{
	"id": "a869eecf-02c6-44c3-aedc-fc2eeadcfaa9",
	"created_at": "2026-04-06T00:16:48.01989Z",
	"updated_at": "2026-04-10T03:21:45.022286Z",
	"deleted_at": null,
	"sha1_hash": "897d09906ded9cfed627a5f0cd5c2e05bbb2d247",
	"title": "LockFile ransomware uses intermittent encryption to evade detection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48366,
	"plain_text": "LockFile ransomware uses intermittent encryption to evade detection\r\nBy Lucian Constantin\r\nPublished: 2021-08-30 · Archived: 2026-04-05 21:53:44 UTC\r\nA new ransomware threat called LockFile has been victimizing enterprises worldwide since July. Key to its success are a few new tricks that make it harder for anti-ransomware solutions to detect it.\r\nThe threat uses what researchers from antivirus vendor Sophos call “intermittent encryption,” meaning it only encrypts chunks of data inside a file instead of its complete contents. This significantly speeds up the encryption process (more accurately, the data corruption process), but it also tricks ransomware protection systems that rely on statistical analysis to detect potentially unauthorized file encryption.\r\nLockFile built with evasion in mind\r\nLockFile uses multiple techniques designed to evade detection, starting with its own executable file, which is both packed and malformed. The first section of the file is full of zeroes and is followed by a second section that contains encoded data. Three functions located at the end decode the data from the second section, place it into the first section, and then jump to that code to execute it. The goal of this routine is to throw off endpoint protection software that monitors file execution.\r\nThe malware then leverages the Windows Management Interface (WMI) to scan for and kill important processes associated with business applications, including Hyper-V virtual machines, Oracle VM Virtual Box manager, Oracle VM Virtual Box services, Microsoft SQL Server, MySQL database, Oracle MTS Recovery Service, Oracle RDBMS Kernel, Oracle TNS Listener and VMware virtual machines.\r\nThe goal of killing these processes is to release any locks those applications hold on databases, virtual machines, or configuration files, so that the ransomware can encrypt them. By leveraging WMI, the processes will appear to be terminated by the system itself, not by the ransomware executable. This is another detection evasion technique that is also designed to complicate incident response.\r\nAnother noteworthy trick is the way in which LockFile performs operations on files. The malware doesn’t directly modify files on disk, but maps them into memory first, performs the modifications there and then relies on the Windows System process to commit the modifications to disk.\r\nTo a behavior monitoring product, this will appear as input/output (I/O) operations performed by the OS itself, not by a potentially suspicious process. It will also happen with a delay that can range from seconds to minutes, depending on how busy the disk is.\r\nLockFile is not the first ransomware threat to use memory-mapped I/O. Maze and WastedLocker have also used this technique, but it is not very common, Mark Loman, Sophos’s director of engineering for Next-Gen Technologies, said in a blog post.\r\nhttps://www.csoonline.com/article/3631517/lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html\r\nPage 1 of 3\r\nIntermittent encryption\r\nThe use of intermittent encryption, however, is a new development that the Sophos researchers have not seen before in ransomware. Other threats like LockBit 2.0, DarkSide and BlackMatter have used partial encryption, encrypting only the beginning of documents to speed up the process, but LockFile’s approach is different and significant.\r\nFrom a security perspective, incomplete encryption is bad because it leaves data exposed, but the goal of ransomware is not data privacy. It is controlled and reversible data corruption that just uses encryption as a tool. Therefore, ransomware doesn’t need to encrypt the full contents of files, just enough to make them unusable to the user, which is what LockBit 2.0, DarkSide and BlackMatter achieve by encrypting the starting portion of files.\r\nLockFile’s approach, however, is to encrypt every other 16 bytes of a file. So the resulting files will contain 16 bytes of scrambled data, followed by 16 bytes of untouched original data, followed by another 16 bytes of scrambled data, and so on. This process is not as fast as encrypting just the starting portion, but it has another benefit: it skews statistical analysis.\r\nSome ransomware detection programs use statistical analysis tests to detect whether a file modification is the result of file encryption. If the test indicates that a file has been encrypted, the program will block the process from modifying additional files.\r\nThis works because encrypted files, which are made up of random data, look very different from an unencrypted file to statistical analysis. One of the tests commonly used to detect statistically significant differences in data is the chi-squared (chi^2) test.\r\n“An unencrypted text file of 481KB (say, a book) has a chi^2 score of 3850061. If the document was encrypted by DarkSide ransomware, it would have a chi^2 score of 334 – which is a clear indication that the document has been encrypted,” Loman explained. “If the same document is encrypted by LockFile ransomware, it would still have a significantly high chi^2 score of 1789811.” In other words, if a detection program is calibrated by its creators to only detect and act on very big statistical differences, to avoid false positives, it could miss the encryption performed by LockFile.\r\nThe last trick in LockFile’s playbook is to delete itself after finishing the encryption process. This can frustrate incident response because responders will search for a ransomware binary to analyze and clean off the system.\r\nLockFile distribution\r\nThe LockFile ransomware has been distributed by exploiting a series of vulnerabilities in Microsoft Exchange servers known collectively as ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207). Patches for these vulnerabilities have been available since April and May, but despite being more serious and easier to exploit than the ProxyLogon vulnerability exploited to install web shells on Exchange servers, they have not received the same level of attention. As a result, many organizations have not patched their servers.\r\nThe group behind the ransomware is also leveraging an NTLM relay attack known as PetitPotam to gain access to domain controllers inside corporate networks.\r\nSource: https://www.csoonline.com/article/3631517/lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.csoonline.com/article/3631517/lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html"
	],
	"report_names": [
		"lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434608,
	"ts_updated_at": 1775791305,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/897d09906ded9cfed627a5f0cd5c2e05bbb2d247.pdf",
		"text": "https://archive.orkl.eu/897d09906ded9cfed627a5f0cd5c2e05bbb2d247.txt",
		"img": "https://archive.orkl.eu/897d09906ded9cfed627a5f0cd5c2e05bbb2d247.jpg"
	}
}