First Ransomware to Use Intermittent Encryption Revealed

Sophos revealed that a recently discovered ransomware family called LockFile is the first to use a technique called intermittent encryption to evade detection.

Symantec reported on August 20 that LockFile had been targeting organizations in the "manufacturing, financial services, engineering, legal, business services, and travel and tourism sectors" since at least July 20. But the company offered limited information about how LockFile spread or how it actually encrypted victims' files.

Security researcher Kevin Beaumont then revealed that LockFile exploited ProxyShell, a suite of vulnerabilities in Microsoft Exchange disclosed by Devcore researcher Orange Tsai at Pwn2Own 2021 in April, which offered some insight into how the ransomware enables the PetitPotam attack it uses to take over servers.

Ransomware exploiting publicly disclosed vulnerabilities to conduct a well-known attack on Exchange servers isn't particularly novel. That's where Sophos comes in. The company said that LockFile is the first ransomware it's encountered that uses intermittent encryption to prevent security tools from detecting its activity.

"Intermittent encryption helps the ransomware to evade detection by some ransomware protection solutions because an encrypted document looks statistically very similar to the unencrypted original," Sophos said, which means LockFile can encrypt its victims' files without having to worry about those security tools.

Here's how Sophos explained what sets LockFile's encryption method apart:

"An unencrypted text file of 481 KB (say, a book) has a chi^2 score of 3850061. If the document was encrypted by DarkSide ransomware, it would have a chi^2 score of 334 – which is a clear indication that the document has been encrypted. If the same document is encrypted by LockFile ransomware, it would still have a significantly high chi^2 score of 1789811. [...] This trick will be successful against ransomware protection software that performs content inspection with statistical analysis to detect encryption."

Sophos revealed other tricks LockFile uses to evade detection, including deleting itself to make it more difficult to analyze, but the use of intermittent encryption is what makes the ransomware unique. The best way to protect a server from LockFile is to patch the ProxyShell vulnerabilities and defend against the PetitPotam attack.