LockFile has no direct descendants - there is no lineage of this ransomware. However, the threat actors referenced and copied some of their operations from well-established groups. For example, the ransom note dropped when executing the encryptor is undoubtedly copied from LockBit 2.0. They look exactly the same. Even the double extortion TOR link states that it's LockBit 2.0. Due to this, researchers believe that the threat actors behind LockFIle were LockBit 2.0 affiliates that branched off to begin their own operations. Also, AtomSilo, derived from LockFile, referenced BlackMatter on their double extortion website and Cerber for its ransom note. So, it's apparent that the threat actors behind LockFile used known tactics from others, which isn't uncommon.
Speaking of the threat actors, Microsoft and SecureWorks both attribute the threat actors to China, which could even be state-sponsored with a primary goal of intellectual property theft. Microsoft dubs them DEV-0401, and SecureWorks calls them BRONZE STARLIGHT. However, they also go by Cinnamon Tempest, Emperor Dragonfly, and SLIME34. By all accounts, these are different names for the same group. SecureWorks researchers note their persistent use of HUI Loader, a custom DLL loader used to download additional malware, against primarily Japanese organizations. On the other hand, Microsoft and Sophos extensively documented the group's leveraging of several vulnerabilities in Microsoft Exchange servers. You may have seen these vulnerabilities called by the names ProxyShell and PetitPotam. There are four known vulnerabilities leveraged by BRONZE STARLIGHT in these attacks - CVE-2021-31207, CVE-2021-34473, CVE-2021-34523, and CVE-2021-36942.
Interestingly, the threat actors certainly stole some of LockBit 2.0 ideas, but they later altered their "lone wolf" status and became LockBit 2.0 affiliates. This is after they used a slew of different ransomware strains - LockFile, AtomSilo, Rook, NightSky, Pandora, and finally, LockBit 2.0. They frequently rebranded and also leveraged different vulnerabilities and attack tools. Even the encryptors they used were different throughout their array of ransomware strains. However, their first two were relatively the same. LockFile and AtomSilo used AES-256 to encrypt the files, then encrypted the AES-256 key with a public RSA-4096 key. Not only that, but the ransom note file names were practically the same, using the computer name and a timestamp in the file name string. Thankfully, Avast created a decryptor for AtomSilo and LockFile, which you can find at the bottom of this page.
