{
	"id": "29dd5bb6-4b39-43d1-818d-cd39c07229f6",
	"created_at": "2026-04-06T00:14:40.307011Z",
	"updated_at": "2026-04-10T13:12:06.35163Z",
	"deleted_at": null,
	"sha1_hash": "36381ef4ea22da3c0ff129a57c9753d21a89ea9a",
	"title": "LockFile Ransomware Bypasses Protection Using Intermittent File Encryption",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 249680,
	"plain_text": "LockFile Ransomware Bypasses Protection Using Intermittent File Encryption\r\nBy The Hacker News\r\nPublished: 2021-08-28 · Archived: 2026-04-05 18:52:17 UTC\r\nA new ransomware family that emerged last month comes with its own bag of tricks to bypass ransomware protection by leveraging a novel technique called \"intermittent encryption.\"\r\nCalled LockFile, the operators of the ransomware have been found exploiting recently disclosed flaws such as ProxyShell and PetitPotam to compromise Windows servers and deploy file-encrypting malware that scrambles only every alternate 16 bytes of a file, thereby giving it the ability to evade ransomware defences.\r\n\"Partial encryption is generally used by ransomware operators to speed up the encryption process and we've seen it implemented by BlackMatter, DarkSide and LockBit 2.0 ransomware,\" Mark Loman, Sophos director of engineering, said in a statement. \"What sets LockFile apart is that, unlike the others, it doesn't encrypt the first few blocks. Instead, LockFile encrypts every other 16 bytes of a document.\"\r\n\"This means that a file such as a text document remains partially readable and looks statistically like the original. This trick can be successful against ransomware protection software that relies on inspecting content using statistical analysis to detect encryption,\" Loman added.\r\nSophos' analysis of LockFile comes from an artifact that was uploaded to VirusTotal on August 22, 2021.\r\nOnce deposited, the malware also takes steps to terminate critical processes associated with virtualization software and databases via Windows Management Instrumentation (WMI), before proceeding to encrypt critical files and objects, and display a ransom note that bears stylistic similarities with that of LockBit 2.0.\r\nThe ransom note also urges the victim to contact a specific email address, \"contact@contipauper.com,\" which Sophos suspects could be a derogatory reference to a competing ransomware group called Conti.\r\nWhat's more, the ransomware deletes itself from the system after successfully encrypting all the documents on the machine, meaning that \"there is no ransomware binary for incident responders or antivirus software to find or clean up.\"\r\n\"The message here for defenders is that the cyberthreat landscape never stands still, and adversaries will quickly seize every possible opportunity or tool to launch a successful attack,\" Loman said.\r\nThe disclosure comes as the U.S. Federal Bureau of Investigation (FBI) released a Flash report detailing the tactics of a new Ransomware-as-a-Service (RaaS) outfit known as Hive, consisting of a number of actors who are using multiple mechanisms to compromise business networks, exfiltrate data and encrypt data on the networks, and attempt to collect a ransom in exchange for access to the decryption software.\r\nSource: https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html"
	],
	"report_names": [
		"lockfile-ransomware-bypasses-protection.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434480,
	"ts_updated_at": 1775826726,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/36381ef4ea22da3c0ff129a57c9753d21a89ea9a.pdf",
		"text": "https://archive.orkl.eu/36381ef4ea22da3c0ff129a57c9753d21a89ea9a.txt",
		"img": "https://archive.orkl.eu/36381ef4ea22da3c0ff129a57c9753d21a89ea9a.jpg"
	}
}
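The article above describes LockFile encrypting every other 16-byte chunk so that a file "looks statistically like the original" to a detector that inspects content with statistical analysis. The following is an added example, not LockFile's code and not Sophos' detection logic, that simulates the alternating-chunk scheme on a constructed plain-text document, measures Shannon entropy for the untouched, fully encrypted and intermittently encrypted versions, and shows a whole-file entropy check flagging the full encryption but missing the intermittent one. Everything not stated in the article is an assumption: the SHA-256 counter keystream stands in for the real cipher, the encrypted chunks are assumed to start at offset 0, the sample report text and the 7.5 bits-per-byte threshold are illustrative, and the per-lane check at the end is an added countermeasure idea that goes beyond the article.

```python
"""Intermittent (every-other-16-byte) encryption and the whole-file entropy
check it evades.  Added example; not LockFile's code.  The keystream, the
choice of which chunks are hit, the sample file and the thresholds are all
assumptions made for illustration."""
import hashlib
import math
from collections import Counter

CHUNK = 16                # LockFile alternates 16-byte chunks (per the Sophos description)
ENTROPY_THRESHOLD = 7.5   # illustrative "looks encrypted" cut-off, in bits per byte

# Constructed sample document: a short text report repeated to fill 4 KiB.
SAMPLE_PLAINTEXT = (
    b"Quarterly revenue figures are attached; see sheet 2 for the totals.\n" * 61
)[:4096]


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from SHA-256; a stand-in for the real cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def encrypt_chunks(data: bytes, key: bytes, chunk: int = CHUNK, every: int = 2) -> bytes:
    """XOR chunk 0, chunk `every`, chunk 2*every, ... with the keystream.

    every=1 encrypts the whole file; every=2 is the alternating pattern the
    article describes (assumed here to start with the first chunk).  XOR is
    symmetric, so calling this again with the same key decrypts.
    """
    ks = keystream(key, len(data))
    out = bytearray(data)
    for start in range(0, len(data), chunk * every):
        for i in range(start, min(start + chunk, len(data))):
            out[i] ^= ks[i]
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 is uniformly random, English text is roughly 4."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def naive_looks_encrypted(data: bytes) -> bool:
    """Whole-file entropy check of the kind intermittent encryption defeats."""
    return shannon_entropy(data) > ENTROPY_THRESHOLD


def interleaved_looks_encrypted(data: bytes, chunk: int = CHUNK, every: int = 2) -> bool:
    """Added countermeasure idea: score each residue class of chunks on its
    own, so an alternating pattern cannot hide inside the whole-file average.
    Assumes the attacker's chunk size and stride are known."""
    lanes = [bytearray() for _ in range(every)]
    for idx, start in enumerate(range(0, len(data), chunk)):
        lanes[idx % every] += data[start:start + chunk]
    return any(shannon_entropy(bytes(lane)) > ENTROPY_THRESHOLD for lane in lanes)


def demo(key: bytes = b"demo-key") -> dict:
    """Run the comparison on the constructed sample and return the measurements."""
    full = encrypt_chunks(SAMPLE_PLAINTEXT, key, every=1)
    partial = encrypt_chunks(SAMPLE_PLAINTEXT, key, every=2)
    return {
        "plain_entropy": shannon_entropy(SAMPLE_PLAINTEXT),
        "full_entropy": shannon_entropy(full),
        "partial_entropy": shannon_entropy(partial),
        "naive_flags_full": naive_looks_encrypted(full),
        "naive_flags_partial": naive_looks_encrypted(partial),
        "lane_flags_partial": interleaved_looks_encrypted(partial),
        "roundtrip_ok": encrypt_chunks(partial, key, every=2) == SAMPLE_PLAINTEXT,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

Running the script prints the three entropy figures side by side: the untouched report sits around 4 bits per byte, the fully encrypted copy close to 8, and the intermittently encrypted copy in between, below the whole-file threshold even though half of its bytes are ciphertext. The per-lane check only works because it assumes the chunk size and stride; a detector that does not know the pattern would instead need windowed statistics or a different signal altogether, such as the process behaviour (WMI-driven service termination, self-deletion) the article also describes.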