Skip to content

LockBit & LockFile Ransomware

As you probably already know, malware is software that is specifically designed to disrupt, damage, or gain unauthorized access to a system, with the intent of stealing some type of information from that system. Ransomware is malware that aims to hold data hostage in exchange for money.

Two particularly malicious types of ransomware dominating NetSec conversations recently are LockBit & LockFile ransomware.


LockBit ransomware is “malicious software designed to block user access to computer systems in exchange for a ransom payment. LockBit will automatically vet for valuable targets, spread the infection, and encrypt all accessible computer systems on a network.” Kapersky

This ransomware is usually targeted very specifically – your workplace may be targeted because of it’s industry, but you may be targeted because you have fallen for phishing attempts in the past, or have been noticed by hackers to have poor attentiveness to social engineering red flags.

Ransomware like this shares behaviors with other established forms of targeted malware such as being self-propagating and using Windows tools to lock machine access. LockBit self-propagates by using scripts that run once a machine is infected. These scripts discover other accessible hosts connected to the infected machine, infecting entire networks without any other human action whatsoever.

LockBit Ransomware “uses tools in patterns that are native to nearly all Windows computer systems. Endpoint security systems have a hard time flagging malicious activity. It also hides the executable encrypting file by disguising it as the common .PNG image file format, further deceiving system defenses.”  Kapersky

LockBit, like many other types of ransomware, uses a three-step method to infect a network: Identify & exploit a targeted weakness, Infiltrate & observe the network, and deploy the encryption attack. This includes disabling anti-virus software and firewalls, and changing the structure of access permissions, making it extremely difficult to restore access to machines or files without actually paying the ransom.


LockFile ransomware is similar to LockBit ransomware, attacking the network in essentially the same way. LockFile uses something called “intermittent encryption”, which encrypts the first few bytes of a file, making it look statistically enough like a “safe” file in order to evade detection. Intermittent encryption encrypts only part of a file toward the beginning, making the file seem “clean” or “safe” to some ransomware detection.

Researchers discovered a novel ransomware emerging on the heels of the ProxyShell vulnerabilities discovery in Microsoft Exchange servers. The threat, dubbed LockFile, uses a unique “intermittent encryption” method as a way to evade detection as well as adopting tactics from previous ransomware gangs.

Discovered by researchers at Sophos, LockFile ransomware encrypts every 16 bytes of a file, which means some ransomware protection solutions don’t notice it because: “an encrypted document looks statistically very similar to the unencrypted original,” Mark Loman, director, engineering, for next-gen technologies at Sophos, wrote in a report on LockFile” in July, 2021. ThreatPost

How can I avoid them?

Even if you don’t have a history of clicking dangerous links or downloading malicious attachments, you still may be a target for bad actors seeking to hold your data hostage.

Behaviors like shopping or accessing social media at the same times every day or week can be seen as an exploitable weakness — so even if you’ve got a clean track record, basic online habits that nearly everyone has could make you a target.

The best way to avoid becoming a victim of especially nefarious malware like this, is to be vigilant when interacting with internet communications. Your personal data has value, and that makes you a target to cybercriminals. Make sure your emails, (including things like shipping notifications and customer review requests) text messages, (including unfamiliar numbers texting you about healthcare or social security issues) mobile apps, (anything that has permission to your mobile device is a security risk) messaging services, (like Facebook, Twitter, Instagram, etc) and other similar communication methods are handled with care.

Any suspicious link or attachment could be the last thing you ever click on your device, and could invite devastating malicious attacks on any network you’re connected to. Your vigilance can save you a huge headache, and potentially your entire life savings.

OCTOBER 5, 2021
Authored here @ hello internet.