win.lockfile (Back to overview)

LockFile


A ransomware family first observed in July 2021.

References
2022-06-23 — Secureworks — Counter Threat Unit Research Team
BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster BRONZE STARLIGHT
2022-05-09 — Microsoft — Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-04-20 — Bleeping Computer — Bill Toulas
Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile
2022-03-17 — Sophos — Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-10-27 — Avast Decoded — Avast
Avast releases decryptor for AtomSilo and LockFile ransomware
ATOMSILO LockFile
2021-09-26 — NSFOCUS — Jie Ji
Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2
Cobalt Strike LockFile
2021-08-30 — CSO Online — Lucian Constantin
LockFile ransomware uses intermittent encryption to evade detection
LockFile
2021-08-28 — The Hacker News — Ravie Lakshmanan
LockFile Ransomware Bypasses Protection Using Intermittent File Encryption
LockFile
2021-08-27 — Sophos — Mark Loman
LockFile ransomware’s box of tricks: intermittent encryption and evasion
LockFile
2021-08-25 — Cybleinc — cybleinc
LockFile Ransomware: Exploiting Microsoft Exchange Vulnerabilities Using ProxyShell
LockFile
2021-08-23 — Sophos SecOps — Greg Iddon
ProxyShell vulnerabilities in Microsoft Exchange: What to do
LockFile
2021-08-20 — Symantec — Threat Hunter Team
LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers
LockFile
2021-08-20 — Twitter (@VirITeXplorer) — TG Soft
Tweet about LockFile attacks in Italy
LockFile
Yara Rules
[TLP:WHITE] win_lockfile_auto (20230808 | Detects win.lockfile.)
rule win_lockfile_auto {

    /* Purpose: flag samples that contain a subset of machine-selected code
     * byte-sequences taken from a win.lockfile (LockFile ransomware) sample.
     * The rule is emitted by yara-signator, so the strings are opcode runs
     * chosen by the generator rather than analyst-curated indicators; see the
     * DISCLAIMER below for how that affects confidence.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.lockfile."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockfile"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* NOTE(review): the three timestamps in meta (date 2023-12-06,
     * malpedia_rule_date 20231130, malpedia_version 20230808) do not agree;
     * they are generator-supplied and are kept exactly as published.
     */

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): only the hex bytes are matched; the "| mnemonic" column in
     * the comments below is informational and does not appear to line up with
     * the bytes on the same row (e.g. 418bdc is annotated "sub ebx, eax",
     * but 8b is a mov opcode, and the 41/48/49/4c leading bytes are x86-64
     * REX prefixes that the annotations render as 32-bit "inc"/"dec").
     * Treat the annotations as unreliable and the byte patterns as
     * authoritative.
     * "????????" runs are 4-byte wildcards over operands that vary between
     * builds and load addresses (rel32 call/jump targets and 32-bit
     * displacements), which is what lets a fixed byte run match across
     * differently linked or relocated copies.
     */

    strings:
        $sequence_0 = { 418bdc 33d9 8bcb 4123cf 4133cc 03d1 8955bb }
            // n = 7, score = 200
            //   418bdc               | sub                 ebx, eax
            //   33d9                 | nop                 word ptr [eax + eax]
            //   8bcb                 | movdqu              xmm0, xmmword ptr [eax - 0x10]
            //   4123cf               | dec                 eax
            //   4133cc               | add                 esi, 0x10
            //   03d1                 | movdqu              xmm1, xmmword ptr [eax + edx - 0x10]
            //   8955bb               | movdqu              xmm2, xmmword ptr [edx + eax]

        $sequence_1 = { 488b4b58 49894a48 488b5360 49895250 48837b6010 7731 41c6424101 }
            // n = 7, score = 200
            //   488b4b58             | movups              xmmword ptr [eax + 0x20], xmm0
            //   49894a48             | dec                 ecx
            //   488b5360             | mov                 ebx, dword ptr [ebp]
            //   49895250             | dec                 ecx
            //   48837b6010           | sub                 ebx, esp
            //   7731                 | xor                 edx, edx
            //   41c6424101           | dec                 eax

        $sequence_2 = { 488bf1 33d2 e8???????? 33d2 48895618 48895620 }
            // n = 6, score = 200
            //   488bf1               | dec                 eax
            //   33d2                 | mov                 dword ptr [ebp + 0x58], edx
            //   e8????????           |                     
            //   33d2                 | dec                 ecx
            //   48895618             | cmp                 ecx, edx
            //   48895620             | inc                 ecx

        $sequence_3 = { e9???????? 4c8d4c245c 4c8d4570 488d15b31e0600 488d8d70020000 e8???????? 488d8d70020000 }
            // n = 7, score = 200
            //   e9????????           |                     
            //   4c8d4c245c           | dec                 ecx
            //   4c8d4570             | mov                 eax, dword ptr [esp + 0x60]
            //   488d15b31e0600       | dec                 esp
            //   488d8d70020000       | cmp                 eax, ecx
            //   e8????????           |                     
            //   488d8d70020000       | dec                 eax

        $sequence_4 = { 85c0 7411 836530fe 488b4d38 4883c178 e8???????? }
            // n = 6, score = 200
            //   85c0                 | cmp                 eax, ebx
            //   7411                 | jae                 0xa06
            //   836530fe             | dec                 ecx
            //   488b4d38             | cmp                 ebx, eax
            //   4883c178             | jae                 0xa11
            //   e8????????           |                     

        $sequence_5 = { 57 4883ec20 8bfa 488bd9 488b4908 4885c9 740b }
            // n = 7, score = 200
            //   57                   | cmp                 ecx, ebx
            //   4883ec20             | dec                 eax
            //   8bfa                 | mov                 ebx, dword ptr [ebp + 0x50]
            //   488bd9               | dec                 eax
            //   488b4908             | adc                 edx, 0
            //   4885c9               | dec                 eax
            //   740b                 | mov                 dword ptr [ebp - 0x10], edx

        $sequence_6 = { 0f845c010000 83792801 0f8552010000 e8???????? 8bd8 483bde 480f42de }
            // n = 7, score = 200
            //   0f845c010000         | cmp                 ebx, edx
            //   83792801             | dec                 esp
            //   0f8552010000         | cmp                 ebx, edx
            //   e8????????           |                     
            //   8bd8                 | dec                 ecx
            //   483bde               | adc                 eax, 0
            //   480f42de             | dec                 ecx

        $sequence_7 = { 0f84a5000000 488b0d???????? 488b15???????? 4c3bc1 750d 488bc1 48d1e8 }
            // n = 7, score = 200
            //   0f84a5000000         | mov                 ebx, dword ptr [ebp - 0x61]
            //   488b0d????????       |                     
            //   488b15????????       |                     
            //   4c3bc1               | dec                 eax
            //   750d                 | adc                 edi, 0
            //   488bc1               | dec                 ecx
            //   48d1e8               | cmp                 esi, esi

        $sequence_8 = { 41c1c802 4123cb 418bd1 0bc8 c1c205 03cd 418bc0 }
            // n = 7, score = 200
            //   41c1c802             | dec                 ecx
            //   4123cb               | lea                 ecx, [eax - 1]
            //   418bd1               | dec                 eax
            //   0bc8                 | lea                 ecx, [eax + ecx*8]
            //   c1c205               | dec                 eax
            //   03cd                 | cmp                 dword ptr [ecx], 0
            //   418bc0               | dec                 ebp

        $sequence_9 = { 88458c 8b4580 0409 3465 88458d 8b4580 040a }
            // n = 7, score = 200
            //   88458c               | dec                 esp
            //   8b4580               | lea                 eax, [ecx + eax]
            //   0409                 | dec                 eax
            //   3465                 | mul                 dword ptr [ebx + 0x68]
            //   88458d               | dec                 edi
            //   8b4580               | lea                 esi, [esp + edi]
            //   040a                 | dec                 eax

    condition:
        // Match when any 7 of the 10 $sequence_* strings are present ("them"
        // is every string declared above), so a build that drops or alters
        // up to three of the runs still fires.
        // The size bound (1163264 bytes, ~1.1 MiB) caps scan cost and false
        // positives on large inputs. It is the only structural filter: there
        // is no PE-header (MZ) check, so the rule applies equally to memory
        // dumps and unpacked images, consistent with the disclaimer's
        // description of where the strings were taken from.
        7 of them and filesize < 1163264
}