Ransomware - LockFile

LockFile
Decryptor Available
Yes
Description

LockFile has no direct descendants - there is no lineage of this ransomware. However, the threat actors referenced and copied some of their operations from well-established groups. For example, the ransom note dropped when executing the encryptor is undoubtedly copied from LockBit 2.0. They look exactly the same. Even the double extortion TOR link states that it's LockBit 2.0. Due to this, researchers believe that the threat actors behind LockFIle were LockBit 2.0 affiliates that branched off to begin their own operations. Also, AtomSilo, derived from LockFile, referenced BlackMatter on their double extortion website and Cerber for its ransom note. So, it's apparent that the threat actors behind LockFile used known tactics from others, which isn't uncommon.

Speaking of the threat actors, Microsoft and SecureWorks both attribute the threat actors to China, which could even be state-sponsored with a primary goal of intellectual property theft. Microsoft dubs them DEV-0401, and SecureWorks calls them BRONZE STARLIGHT. However, they also go by Cinnamon Tempest, Emperor Dragonfly, and SLIME34. By all accounts, these are different names for the same group. SecureWorks researchers note their persistent use of HUI Loader, a custom DLL loader used to download additional malware, against primarily Japanese organizations. On the other hand, Microsoft and Sophos extensively documented the group's leveraging of several vulnerabilities in Microsoft Exchange servers. You may have seen these vulnerabilities called by the names ProxyShell and PetitPotam. There are four known vulnerabilities leveraged by BRONZE STARLIGHT in these attacks - CVE-2021-31207, CVE-2021-34473, CVE-2021-34523, and CVE-2021-36942.

Interestingly, the threat actors certainly stole some of LockBit 2.0 ideas, but they later altered their "lone wolf" status and became LockBit 2.0 affiliates. This is after they used a slew of different ransomware strains - LockFile, AtomSilo, Rook, NightSky, Pandora, and finally, LockBit 2.0. They frequently rebranded and also leveraged different vulnerabilities and attack tools. Even the encryptors they used were different throughout their array of ransomware strains. However, their first two were relatively the same. LockFile and AtomSilo used AES-256 to encrypt the files, then encrypted the AES-256 key with a public RSA-4096 key. Not only that, but the ransom note file names were practically the same, using the computer name and a timestamp in the file name string. Thankfully, Avast created a decryptor for AtomSilo and LockFile, which you can find at the bottom of this page.

Ransomware Type
Crypto-Ransomware
Data Broker
Country of Origin
China
First Seen
Last Seen
Threat Actors
Type
Actor
APT
BRONZE STARLIGHT
Extortion Types
Direct Extortion
Double Extortion
Free Data Leaks
Communication
Moyen
Identifiant
Tox
Encryption
Type
Hybrid
Files
AES-256
Key
RSA-4096
File Extension
<file name>.lockfile
Ransom Note Name
#COMPUTER#-LOCKFILE-README.hta
LOCKFILE-FILE-#COMPUTER#-#TIME#.hta
LOCKFILE-README.hta
LOCKFILE-README-#COMPUTER#-#TIME#.hta
Ransom Note Image
Samples (SHA-256)
2a23fac4cfa697cc738d633ec00f3fbe93ba22d2498f14dea08983026fdf128a
a926fe9fc32e645bdde9656470c7cd005b21590cda222f72daf854de9ffc4fe0
bf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce
cafe54e85c539671c94abdeb4b8adbef3bde8655006003088760d04a86b5f915
The Crypto-Ransomware Digest: LockFile Ransomware