The LockFile malware is different from most ransomware. LockFile intermittently encrypts files to evade the appearance of wrong doing from security tools that monitor systems.
Symantec reported on August 20 that LockFile had been targeting organizations in the “manufacturing, financial services, engineering, legal, business services, and travel and tourism sectors” since at least July 20. But the company offered limited information about how LockFile spread or how it actually encrypted victims’ files.
Sophos revealed other tricks LockFile uses to evade detection, including deleting itself to make it more difficult to analyze, but the use of intermittent encryption is what makes the ransomware unique. The best way to protect a server from LockFile is to patch the ProxyShell vulnerabilities and defend against the PetitPotam attack.