RISKS
What happened
Ransomware developers are increasingly using intermittent encryption, a concerning trend that began with one of the large ransomware families, LockFile, in 2021.
What is “intermittent encryption”? It is a method that encrypts only parts of each targeted file, in a pattern chosen by the developer, while still rendering the victim’s data unrecoverable without the decryption key.
Sentinel Labs posted a report explaining why this tactic is attractive to ransomware operators. “Intermittent encryption is important to ransomware operators from two perspectives:
Speed: Encryption can be a time-intensive process and time is crucial to ransomware operators – the faster they encrypt the victims’ files, the less likely they are to be detected and stopped in the process. Intermittent encryption does irretrievable damage in a very short time frame.
Evasion: Ransomware detection systems may use statistical analysis to detect ransomware operation. Such an analysis may evaluate the intensity of file IO operations or the similarity between a known version of a file, which has not been affected by ransomware, and a suspected modified, encrypted version of the file. In contrast to full encryption, intermittent encryption helps to evade such analyses by exhibiting a significantly lower intensity of file IO operations and much higher similarity between non-encrypted and encrypted versions of a given file.”
Knowing that intermittent encryption is faster and less detectable, many ransomware developers – including Black Basta, ALPHV (BlackCat), PLAY, Agenda and Qyick – are now adopting this tactic. In fact, they “actively promote the presence of intermittent encryption features in their ransomware family to entice affiliates to join the RaaS operation,” according to an article published by Bleeping Computer.
Qyick, a new commercial ransomware spotted in August 2022, is written in the Go language. Sentinel Labs reports, “Notably Qyick features intermittent encryption which is what the cool kids are using as you read this. Combined with the fact that it is written in Go, the speed is unmatched.”
Agenda ransomware is being used primarily to target healthcare and education organizations in Africa and Asia. It allows operators to customize the list of processes and services to terminate and supports several encryption modes, including skip-step, fast, and percent.
BlackCat allows operators to choose between encrypting only the first bytes of a file, encrypting a percentage of each file, following a dot pattern, or combining all three methods.
Black Basta and Play do not offer such configuration; instead they intermittently encrypt based on file size.
Data encryption is complex, and intermittent encryption must be implemented properly to ensure that targeted files are not easily recoverable. However, given its speed and lower detectability, security analysts expect this trend to continue and other ransomware developers to adopt the approach.
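As an added illustration (not code from this briefing, from Sentinel Labs, or from any ransomware family), the following Python shows why the whole-file similarity check quoted above is evaded while a per-block entropy comparison against a known-good copy still catches the skip-step and percent style patterns described. The sample file, the 4 KiB block size and the 7.0 bits/byte threshold are assumptions chosen for the demonstration.

```python
import math
import random

BLOCK = 4096  # assumption: analyse files in 4 KiB blocks

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def whole_file_similarity(original: bytes, suspect: bytes) -> float:
    """Fraction of byte positions left unchanged, the whole-file measure that
    intermittent encryption deliberately keeps high."""
    n = max(len(original), len(suspect))
    return 1.0 if n == 0 else sum(a == b for a, b in zip(original, suspect)) / n

def newly_high_entropy_blocks(original: bytes, suspect: bytes, threshold: float = 7.0) -> list:
    """Indices of blocks that were low-entropy in the known-good copy but are
    near-random in the suspect copy. Comparing against the original keeps
    legitimately high-entropy files (archives, media) from being flagged."""
    hits = []
    for i in range(0, max(len(original), len(suspect)), BLOCK):
        before = shannon_entropy(original[i:i + BLOCK])
        after = shannon_entropy(suspect[i:i + BLOCK])
        if before <= threshold < after:
            hits.append(i // BLOCK)
    return hits

def looks_intermittently_encrypted(original: bytes, suspect: bytes) -> bool:
    """Verdict: mostly intact byte-for-byte, yet some blocks have turned to noise."""
    return bool(newly_high_entropy_blocks(original, suspect))

# Constructed sample, not a real malware artefact: a text file in which every
# fourth 4 KiB block has been overwritten with seeded pseudo-random bytes,
# standing in for the output of a skip-step style pattern.
ORIGINAL = b"The quick brown fox jumps over the lazy dog. " * 2000
_rng = random.Random(1234)
_blocks = [ORIGINAL[i:i + BLOCK] for i in range(0, len(ORIGINAL), BLOCK)]
SUSPECT = b"".join(bytes(_rng.getrandbits(8) for _ in blk) if idx % 4 == 0 else blk
                   for idx, blk in enumerate(_blocks))

if __name__ == "__main__":
    print(f"whole-file similarity: {whole_file_similarity(ORIGINAL, SUSPECT):.2f}")
    print("blocks turned to noise:", newly_high_entropy_blocks(ORIGINAL, SUSPECT),
          "| suspected:", looks_intermittently_encrypted(ORIGINAL, SUSPECT))
```

On the sample, roughly three quarters of the bytes are untouched, so a similarity threshold alone would pass the file, while the block scan reports every fourth block as ciphertext-like.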
Why is this important?
This makes ransomware easier to deploy than ever, which only adds to the considerable growth in ransomware attacks in recent years.
What does this mean to me?
This further magnifies the importance of being prepared for a ransomware attack. That includes a combination of updated antivirus software, promptly applying software updates and patches, avoiding the use of personal applications, and training employees and third parties, among other measures.
APPROACHES
Helpful Controls
- Risk Based Threat Assessment (Ransomware)
- Incident Response Readiness (IRR)
- Tested immutable backups
- Managed Detection and Response (MDR), EDR, XDR
- Limit/remove administrative rights of users for end-user systems
- Cyber Security Awareness Training
Commonality of attack
High
HALOCK Security Briefing Archives: Updates on cybersecurity trends, threats, legislation, reasonable security, and more that impact your risk management program.