stands still, and adversaries will quickly seize any opportunity or tool possible to launch a successful attack. Security means being prepared for and resisting the attacks of tomorrow. It requires deep and intelligent technologies, as well as human detection and response.”
The following visual comparison (the axis represents the distribution of text characters) shows the same text document encrypted by DarkSide and LockFile: https://www.globenewswire.com/NewsRoom/AttachmentNg/0938d80d-8d9a-4d82-aeba-6f42dbfeac41
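To make the statistical point concrete, the following Python example (added here; it is not code from the Sophos study or from LockFile) models a document in which every other 16-byte block is replaced by random bytes standing in for ciphertext, shows that a whole-file chi-square check classifies it as plaintext, and shows that measuring the same statistic separately over even- and odd-numbered blocks exposes the alternation. The constructed sample text, the use of a seeded PRNG instead of a cipher, and the two thresholds are assumptions.

```python
import math
import random
from collections import Counter

BLOCK = 16  # LockFile's alternation unit, as described in the Sophos report
# Constructed plaintext sample: 3440 bytes, i.e. exactly 215 whole 16-byte blocks.
SAMPLE = (b"The quick brown fox jumps over the lazy dog. "
          b"Pack my box with five dozen liquor jugs. ") * 40

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def chi_square_uniform(data: bytes) -> float:
    """Chi-square vs. a uniform byte distribution: ciphertext ~255, text in the thousands."""
    counts, expected = Counter(data), len(data) / 256
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))

def random_bytes(n: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext; no real cipher is involved."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))

def full_encrypt_model(data: bytes) -> bytes:
    """Conventional ransomware model: every byte becomes ciphertext."""
    return random_bytes(len(data), seed=1)

def intermittent_model(data: bytes) -> bytes:
    """LockFile layout model: blocks 1, 3, 5, ... replaced; blocks 0, 2, 4, ... kept."""
    out = bytearray(data)
    for off in range(BLOCK, len(data), 2 * BLOCK):
        out[off:off + BLOCK] = random_bytes(min(BLOCK, len(data) - off), seed=off)
    return bytes(out)

def stride_entropy(data: bytes, size: int = BLOCK) -> tuple:
    """Entropy of even-numbered blocks and odd-numbered blocks, measured separately;
    a wide gap is the fingerprint that whole-file statistics smooth away."""
    blocks = [data[i:i + size] for i in range(0, len(data), size)]
    return entropy(b"".join(blocks[0::2])), entropy(b"".join(blocks[1::2]))

def classify(data: bytes, chi_limit: float = 400.0, gap_limit: float = 2.0) -> str:
    """Whole-file chi-square first, then the block-stride gap (thresholds are assumptions)."""
    if chi_square_uniform(data) < chi_limit:
        return "encrypted (whole-file statistics)"
    even, odd = stride_entropy(data)
    if abs(even - odd) > gap_limit:
        return "intermittently encrypted (block-stride statistics)"
    return "plaintext"
```

Calling `classify()` on `SAMPLE`, `full_encrypt_model(SAMPLE)` and `intermittent_model(SAMPLE)` gives the three different verdicts; the whole-file check alone would have lumped the intermittent case in with plaintext.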
Other key findings detailed in the new Sophos study include:
- LockFile ransomware uses a relatively rare technique called “memory-mapped input/output (I/O)” to encrypt a file. This allows the ransomware to encrypt documents transparently through the operating system's memory cache, without generating the additional file I/O telemetry that detection technologies watch for. This technique has also been used by WastedLocker and Maze ransomware.
- As with other human-operated ransomware, LockFile does not need to connect to a command-and-control server to communicate. This reduces network traffic and helps keep attack activity below the detection radar for as long as possible. Once the ransomware has encrypted all documents on the machine, it deletes itself. This means that after the attack there is no ransomware binary for incident responders or endpoint protection software to find or clean up.
- As an additional evasion technique, LockFile avoids encrypting some 800 different file types, identified by extension, further complicating some anti-ransomware protections.
Sophos recommends the following best practices to help defend against LockFile and other types of ransomware, and associated cyber attacks:
- At the strategic level:
- Deploy layered protection. As more and more ransomware attacks also involve extortion, it’s more important than ever to prevent adversaries from getting in in the first place. Use layered protection to block attackers at as many points as possible across the environment.
- Combine human experts with anti-ransomware technology. The key to stopping ransomware is defense in depth that combines dedicated anti-ransomware technology and human-led threat hunting. Technology provides the scale and automation an organization needs, while human experts are best placed to spot the tell-tale tactics, techniques and procedures that indicate an attacker is attempting to enter the environment. If organizations don’t have the skills in-house, they need to bring in cybersecurity specialists.
- At the daily tactical level:
- Monitor and respond to alerts – Ensure that the appropriate tools, processes and resources (people) are available to monitor, investigate and respond to threats observed in the environment. Ransomware attackers often schedule their strike during off-peak hours, weekends or holidays, assuming little or no staff are monitoring.
- Set and enforce strong passwords – Strong passwords are one of the first lines of defense. Passwords should be unique or complex and never be reused. This is easier to achieve if you provide staff with a password manager that can store their credentials.
- Use multi-factor authentication (MFA) – Even strong passwords can be compromised. Any form of multi-factor authentication is better than none for securing access to critical resources such as email, remote management tools and network assets.
- Lock down accessible services – Perform external scans of your organization’s network and identify and lock down the ports commonly used by VNC, RDP or other remote access tools. If a machine needs to be reached with a remote management tool, place that tool behind a VPN or a zero-trust network access solution that uses MFA as part of its connection.
- Practice segmentation and zero trust – Separate critical servers from each other and from workstations by placing them in separate VLANs as you work towards a zero-trust network model.
- Perform offline backups of information and applications – Keep backups up to date and keep a copy offline.
- Inventory your assets and accounts – Unprotected and unpatched network devices increase risk and create a situation where malicious activity could go unnoticed. Having an up-to-date inventory of all connected computers and IoT devices is essential. Use network scans and physical checks to locate and catalog them.
- Make sure security products are configured correctly – Under-protected systems and devices are also vulnerable. It is important to make sure that security solutions are configured correctly and to review and, if necessary, update security policies regularly. New security features are not always enabled automatically.
- Audit Active Directory (AD) – Perform regular audits of all accounts in AD, ensuring that none has more access than necessary for its purpose. Deactivate accounts of departing employees as soon as they leave the company.
- Patch everything – Keep Windows and other software up to date. This also means double-checking that patches were installed correctly and, in particular, are in place for critical systems such as internet-facing machines and domain controllers.
Sophos security solutions, such as Sophos Firewall and Intercept X, protect users by detecting malicious activity and the actions and behaviors of ransomware and other attacks. The act of attempting to encrypt files is blocked by Intercept X’s CryptoGuard feature, and clients running properly configured Intercept X products are protected against this new ransomware.
To learn more, please read the LockFile article on SophosLabs Uncut.
- Tactics, techniques and procedures (TTPs) and more for different types of threats can be found on SophosLabs Uncut, which provides the latest threat intelligence from Sophos.
- Information on attacker behavior, incident reports and tips for security operations professionals can be found at Sophos News SecOps.
- Learn more about the Sophos Rapid Response service, which contains, neutralizes and investigates attacks 24/7.
- Top four tips for responding to a security incident from Sophos Rapid Response and the Managed Threat Response team.
- Read the latest security news and advisories on the award-winning Sophos Naked Security news site and on Sophos News.
Sophos is a global leader in next-generation cybersecurity, protecting more than 500,000 organizations and millions of consumers in more than 150 countries from today’s most advanced cyber threats. Leveraging threat intelligence, AI and machine learning from SophosLabs and Sophos AI, Sophos offers a wide range of advanced products and services to secure users, networks and endpoints against ransomware, malware, exploits, phishing and the wide array of other cyberattacks. Sophos provides a single integrated cloud management console, Sophos Central – the centerpiece of an adaptive cybersecurity ecosystem that includes a centralized data lake that leverages a rich set of open APIs available to customers, partners, developers and other cybersecurity vendors. Sophos sells its products and services through reseller partners and Managed Service Providers (MSPs) around the world. Sophos is headquartered in Oxford, UK. More information is available at www.sophos.com.