SYMBOLCOMMON_NAMEaka. SYNONYMS
win.lockfile (Back to overview)

LockFile

A ransomware first observed in July 2021.

References
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker
2022-04-20Bleeping ComputerBill Toulas
@online{toulas:20220420:microsoft:c1073df, author = {Bill Toulas}, title = {{Microsoft Exchange servers hacked to deploy Hive ransomware}}, date = {2022-04-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/microsoft-exchange-servers-hacked-to-deploy-hive-ransomware/}, language = {English}, urldate = {2022-04-24} } Microsoft Exchange servers hacked to deploy Hive ransomware
Babuk BlackByte Conti Hive LockFile
2022-03-17SophosTilly Travers
@online{travers:20220317:ransomware:df38f2f, author = {Tilly Travers}, title = {{The Ransomware Threat Intelligence Center}}, date = {2022-03-17}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/03/17/the-ransomware-threat-intelligence-center/}, language = {English}, urldate = {2022-03-18} } The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-10-27Avast DecodedAvast
@online{avast:20211027:avast:6b44ea1, author = {Avast}, title = {{Avast releases decryptor for AtomSilo and LockFile ransomware}}, date = {2021-10-27}, organization = {Avast Decoded}, url = {https://decoded.avast.io/threatintel/decryptor-for-atomsilo-and-lockfile-ransomware/}, language = {English}, urldate = {2021-11-08} } Avast releases decryptor for AtomSilo and LockFile ransomware
ATOMSILO LockFile
2021-09-26NSFOCUSJie Ji
@online{ji:20210926:insights:51c06b8, author = {Jie Ji}, title = {{Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2}}, date = {2021-09-26}, organization = {NSFOCUS}, url = {https://nsfocusglobal.com/insights-into-ransomware-spread-using-exchange-1-day-vulnerabilities-1-2/}, language = {English}, urldate = {2021-11-25} } Insights into Ransomware Spread Using Exchange 1-Day Vulnerabilities 1-2
Cobalt Strike LockFile
2021-08-30CSO OnlineLucian Constantin
@online{constantin:20210830:lockfile:f792736, author = {Lucian Constantin}, title = {{LockFile ransomware uses intermittent encryption to evade detection}}, date = {2021-08-30}, organization = {CSO Online}, url = {https://www.csoonline.com/article/3631517/lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html}, language = {English}, urldate = {2021-08-31} } LockFile ransomware uses intermittent encryption to evade detection
LockFile
2021-08-28The Hacker NewsRavie Lakshmanan
@online{lakshmanan:20210828:lockfile:aa9e07a, author = {Ravie Lakshmanan}, title = {{LockFile Ransomware Bypasses Protection Using Intermittent File Encryption}}, date = {2021-08-28}, organization = {The Hacker News}, url = {https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html}, language = {English}, urldate = {2021-08-31} } LockFile Ransomware Bypasses Protection Using Intermittent File Encryption
LockFile
2021-08-27SophosMark Loman
@online{loman:20210827:lockfile:cc8483f, author = {Mark Loman}, title = {{LockFile ransomware’s box of tricks: intermittent encryption and evasion}}, date = {2021-08-27}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/08/27/lockfile-ransomwares-box-of-tricks-intermittent-encryption-and-evasion/}, language = {English}, urldate = {2021-08-30} } LockFile ransomware’s box of tricks: intermittent encryption and evasion
LockFile
2021-08-25Cybleinccybleinc
@online{cybleinc:20210825:lockfile:0bc870f, author = {cybleinc}, title = {{​LockFile Ransomware: Exploiting Microsoft Exchange Vulnerabilities Using ProxyShell}}, date = {2021-08-25}, organization = {Cybleinc}, url = {https://blog.cyble.com/2021/08/25/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/}, language = {English}, urldate = {2021-08-31} } ​LockFile Ransomware: Exploiting Microsoft Exchange Vulnerabilities Using ProxyShell
LockFile
2021-08-23Sophos SecOpsGreg Iddon
@online{iddon:20210823:proxyshell:5568890, author = {Greg Iddon}, title = {{ProxyShell vulnerabilities in Microsoft Exchange: What to do}}, date = {2021-08-23}, organization = {Sophos SecOps}, url = {https://news.sophos.com/en-us/2021/08/23/proxyshell-vulnerabilities-in-microsoft-exchange-what-to-do/}, language = {English}, urldate = {2022-03-18} } ProxyShell vulnerabilities in Microsoft Exchange: What to do
LockFile
2021-08-20Twitter (@VirITeXplorer)TG Soft
@online{soft:20210820:about:dccc915, author = {TG Soft}, title = {{Tweet about LockFile attacks in Italy}}, date = {2021-08-20}, organization = {Twitter (@VirITeXplorer)}, url = {https://twitter.com/VirITeXplorer/status/1428750497872232459}, language = {English}, urldate = {2021-08-31} } Tweet about LockFile attacks in Italy
LockFile
2021-08-20SymantecThreat Hunter Team
@online{team:20210820:lockfile:28cc466, author = {Threat Hunter Team}, title = {{LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers}}, date = {2021-08-20}, organization = {Symantec}, url = {https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows}, language = {English}, urldate = {2021-08-24} } LockFile: Ransomware Uses PetitPotam Exploit to Compromise Windows Domain Controllers
LockFile
Yara Rules
[TLP:WHITE] win_lockfile_auto (20220411 | Detects win.lockfile.)
rule win_lockfile_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.lockfile."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.lockfile"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 4c8d442440 c745d802000000 488d9520010000 0f2845d0 488d4c2460 660f7f442440 e8???????? }
            // n = 7, score = 200
            //   4c8d442440           | dec                 ecx
            //   c745d802000000       | cmp                 esi, ebp
            //   488d9520010000       | dec                 ecx
            //   0f2845d0             | adc                 esp, 0
            //   488d4c2460           | dec                 ecx
            //   660f7f442440         | mul                 dword ptr [edi + 0x38]
            //   e8????????           |                     

        $sequence_1 = { e8???????? eb2f ba10000000 488d0d4dd80400 e8???????? 4885c0 740e }
            // n = 7, score = 200
            //   e8????????           |                     
            //   eb2f                 | mov                 eax, dword ptr [ebp + 0x10]
            //   ba10000000           | add                 al, 0x1d
            //   488d0d4dd80400       | xor                 al, 0x65
            //   e8????????           |                     
            //   4885c0               | mov                 byte ptr [ebp + 0x31], al
            //   740e                 | mov                 eax, dword ptr [ebp + 0x10]

        $sequence_2 = { 480f42c8 488bfa 33c0 f3aa 488b8c2450010000 4833cc e8???????? }
            // n = 7, score = 200
            //   480f42c8             | lea                 eax, dword ptr [edx - 0x70e44324]
            //   488bfa               | xor                 esi, dword ptr [esp + 0xc]
            //   33c0                 | inc                 esp
            //   f3aa                 | add                 eax, ecx
            //   488b8c2450010000     | or                  ecx, eax
            //   4833cc               | xor                 esi, dword ptr [esp + 0xa8]
            //   e8????????           |                     

        $sequence_3 = { 4c0365bf 4b8d3427 4c8d1c37 4f8d0c1a 4b8d1408 488d0411 483bc1 }
            // n = 7, score = 200
            //   4c0365bf             | dec                 ecx
            //   4b8d3427             | adc                 edi, 0
            //   4c8d1c37             | dec                 eax
            //   4f8d0c1a             | mul                 dword ptr [ebx + 0x68]
            //   4b8d1408             | dec                 edi
            //   488d0411             | lea                 esi, dword ptr [esp + edi]
            //   483bc1               | dec                 eax

        $sequence_4 = { c685570100006e c6855801000022 c685590100002d c6855a01000021 c6855b01000029 c6855c0100006c c6855d0100006c }
            // n = 7, score = 200
            //   c685570100006e       | inc                 ecx
            //   c6855801000022       | mov                 ecx, 0x1a5
            //   c685590100002d       | jne                 0x1e7e
            //   c6855a01000021       | dec                 eax
            //   c6855b01000029       | mov                 eax, ecx
            //   c6855c0100006c       | inc                 ecx
            //   c6855d0100006c       | mov                 edx, 0xfff

        $sequence_5 = { 488d4c2420 8364242800 b260 488bd8 e8???????? 4c8bc3 488d542430 }
            // n = 7, score = 200
            //   488d4c2420           | cmp                 esi, edi
            //   8364242800           | dec                 ecx
            //   b260                 | adc                 esp, 0
            //   488bd8               | dec                 ebp
            //   e8????????           |                     
            //   4c8bc3               | shld                esp, ebx, 1
            //   488d542430           | dec                 ecx

        $sequence_6 = { 33d0 418bc6 c1c806 33d0 8bc7 4133c4 4123c6 }
            // n = 7, score = 200
            //   33d0                 | inc                 ecx
            //   418bc6               | xor                 ecx, edi
            //   c1c806               | and                 ecx, ebx
            //   33d0                 | inc                 edx
            //   8bc7                 | lea                 eax, dword ptr [edi + eax]
            //   4133c4               | inc                 ecx
            //   4123c6               | xor                 ecx, esp

        $sequence_7 = { 488b55e0 4885d2 7411 488bfa 33c0 f348ab 488bca }
            // n = 7, score = 200
            //   488b55e0             | lea                 ecx, dword ptr [ebx + eax]
            //   4885d2               | dec                 eax
            //   7411                 | cmp                 edi, esi
            //   488bfa               | dec                 ecx
            //   33c0                 | adc                 esi, 0
            //   f348ab               | dec                 ebp
            //   488bca               | cmp                 edi, ebp

        $sequence_8 = { 493bca 4913fe 4c0fa4c701 490fa4c001 4803c0 4c3bd8 498b4738 }
            // n = 7, score = 200
            //   493bca               | cmp                 byte ptr [ebp - 0x48], 1
            //   4913fe               | jg                  0x737
            //   4c0fa4c701           | dec                 eax
            //   490fa4c001           | mov                 ecx, edi
            //   4803c0               | dec                 eax
            //   4c3bd8               | lea                 ecx, dword ptr [ebp - 0x50]
            //   498b4738             | mov                 edx, 0xe

        $sequence_9 = { c7442438f0ffffff 33d2 c7442428f0ffffff 488d0560040000 8954243c 8954242c 488d5188 }
            // n = 7, score = 200
            //   c7442438f0ffffff     | dec                 ebp
            //   33d2                 | cmp                 esi, ebp
            //   c7442428f0ffffff     | je                  0x6a1
            //   488d0560040000       | cmp                 byte ptr [ebp + 0x7f], 0
            //   8954243c             | dec                 ebp
            //   8954242c             | mov                 esp, eax
            //   488d5188             | dec                 esp

    condition:
        7 of them and filesize < 1163264
}
Download all Yara Rules