SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lockfile (Back to overview)

LockFile

A ransomware first observed in July 2021.

References
2022-06-23SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220623:bronze:8bccd74, author = {Counter Threat Unit ResearchTeam}, title = {{BRONZE STARLIGHT Ransomware Operations Use HUI Loader}}, date = {2022-06-23}, organization = {Secureworks}, url = {https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader}, language = {English}, urldate = {2022-09-20} } BRONZE STARLIGHT Ransomware Operations Use HUI Loader
ATOMSILO Cobalt Strike HUI Loader LockFile NightSky Pandora PlugX Quasar RAT Rook SodaMaster
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-04-20Bleeping ComputerBill Toulas
@online{toulas:20220420:microsoft:c1073df, author = {Bill Toulas}, title = {{Microsoft Exchange servers hacked to deploy Hive ransomware}}, date = {2022-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/}, language = {English}, urldate = {2022-04-24} } Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-10-27Avast DecodedAvast
@online{avast:20211027:avast:6b44ea1, author = {Avast}, title = {{Avast releases decryptor for AtomSilo and LockFile ransomware}}, date = {2021-10-27}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/}, language = {English}, urldate = {2021-11-08} } Avast releases decryptor for AtomSilo and LockFile ransomware
ATOMSILO LockFile
2021-09-26NSFOCUSJie Ji
@online{ji:20210926:insights:51c06b8, author = {Jie Ji}, title = {{Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2}}, date = {2021-09-26}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/}, language = {English}, urldate = {2021-11-25} } Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2
Cobalt Strike LockFile
2021-08-30CSO OnlineLucian Constantin
@online{constantin:20210830:lockfile:f792736, author = {Lucian Constantin}, title = {{LockFile ransomware uses intermittent encryption to evade detection}}, date = {2021-08-30}, organization = {CSO Online}, url = {https://www.csoonline.com/article/3631517/lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html}, language = {English}, urldate = {2021-08-31} } LockFile ransomware uses intermittent encryption to evade detection
LockFile
2021-08-28The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20210828:lockfile:aa9e07a, author = {Ravie Lakshmanan}, title = {{LockFile Ransomware Bypasses Protection Using Intermittent File Encryption}}, date = {2021-08-28}, organization = {The Hacker News}, url = {https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html}, language = {English}, urldate = {2021-08-31} } LockFile Ransomware Bypasses Protection Using Intermittent File Encryption
LockFile
2021-08-27SophosMark Loman
@online{loman:20210827:lockfile:cc8483f, author = {Mark Loman}, title = {{LockFile ransomware’s box of tricks: intermittent encryption and evasion}}, date = {2021-08-27}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/08/27/lockfile-ransomwares-box-of-tricks-intermittent-encryption-and-evasion/}, language = {English}, urldate = {2021-08-30} } LockFile ransomware’s box of tricks: intermittent encryption and evasion
LockFile
2021-08-25Cybleinccybleinc
@online{cybleinc:20210825:lockfile:0bc870f, author = {cybleinc}, title = {{​LockFile Ransomware: Exploiting Microsoft Exchange Vulnerabilities Using ProxyShell}}, date = {2021-08-25}, organization = {Cybleinc}, url = {https://blog.cyble.com/2021/08/25/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/}, language = {English}, urldate = {2021-08-31} } ​LockFile Ransomware: Exploiting Microsoft Exchange Vulnerabilities Using ProxyShell
LockFile
2021-08-23Sophos SecOpsGreg Iddon
@online{iddon:20210823:proxyshell:5568890, author = {Greg Iddon}, title = {{ProxyShell vulnerabilities in Microsoft Exchange: What to do}}, date = {2021-08-23}, organization = {Sophos SecOps}, url = {https://news.sophos.com/en-us/2021/08/23/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do/}, language = {English}, urldate = {2022-03-18} } ProxyShell vulnerabilities in Microsoft Exchange: What to do
LockFile
2021-08-20SymantecThreat Hunter Team
@online{team:20210820:lockfile:28cc466, author = {Threat Hunter Team}, title = {{LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers}}, date = {2021-08-20}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows}, language = {English}, urldate = {2021-08-24} } LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers
LockFile
2021-08-20Twitter (@VirITeXplorer)TG Soft
@online{soft:20210820:about:dccc915, author = {TG Soft}, title = {{Tweet about LockFile attacks in Italy}}, date = {2021-08-20}, organization = {Twitter (@VirITeXplorer)}, url = {https://twitter.com/VirITeXplorer/status/1428750497872232459}, language = {English}, urldate = {2021-08-31} } Tweet about LockFile attacks in Italy
LockFile
Yara Rules
[TLP:WHITE] win_lockfile_auto (20230407 | Detects win.lockfile.)
rule win_lockfile_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.lockfile."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockfile"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 488d4dd0 e8???????? 4180fe43 742e 418d46bb a8f9 7416 }
            // n = 7, score = 200
            //   488d4dd0             | dec                 eax
            //   e8????????           |                     
            //   4180fe43             | cmp                 eax, 0x1f
            //   742e                 | ja                  0xfc5
            //   418d46bb             | dec                 eax
            //   a8f9                 | mov                 dword ptr [ebp - 0x29], esi
            //   7416                 | dec                 eax

        $sequence_1 = { 488d8d70020000 e8???????? 488d8d70020000 e8???????? ff05???????? eb7a 807c245c2e }
            // n = 7, score = 200
            //   488d8d70020000       | dec                 eax
            //   e8????????           |                     
            //   488d8d70020000       | add                 edx, eax
            //   e8????????           |                     
            //   ff05????????         |                     
            //   eb7a                 | dec                 eax
            //   807c245c2e           | mov                 edi, dword ptr [ebp - 0x10]

        $sequence_2 = { 49f76330 4c8d143b 4c8bca 4c8d0401 498b4348 4c3bc1 }
            // n = 6, score = 200
            //   49f76330             | dec                 eax
            //   4c8d143b             | dec                 ecx
            //   4c8bca               | dec                 eax
            //   4c8d0401             | lea                 eax, [esi*8]
            //   498b4348             | dec                 esp
            //   4c3bc1               | mov                 edi, esi

        $sequence_3 = { 3420 88442450 8b442440 040d 3477 88442451 8b442440 }
            // n = 7, score = 200
            //   3420                 | mov                 eax, dword ptr [eax + edx*8]
            //   88442450             | inc                 esp
            //   8b442440             | mov                 dword ptr [eax + ecx*4], edi
            //   040d                 | and                 ecx, 3
            //   3477                 | inc                 ecx
            //   88442451             | mov                 eax, 5
            //   8b442440             | dec                 eax

        $sequence_4 = { 498d4701 488b542430 eb1b 4885c9 7413 e8???????? 488bf8 }
            // n = 7, score = 200
            //   498d4701             | dec                 eax
            //   488b542430           | cmp                 edi, esi
            //   eb1b                 | setb                cl
            //   4885c9               | dec                 esp
            //   7413                 | cmp                 ebx, ebx
            //   e8????????           |                     
            //   488bf8               | dec                 eax

        $sequence_5 = { c645b851 488bcb c645b954 c645ba48 c645bb50 c645bc4b c645bd4e }
            // n = 7, score = 200
            //   c645b851             | mov                 eax, dword ptr [ebx + 0x38]
            //   488bcb               | dec                 ecx
            //   c645b954             | cmp                 ecx, eax
            //   c645ba48             | dec                 eax
            //   c645bb50             | adc                 edx, 0
            //   c645bc4b             | dec                 esp
            //   c645bd4e             | add                 esp, edx

        $sequence_6 = { 4983d700 48f76768 4f8d343c 488bf2 498d0c00 498b4238 493bc8 }
            // n = 7, score = 200
            //   4983d700             | dec                 ecx
            //   48f76768             | mov                 eax, dword ptr [ebx + 0x48]
            //   4f8d343c             | dec                 ecx
            //   488bf2               | cmp                 ecx, eax
            //   498d0c00             | dec                 eax
            //   498b4238             | adc                 edx, 0
            //   493bc8               | dec                 esp

        $sequence_7 = { 488d05045f0300 488901 488d056a600300 48894108 80795900 7506 e8???????? }
            // n = 7, score = 200
            //   488d05045f0300       | xor                 eax, ecx
            //   488901               | rol                 ebx, 1
            //   488d056a600300       | inc                 ecx
            //   48894108             | xor                 eax, edx
            //   80795900             | inc                 ecx
            //   7506                 | rol                 ebp, 1
            //   e8????????           |                     

        $sequence_8 = { 8d0c1b 4903cf 4c8d8588010000 488d15d0fa0500 e8???????? 0fb68588010000 ffc3 }
            // n = 7, score = 200
            //   8d0c1b               | mov                 ebx, edx
            //   4903cf               | dec                 esp
            //   4c8d8588010000       | mov                 edi, ecx
            //   488d15d0fa0500       | mov                 dword ptr [ebp - 0x49], 0
            //   e8????????           |                     
            //   0fb68588010000       | dec                 eax
            //   ffc3                 | mov                 ecx, dword ptr [ebp + 0x7f]

        $sequence_9 = { 4156 4881eca8000000 488bbc24f0000000 4533f6 488b9424e8000000 4d8bd1 488958e8 }
            // n = 7, score = 200
            //   4156                 | je                  0x170e
            //   4881eca8000000       | mov                 dword ptr [ebp - 0x70], ecx
            //   488bbc24f0000000     | dec                 eax
            //   4533f6               | mov                 dword ptr [eax], ecx
            //   488b9424e8000000     | dec                 esp
            //   4d8bd1               | lea                 eax, [edi - 1]
            //   488958e8             | dec                 eax

    condition:
        7 of them and filesize < 1163264
}
Download all Yara Rules