Lockfile

Malware Profile Updated 3 months ago
LockFile is a type of malicious software, or malware, that has been linked to ransomware activity. It can infiltrate a system via suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. Analysis of a PlugX sample associated with LockFile suggests a connection to Chinese threat group activity, and other samples such as HUI Loader, which loads the Cobalt Strike Beacon, have also been linked to LockFile. The links between LockFile, HUI Loader, and a specific sub-version of PlugX suggest that the threat group responsible for the ransomware activity connected to HUI Loader may have access to malware developed by Chinese government-sponsored groups. BRONZE STARLIGHT operates LockFile as a traditional ransomware scheme, while adopting a name-and-shame model for its other ransomware operations. Notably, some ransomware families, LockFile among them, encrypt only part of each file, especially when the file is very large; this intermittent encryption is used to evade detection. LockFile has also been observed using the PetitPotam exploit to compromise Windows Domain Controllers, adding another layer of complexity to its operations. To combat this threat, Avast has released a decryptor tool specifically designed for Atom Silo and LockFile ransomware. Heimdal™ Security also offers an integrated cybersecurity suite featuring a Ransomware Encryption Protection module that is compatible with any antivirus solution. This module is 100% signature-free, ensuring superior detection and remediation of any type of ransomware, including recent ones like LockFile. Despite these countermeasures, the exact number and nature of LockFile victims remain unclear.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Atomsilo (1 vote): AtomSilo is a type of malware that has been linked to several other ransomware families including LockFile, Rook, Night Sky, and Pandora. This connection was revealed through the analysis of Cobalt Strike Beacon samples loaded by HUI Loader. CTU analysis suggests that these five ransomware families…

Night Sky (1 vote): Night Sky is a potent form of malware that has been linked to several significant ransomware activities, including LockFile, AtomSilo, Rook, and Pandora. Analysis of the Cobalt Strike Beacon samples loaded by HUI Loader has revealed a connection between AtomSilo, Night Sky, and Pandora ransomware, s…

PlugX (1 vote): PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It…

Rook (1 vote): Rook is a malicious software (malware) linked to several ransomware activities, including LockFile, AtomSilo, Night Sky, and Pandora. These activities are associated with the deployment of HUI Loader, which has been used in loading Cobalt Strike Beacon. A CTU analysis revealed that these five ransom…

Bronze Starlight (1 vote): Bronze Starlight, a Chinese threat actor group, has been linked to various malicious activities in the cybersecurity landscape. The group is known for deploying different types of ransomware payloads, including traditional ransomware schemes such as LockFile and name-and-shame models. Bronze Starlig…

Babuk (1 vote): Babuk is a type of malware, specifically ransomware, which is designed to infiltrate systems and hold data hostage for ransom. It can be delivered through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside a system, Babuk can disrupt operations and steal perso…
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Encryption
Malware
Loader
Cybercrime
Extortion
Windows
Antivirus
Encrypt
Exploit
Atom
Associated Malware
Cobalt Strike Beacon (type: Unspecified; 1 vote): Cobalt Strike Beacon is a type of malware known for its harmful capabilities, including stealing personal information, disrupting operations, and potentially holding data hostage for ransom. The malware has been loaded by HUI Loader through various files such as mpc.tmp, dlp.ini, vmtools.ini, and an…

Ryuk (type: Unspecified; 1 vote): Ryuk is a sophisticated malware, specifically a ransomware variant, that has been extensively used by cybercriminal group ITG23. The group has been employing crypting techniques for several years to obfuscate their malware, with Ryuk often seen in tandem with other malicious software such as Trickbo…

Pandora Ransomware (type: Unspecified; 1 vote): Pandora ransomware is a type of malware that has been connected to several other malicious software strains, including AtomSilo, Night Sky, and Rook. Researchers from CTU identified code overlap between the updated HUI Loader samples and Pandora ransomware, suggesting a common origin or shared devel…

Black Basta (type: Unspecified; 1 vote): Black Basta is a notorious malware entity known for its devastating ransomware attacks. First emerging in June 2022, the group has since been associated with a series of high-profile cyber-attacks worldwide. This malware, like others, infiltrates systems through suspicious downloads, emails, or webs…
Associated Threat Actors
Blackmatter (type: Unspecified; 1 vote): BlackMatter is a recognized threat actor in the cybersecurity industry, notorious for its malicious activities and the execution of ransomware attacks. The group initially operated as DarkSide, responsible for the high-profile Colonial Pipeline attack in May 2021, which led to significant attention…

Alphv (type: Unspecified; 1 vote): AlphV, also known as BlackCat, is a notable threat actor in the cybersecurity landscape. This group has been involved in numerous high-profile attacks, including stealing 5TB of data from Morrison Community Hospital and compromising Clarion, a global manufacturer of audio and video equipment for car…
Associated Vulnerabilities
CVE-2021-44228 (type: Unspecified; 1 vote): CVE-2021-44228, also known as the Log4j vulnerability, is a software flaw found in Apache Log4j, a widely used logging utility. Despite multiple attempts by Advanced Persistent Threat (APT) actors to exploit this vulnerability in the ServiceDesk system, these efforts were unsuccessful. However, it b…
Source Document References
Information about the Lockfile malware was read from the documents corpus below. This display is limited to 20 results.
MITRE (7 months ago): "RotaJakiro: A long live secret backdoor with 0 VT detection"

CERT-EU (8 months ago): "How does Ransomware work? - Ransomware Help & Tech Support"

CERT-EU (a year ago): "What Is Double Extortion Ransomware?"

Secureworks (a year ago): "BRONZE STARLIGHT Ransomware Operations Use HUI Loader"

CERT-EU (a year ago): "200+ Free Ransomware Decryption Tools You Need [2022 List]"

DARKReading (a year ago): "Free Tool Unlocks Some Encrypted Data in Ransomware Attacks"