A “Russian trace” has been found in LockFile, a new and particularly dangerous family of ransomware. Researchers at Sophos found that the malware uses intermittent encryption: rather than encrypting all of the data on the victim’s computer, it encrypts only 16 bytes of each file.
Cybersecurity analysts have linked LockFile to “Russian hackers” from the DarkSide and BlackMatter groups, who used similar tactics in their attacks. The approach helps the malware evade antivirus detection: text files it has processed, for example, still look like ordinary documents. Yet the loss of 16 bytes of data can be critical for any financial document.
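Because half of the bytes stay in plaintext, a scanner that measures only whole-file entropy can miss this kind of partial encryption. The added example below (written for this article, not code from Sophos or from the malware) splits a file into alternating 16-byte chunks and compares the entropy of the even-numbered chunks with that of the odd-numbered ones; the invoice text and its damaged copy are constructed fixtures, and the assumption that the alternation is aligned to the start of the file is a simplification.

```python
import hashlib
import math

CHUNK = 16  # granularity the article attributes to LockFile


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parity_entropies(data: bytes, chunk: int = CHUNK):
    """Return (whole, even_chunks, odd_chunks) entropies. Assumes the alternation
    starts at offset 0; a production scanner would also try other phase offsets."""
    even = b"".join(data[i:i + chunk] for i in range(0, len(data), 2 * chunk))
    odd = b"".join(data[i:i + chunk] for i in range(chunk, len(data), 2 * chunk))
    return shannon_entropy(data), shannon_entropy(even), shannon_entropy(odd)


def looks_intermittently_encrypted(data: bytes, chunk: int = CHUNK,
                                   high: float = 7.0, gap: float = 2.0) -> bool:
    """Flag when one parity of chunks is near-random while the other is not."""
    _, even, odd = parity_entropies(data, chunk)
    return max(even, odd) >= high and abs(even - odd) >= gap


def build_fixture():
    """Constructed sample: a plain-text 'invoice' and a copy in which every other
    16-byte chunk is overwritten with SHA-256 output. This only imitates the
    damage pattern so the detector can be tested; it is not a cipher."""
    clean = b"".join(
        b"Invoice %04d  amount EUR %7d  account DE00-EXAMPLE\n" % (i, i * 137)
        for i in range(200))
    damaged = bytearray(clean)
    for start in range(CHUNK, len(clean), 2 * CHUNK):
        fill = hashlib.sha256(b"fixture-%d" % start).digest()[:CHUNK]
        damaged[start:start + CHUNK] = fill[:len(clean) - start]
    return clean, bytes(damaged)


if __name__ == "__main__":
    for name, blob in zip(("clean", "damaged"), build_fixture()):
        whole, even, odd = parity_entropies(blob)
        print(f"{name}: whole={whole:.2f} even={even:.2f} odd={odd:.2f} "
              f"flagged={looks_intermittently_encrypted(blob)}")
```

On the damaged fixture the whole-file entropy lands between the two parity values, which is why the per-parity comparison rather than a single file-level threshold is what separates the two cases.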
The group that operates the LockFile ransomware goes by the same name. It first appeared in July of this year, and over the last two months LockFile has become widely known after a series of attacks on Microsoft Exchange servers.
BlackMatter presents itself as the darknet’s new leading group, the successor to DarkSide and REvil. On hacker forums, BlackMatter representatives have already announced that they are willing to pay for access to compromised corporate networks. At the same time, one of the group’s members admitted that the recent withdrawal of several large hacker groups from the market is directly related to the geopolitical situation.