SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lockfile (Back to overview)

LockFile

A ransomware first observed in July 2021.

References
2022-06-23SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220623:bronze:8bccd74, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}}, date = {2022-06-23}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader}, language = {English}, urldate = {2022-09-20} } BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-04-20Bleeping ComputerBill Toulas
@online{toulas:20220420:microsoft:c1073df, author = {Bill Toulas}, title = {{Microsoft Exchange servers hacked to deploy Hive ransomware}}, date = {2022-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/}, language = {English}, urldate = {2022-04-24} } Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-10-27Avast DecodedAvast
@online{avast:20211027:avast:6b44ea1, author = {Avast}, title = {{Avast releases decryptor for AtomSilo and LockFile ransomware}}, date = {2021-10-27}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/}, language = {English}, urldate = {2021-11-08} } Avast releases decryptor for AtomSilo and LockFile ransomware
ATOMSILO LockFile
2021-09-26NSFOCUSJie Ji
@online{ji:20210926:insights:51c06b8, author = {Jie Ji}, title = {{Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2}}, date = {2021-09-26}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/}, language = {English}, urldate = {2021-11-25} } Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2
Cobalt Strike LockFile
2021-08-30CSO OnlineLucian Constantin
@online{constantin:20210830:lockfile:f792736, author = {Lucian Constantin}, title = {{LockFile ransomware uses intermittent encryption to evade detection}}, date = {2021-08-30}, organization = {CSO Online}, url = {https://www.csoonline.com/article/3631517/lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html}, language = {English}, urldate = {2021-08-31} } LockFile ransomware uses intermittent encryption to evade detection
LockFile
2021-08-28The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20210828:lockfile:aa9e07a, author = {Ravie Lakshmanan}, title = {{LockFile Ransomware Bypasses Protection Using Intermittent File Encryption}}, date = {2021-08-28}, organization = {The Hacker News}, url = {https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html}, language = {English}, urldate = {2021-08-31} } LockFile Ransomware Bypasses Protection Using Intermittent File Encryption
LockFile
2021-08-27SophosMark Loman
@online{loman:20210827:lockfile:cc8483f, author = {Mark Loman}, title = {{LockFile ransomware’s box of tricks: intermittent encryption and evasion}}, date = {2021-08-27}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/08/27/lockfile-ransomwares-box-of-tricks-intermittent-encryption-and-evasion/}, language = {English}, urldate = {2021-08-30} } LockFile ransomware’s box of tricks: intermittent encryption and evasion
LockFile
2021-08-25Cybleinccybleinc
@online{cybleinc:20210825:lockfile:0bc870f, author = {cybleinc}, title = {{​LockFile Ransomware: Exploiting Microsoft Exchange Vulnerabilities Using ProxyShell}}, date = {2021-08-25}, organization = {Cybleinc}, url = {https://blog.cyble.com/2021/08/25/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/}, language = {English}, urldate = {2021-08-31} } ​LockFile Ransomware: Exploiting Microsoft Exchange Vulnerabilities Using ProxyShell
LockFile
2021-08-23Sophos SecOpsGreg Iddon
@online{iddon:20210823:proxyshell:5568890, author = {Greg Iddon}, title = {{ProxyShell vulnerabilities in Microsoft Exchange: What to do}}, date = {2021-08-23}, organization = {Sophos SecOps}, url = {https://news.sophos.com/en-us/2021/08/23/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do/}, language = {English}, urldate = {2022-03-18} } ProxyShell vulnerabilities in Microsoft Exchange: What to do
LockFile
2021-08-20SymantecThreat Hunter Team
@online{team:20210820:lockfile:28cc466, author = {Threat Hunter Team}, title = {{LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers}}, date = {2021-08-20}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows}, language = {English}, urldate = {2021-08-24} } LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers
LockFile
2021-08-20Twitter (@VirITeXplorer)TG Soft
@online{soft:20210820:about:dccc915, author = {TG Soft}, title = {{Tweet about LockFile attacks in Italy}}, date = {2021-08-20}, organization = {Twitter (@VirITeXplorer)}, url = {https://twitter.com/VirITeXplorer/status/1428750497872232459}, language = {English}, urldate = {2021-08-31} } Tweet about LockFile attacks in Italy
LockFile
Yara Rules
[TLP:WHITE] win_lockfile_auto (20220808 | Detects win.lockfile.)
rule win_lockfile_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.lockfile."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockfile"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4883d200 4533c0 4d3bd3 488955cf 4c8b5d87 410f92c0 493bc9 }
            // n = 7, score = 200
            //   4883d200             | lea                 ecx, [ebx + 0x70]
            //   4533c0               | mov                 ebx, dword ptr [eax + 8]
            //   4d3bd3               | dec                 eax
            //   488955cf             | mov                 dword ptr [esp + 0x40], ecx
            //   4c8b5d87             | mov                 dword ptr [esp + 0x48], ebx
            //   410f92c0             | inc                 eax
            //   493bc9               | test                dh, 0x10

        $sequence_1 = { 8b4318 894718 488d5320 488d4f20 e8???????? 90 488d0558e20400 }
            // n = 7, score = 200
            //   8b4318               | inc                 ecx
            //   894718               | setb                al
            //   488d5320             | dec                 ebp
            //   488d4f20             | cmp                 edi, ebp
            //   e8????????           |                     
            //   90                   | dec                 esp
            //   488d0558e20400       | lea                 ebx, [edx + ecx]

        $sequence_2 = { 33d2 e8???????? e8???????? c70016000000 e8???????? eb2a 488b07 }
            // n = 7, score = 200
            //   33d2                 | mov                 eax, dword ptr [ebp + 0x48]
            //   e8????????           |                     
            //   e8????????           |                     
            //   c70016000000         | dec                 ebp
            //   e8????????           |                     
            //   eb2a                 | adc                 ebp, esp
            //   488b07               | dec                 esp

        $sequence_3 = { 3474 8845bf 8b4580 043c 498bd4 3465 8845c0 }
            // n = 7, score = 200
            //   3474                 | dec                 ecx
            //   8845bf               | mov                 eax, dword ptr [edx + edx]
            //   8b4580               | dec                 eax
            //   043c                 | mov                 dword ptr [edx], eax
            //   498bd4               | dec                 eax
            //   3465                 | lea                 edx, [edx - 8]
            //   8845c0               | dec                 ebp

        $sequence_4 = { 488d0da7350700 8b440101 8b4c2438 33c8 8bc1 89442438 8b442448 }
            // n = 7, score = 200
            //   488d0da7350700       | mov                 edi, 8
            //   8b440101             | dec                 eax
            //   8b4c2438             | mov                 eax, dword ptr [ecx + 0x10]
            //   33c8                 | dec                 eax
            //   8bc1                 | cmp                 dword ptr [ecx + 8], eax
            //   89442438             | cmovb               edx, edi
            //   8b442448             | inc                 eax

        $sequence_5 = { 660feb0d???????? 4c8d0d14fc0000 f20f5cca f2410f590cc1 660f28d1 660f28c1 4c8d0d0b3e0100 }
            // n = 7, score = 200
            //   660feb0d????????     |                     
            //   4c8d0d14fc0000       | mov                 dword ptr [esi + 8], eax
            //   f20f5cca             | dec                 eax
            //   f2410f590cc1         | mov                 dword ptr [esi + 0x90], ebp
            //   660f28d1             | dec                 eax
            //   660f28c1             | test                ebp, ebp
            //   4c8d0d0b3e0100       | je                  0x15d

        $sequence_6 = { 8b45d0 040e 3468 8845e2 8b45d0 040f 3465 }
            // n = 7, score = 200
            //   8b45d0               | dec                 eax
            //   040e                 | mov                 eax, dword ptr [eax + 0x70]
            //   3468                 | dec                 ebp
            //   8845e2               | adc                 ecx, eax
            //   8b45d0               | dec                 ecx
            //   040f                 | adc                 eax, 0
            //   3465                 | dec                 eax

        $sequence_7 = { 4883d300 488b00 49f76320 4c8d0c3b 4803c1 4c8bd2 483bc1 }
            // n = 7, score = 200
            //   4883d300             | mov                 eax, dword ptr [esp + 0x28]
            //   488b00               | mov                 ecx, eax
            //   49f76320             | dec                 eax
            //   4c8d0c3b             | mov                 edx, eax
            //   4803c1               | dec                 eax
            //   4c8bd2               | lea                 ecx, [edi + 8]
            //   483bc1               | dec                 esp

        $sequence_8 = { 90 c74424308c000000 90 803d????????00 750d e8???????? c605????????01 }
            // n = 7, score = 200
            //   90                   | adc                 esp, ecx
            //   c74424308c000000     | dec                 ecx
            //   90                   | mul                 dword ptr [ebx + 8]
            //   803d????????00       |                     
            //   750d                 | dec                 esp
            //   e8????????           |                     
            //   c605????????01       |                     

        $sequence_9 = { 4103c0 33cb 03c1 890424 4585db 743e }
            // n = 6, score = 200
            //   4103c0               | xor                 al, 0x65
            //   33cb                 | mov                 byte ptr [ebp - 0x15], al
            //   03c1                 | mov                 byte ptr [ebp - 0x15], al
            //   890424               | mov                 eax, dword ptr [ebp - 0x30]
            //   4585db               | add                 al, 0x18
            //   743e                 | xor                 al, 0x20

    condition:
        7 of them and filesize < 1163264
}
Download all Yara Rules