win.lockfile

LockFile


A ransomware first observed in July 2021.

References
2022-06-23 | Secureworks | Counter Threat Unit Research Team
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster BRONZE STARLIGHT
2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-04-20 | Bleeping Computer | Bill Toulas
Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile
2022-03-17 | Sophos | Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-10-27 | Avast Decoded | Avast
Avast releases decryptor for AtomSilo and LockFile ransomware
ATOMSILO LockFile
2021-09-26 | NSFOCUS | Jie Ji
Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2
Cobalt Strike LockFile
2021-08-30 | CSO Online | Lucian Constantin
LockFile ransomware uses intermittent encryption to evade detection
LockFile
2021-08-28 | The Hacker News | Ravie Lakshmanan
LockFile Ransomware Bypasses Protection Using Intermittent File Encryption
LockFile
2021-08-27 | Sophos | Mark Loman
LockFile ransomware’s box of tricks: intermittent encryption and evasion
LockFile
2021-08-25 | Cybleinc | cybleinc
LockFile Ransomware: Exploiting Microsoft Exchange Vulnerabilities Using ProxyShell
LockFile
2021-08-23 | Sophos SecOps | Greg Iddon
ProxyShell vulnerabilities in Microsoft Exchange: What to do
LockFile
2021-08-20 | Symantec | Threat Hunter Team
LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers
LockFile
2021-08-20 | Twitter (@VirITeXplorer) | TG Soft
Tweet about LockFile attacks in Italy
LockFile
Yara Rules
[TLP:WHITE] win_lockfile_auto (20260504 | Detects win.lockfile.)
rule win_lockfile_auto {
    // Purpose: auto-generated code-pattern signature for the LockFile ransomware
    // family (Malpedia id win.lockfile). The rule carries no text strings, module
    // imports or file-header checks -- only ten 7-instruction opcode sequences
    // ($sequence_0 .. $sequence_9) that YARA-Signator selected from unpacked
    // samples and memory dumps (see the DISCLAIMER below). It is therefore meant
    // for unpacked code / memory, not for packed on-disk binaries.
    //
    // Match semantics (see `condition` at the bottom): at least 7 of the 10
    // sequences must be present AND the scanned object must be smaller than
    // 1163264 bytes (~1.1 MiB). The `e8????????` entries in $sequence_0,
    // $sequence_2 and $sequence_5 are a call opcode (e8) followed by a wildcarded
    // rel32 target, so call destinations do not have to match.
    //
    // NOTE(review): the mnemonic column next to each hex sequence does not
    // correspond to the bytes on the same line (e.g. `4881c488000000` decodes as
    // `add rsp, 0x88`, not `je 0xa5`; `c3` is `ret`). It looks like a misaligned
    // or 32-bit-mode listing emitted by the generator. These are comments only
    // and do not affect matching -- review coverage from the hex, not the
    // mnemonics.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.lockfile."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockfile"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    // Each $sequence_N is a hex pattern of 7 consecutive instructions; the
    // "n = 7, score = 200" line is generator metadata (sequence length, rank).
    strings:
        $sequence_0 = { 4881c488000000 c3 488d1520580600 488d4c2420 e8???????? 90 488d542420 }
            // n = 7, score = 200
            //   4881c488000000       | je                  0xa5
            //   c3                   | mov                 dword ptr [esp + 0x38], 7
            //   488d1520580600       | dec                 eax
            //   488d4c2420           | lea                 eax, [0x26c8b]
            //   e8????????           |                     
            //   90                   | sete                cl
            //   488d542420           | dec                 esp

        $sequence_1 = { 4983d100 48894120 488b4d50 498b4328 4f8d040a 48f721 4d8d1c00 }
            // n = 7, score = 200
            //   4983d100             | dec                 eax
            //   48894120             | lea                 ecx, [edx + 0xc]
            //   488b4d50             | dec                 eax
            //   498b4328             | mov                 dword ptr [esi + 0x10], ecx
            //   4f8d040a             | dec                 eax
            //   48f721               | mov                 edx, dword ptr [esi + 0x18]
            //   4d8d1c00             | dec                 esp

        $sequence_2 = { 488d056aba0300 4889442420 488d4c2468 e8???????? 90 4c8d4718 488bd3 }
            // n = 7, score = 200
            //   488d056aba0300       | dec                 eax
            //   4889442420           | lea                 edx, [esp + 0x30]
            //   488d4c2468           | dec                 eax
            //   e8????????           |                     
            //   90                   | lea                 eax, [0x3604a]
            //   4c8d4718             | mov                 byte ptr [edi + 0x20], 0
            //   488bd3               | dec                 eax

        $sequence_3 = { 4889542428 488955d8 4c8945e8 66660f1f840000000000 4c8921 4c896108 4c896110 }
            // n = 7, score = 200
            //   4889542428           | xor                 esi, dword ptr [esp + 0x98]
            //   488955d8             | inc                 ecx
            //   4c8945e8             | mov                 ebx, ebx
            //   66660f1f840000000000     | inc    esp
            //   4c8921               | xor                 esi, dword ptr [esp + 0x28]
            //   4c896108             | mov                 eax, edx
            //   4c896110             | inc                 esp

        $sequence_4 = { 8b44243c c1e808 8944243c 0fb644243c c1e003 4898 488d0dff390700 }
            // n = 7, score = 200
            //   8b44243c             | dec                 eax
            //   c1e808               | adc                 edi, 0
            //   8944243c             | dec                 eax
            //   0fb644243c           | mul                 dword ptr [esi + 0x68]
            //   c1e003               | dec                 ecx
            //   4898                 | lea                 ebx, [esi + edi]
            //   488d0dff390700       | dec                 esp

        $sequence_5 = { 4c8d0de9e10400 4533c0 418d501a 488d4db7 e8???????? 0f1000 0f1145d7 }
            // n = 7, score = 200
            //   4c8d0de9e10400       | dec                 eax
            //   4533c0               | mov                 dword ptr [edx + 0x58], eax
            //   418d501a             | dec                 eax
            //   488d4db7             | mov                 eax, dword ptr [edi + 0x60]
            //   e8????????           |                     
            //   0f1000               | dec                 ecx
            //   0f1145d7             | mul                 dword ptr [esi]

        $sequence_6 = { 4c3b4597 4c8b458f 4883d700 483bc1 4983d000 493bd1 4c13c7 }
            // n = 7, score = 200
            //   4c3b4597             | dec                 ecx
            //   4c8b458f             | mov                 eax, dword ptr [edx + 0x30]
            //   4883d700             | dec                 eax
            //   483bc1               | mul                 dword ptr [ebx + 0x50]
            //   4983d000             | dec                 eax
            //   493bd1               | mul                 dword ptr [ebx + 0x48]
            //   4c13c7               | dec                 esp

        $sequence_7 = { 48c1fa05 488bc2 48c1e83f 4803d0 488bca 48d1e9 488bc7 }
            // n = 7, score = 200
            //   48c1fa05             | mov                 ebx, ecx
            //   488bc2               | dec                 ebp
            //   48c1e83f             | mov                 ebx, eax
            //   4803d0               | dec                 esp
            //   488bca               | mov                 edx, dword ptr [ecx]
            //   48d1e9               | dec                 eax
            //   488bc7               | cmp                 dword ptr [edx + 0x10], 0

        $sequence_8 = { c645d64b c645d750 c645d83f c645d987 40887dda 0fb64580 0fb6440d80 }
            // n = 7, score = 200
            //   c645d64b             | cmp                 eax, ecx
            //   c645d750             | dec                 eax
            //   c645d83f             | mov                 ecx, dword ptr [ebp + 0x58]
            //   c645d987             | dec                 ecx
            //   40887dda             | adc                 edx, 0
            //   0fb64580             | dec                 eax
            //   0fb6440d80           | mov                 eax, dword ptr [ecx]

        $sequence_9 = { 89442438 0fb6442438 488d0d6a320700 488d04c1 b901000000 486bc901 ba01000000 }
            // n = 7, score = 200
            //   89442438             | adc                 ebx, ebp
            //   0fb6442438           | dec                 ecx
            //   488d0d6a320700       | mul                 dword ptr [esp + 0x58]
            //   488d04c1             | dec                 esp
            //   b901000000           | add                 edx, ebx
            //   486bc901             | dec                 esp
            //   ba01000000           | mov                 ebx, edx

    // `them` = all ten $sequence_N strings; 7 hits plus the size cap are required.
    // Tuning note: tightening the filesize cap or adding a PE-header check would
    // reduce hits on unrelated files, but the DISCLAIMER says the patterns were
    // taken from memory dumps too, so a header check could also drop those hits.
    condition:
        7 of them and filesize < 1163264
}