Sophos Discovers New Ransomware TTPs: New LockFile Ransomware Avoids Detection by Using Intermittent File Encryption
Posted On Aug 31, 2021
A new study called "LockFile Ransomware's Box of Tricks: Intermittent Encryption and Evasion" reveals how LockFile ransomware operators encrypt alternate bundles of 16 bytes in a document to evade detection.
The new encryption approach, dubbed "intermittent encryption," allows the ransomware to avoid raising a red flag, according to Sophos specialists, because it is statistically very similar to the original unencrypted version.
According to Sophos experts, this is the first time this strategy has been seen in ransomware. Because only part of each file is encrypted, a partially legible text document stays statistically similar to the original.
This technique is aimed at ransomware detection software that relies on statistical analysis of file content to spot encryption. The LockFile ransomware seems to have appeared out of nowhere, and its creators have not shied away from exploiting newly disclosed and patched vulnerabilities, such as the ProxyShell flaws and the PetitPotam proof of concept. They also seem keen to use their new strategy of intermittently encrypting files to ensure the success of their attacks.
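To make the detection gap concrete, here is an added example (not code from Sophos, Comtech Systems, or LockFile itself) that simulates the effect on a constructed sample document. Seeded pseudo-random bytes stand in for cipher output, since an entropy measurement only cares that encrypted bytes look uniform. A whole-file entropy check with an assumed "near 8 bits per byte" threshold catches full encryption but not the alternating 16-byte pattern; a check that scores each 16-byte block separately and counts how many look random catches both. The thresholds (7.5 bits, 25% random blocks, more than 5 non-printable bytes per block) are assumptions chosen for the demonstration, not values from the Sophos report.

```python
import math
import random
from collections import Counter

BLOCK = 16  # the Sophos write-up describes alternating bundles of 16 bytes

# Constructed sample document (not a real file): repetitive English text.
SAMPLE_DOC = (
    b"Quarterly report: revenue grew 4% while operating costs stayed flat. "
    b"Management expects growth to continue through the next fiscal year.\n"
) * 40


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Plain text scores roughly 4-5; ciphertext sits near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _keystream(length: int, seed: int) -> bytes:
    # Seeded pseudo-random bytes stand in for real cipher output (assumption:
    # the statistics are what matter here, not the cipher).
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(length))


def simulate_full_encryption(data: bytes, seed: int = 1) -> bytes:
    """Every byte is replaced by uniformly random output."""
    ks = _keystream(len(data), seed)
    return bytes(a ^ b for a, b in zip(data, ks))


def simulate_intermittent_encryption(data: bytes, seed: int = 1) -> bytes:
    """Only every other 16-byte block is transformed; the rest stays in clear."""
    ks = _keystream(len(data), seed)
    out = bytearray(data)
    for start in range(0, len(data), 2 * BLOCK):  # blocks 0, 2, 4, ...
        for i in range(start, min(start + BLOCK, len(data))):
            out[i] ^= ks[i]
    return bytes(out)


def naive_detector(data: bytes, threshold: float = 7.5) -> bool:
    """Whole-file entropy check: 'near 8 bits per byte means encrypted'."""
    return shannon_entropy(data) >= threshold


def _looks_random(block: bytes) -> bool:
    # A block is random-looking when more than 5 of its bytes fall outside
    # printable ASCII (0x20-0x7E) and common whitespace.
    non_printable = sum(
        1 for b in block if not (0x20 <= b <= 0x7E or b in b"\t\n\r")
    )
    return non_printable > 5


def block_aware_detector(data: bytes, min_random_fraction: float = 0.25) -> bool:
    """Flags a file when a large share of its 16-byte blocks look random,
    however much the clear-text blocks pull the whole-file average down."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    random_blocks = sum(1 for b in blocks if _looks_random(b))
    return random_blocks / len(blocks) >= min_random_fraction


def compare() -> dict:
    """Run both detectors over the three variants.
    Returns label -> (entropy, naive_flagged, block_aware_flagged)."""
    variants = {
        "plain": SAMPLE_DOC,
        "full": simulate_full_encryption(SAMPLE_DOC),
        "intermittent": simulate_intermittent_encryption(SAMPLE_DOC),
    }
    return {
        name: (round(shannon_entropy(d), 2), naive_detector(d), block_aware_detector(d))
        for name, d in variants.items()
    }


if __name__ == "__main__":
    for name, (ent, naive, aware) in compare().items():
        print(f"{name:13s} entropy={ent:.2f}  naive={naive}  block_aware={aware}")
```

The intermittently encrypted variant lands well below the naive threshold because half of its bytes still follow the letter-frequency distribution of English text, while the per-block view shows roughly half the blocks as random-looking, which no ordinary document produces.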
The conclusion for defenders is that the cyberthreat landscape is always shifting, and attackers will take advantage of every opportunity or weapon they can to launch a successful attack. When it comes to security, it is all about being prepared for and robust against future attacks. This demands a combination of powerful, intelligent technologies and human detection and response.
New Sophos research includes the following:
To encrypt a file, LockFile ransomware uses a mechanism known as memory-mapped input/output (I/O). This lets the ransomware encrypt documents cached in the computer's memory discreetly, without generating the additional I/O telemetry that detection technology would otherwise pick up. WastedLocker and Maze malware have both used this approach.
Unlike other human-operated ransomware, LockFile does not need a connection to a command-and-control server. This reduces network traffic and lets the attack stay undetected for as long as possible. Once it has encrypted all of the files on the machine, the ransomware deletes itself.
This means there is no ransomware binary left for incident responders or endpoint protection software to find and remove after the attack. As an extra evasion strategy, LockFile also skips more than 800 different file types by extension, further confounding anti-ransomware safeguards.
Comtech Systems provides IT solutions, including infrastructure management and the associated security solutions. Comtech is partnered with Sophos, a leading IT security solutions provider. Sophos' latest news and information can be reached from our page with a single click. Get more interesting facts and your best deals from us.