Ransomware Gangs Switching To New Intermittent Encryption Tactic
Ransomware groups are adopting a new tactic that helps them encrypt their victims’ systems faster while making it harder for defenders to detect them.
The tactic is called intermittent encryption. Its main characteristic is that it encrypts only a fraction of each targeted file, yet the data still cannot be recovered without a valid decryptor and key.
For example, by skipping every other 16 bytes of a file, the encryption process takes almost half of the time required for full encryption but still locks the contents for good.
Additionally, because far less data is rewritten, automated detection tools that look for signs of trouble in the form of intense file I/O are more likely to miss the attack.
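To make the two claims above concrete (half the bytes touched for an "every other 16 bytes" pattern, and a file that no longer looks fully encrypted to a naive check), here is an added Python example that is not part of the article or of any ransomware family it names. It builds a constructed test fixture in memory, overwriting alternating 16-byte windows of a sample text with seeded pseudo-random bytes that stand in for ciphertext (no cipher or key is involved), then runs a simple per-window detector over it. The fixture text, the chunk/stride parameters and the printable-ASCII heuristic are this example's own assumptions; a detector for binary formats would need a per-format baseline instead.

```python
import math
import random
from typing import Dict, List

# Constructed sample plaintext: a plain-ASCII log fragment repeated to 4 KiB.
# It stands in for a document a ransomware sample would target.
_LINE = b"2022-09-10 12:00:00 INFO worker-3 processed invoice 4471 status=ok\n"
SAMPLE_PLAINTEXT = (_LINE * ((4096 // len(_LINE)) + 1))[:4096]

# Bytes a text file is expected to contain: printable ASCII plus tab, LF, CR.
_PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def simulate_partial_overwrite(data: bytes, chunk: int = 16, stride: int = 32,
                               seed: int = 2022) -> bytes:
    """Return a test fixture shaped like an intermittently encrypted file.

    Every `stride` bytes, `chunk` bytes are replaced with seeded pseudo-random
    bytes standing in for ciphertext. No cipher is used: the fixture only
    reproduces the on-disk shape (alternating opaque and clear windows) that a
    detector has to cope with. chunk=16, stride=32 is the 'every other
    16 bytes' pattern; other values model other skip patterns (assumption).
    """
    rng = random.Random(seed)
    out = bytearray(data)
    for off in range(0, len(out), stride):
        end = min(off + chunk, len(out))
        out[off:end] = bytes(rng.getrandbits(8) for _ in range(end - off))
    return bytes(out)


def bytes_rewritten(size: int, chunk: int = 16, stride: int = 32) -> int:
    """Number of bytes a chunk/stride pattern writes in a file of `size` bytes."""
    return sum(min(chunk, size - off) for off in range(0, size, stride))


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer; 8.0 would be perfectly uniform."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def block_profile(data: bytes, block: int = 16, min_opaque: int = 2) -> List[bool]:
    """Classify each `block`-byte window as opaque (True) or clear (False).

    A window counts as opaque when at least `min_opaque` of its bytes fall
    outside printable ASCII. Untouched text windows score 0; a 16-byte window
    of random bytes almost always scores well above the threshold.
    """
    flags = []
    for off in range(0, len(data), block):
        window = data[off:off + block]
        non_printable = sum(1 for b in window if b not in _PRINTABLE)
        flags.append(non_printable >= min_opaque)
    return flags


def analyse(data: bytes, block: int = 16) -> Dict[str, object]:
    """Summarise a buffer: whole-file entropy plus the opaque/clear window layout."""
    flags = block_profile(data, block)
    transitions = sum(1 for a, b in zip(flags, flags[1:]) if a != b)
    opaque_fraction = sum(flags) / len(flags)
    if transitions >= 0.9 * (len(flags) - 1):
        pattern = "alternating"      # opaque/clear windows strictly interleaved
    elif opaque_fraction > 0.95:
        pattern = "full"             # what a whole-file encryptor leaves behind
    elif opaque_fraction < 0.05:
        pattern = "clear"            # untouched file
    else:
        pattern = "mixed"
    return {
        "whole_file_entropy": shannon_entropy(data),
        "opaque_fraction": opaque_fraction,
        "pattern": pattern,
    }


if __name__ == "__main__":
    fixture = simulate_partial_overwrite(SAMPLE_PLAINTEXT)
    print("bytes rewritten:", bytes_rewritten(len(SAMPLE_PLAINTEXT)), "of", len(SAMPLE_PLAINTEXT))
    print("untouched file :", analyse(SAMPLE_PLAINTEXT))
    print("fixture        :", analyse(fixture))
```

The run shows the two points a detection engineer cares about: only 2048 of 4096 bytes are written, so an I/O-volume threshold tuned for full encryption sees half the expected traffic, and the whole-file entropy of the fixture sits clearly below the roughly 8 bits per byte that a fully encrypted file produces, so a single whole-file entropy threshold can miss it. Looking at the layout of windows instead of the file as a whole (the "alternating" verdict) recovers the signal.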
What Top Famed Hackers Use
SentinelLabs has published a report examining a trend that LockFile started in mid-2021 and that Black Basta, ALPHV (BlackCat), PLAY, Agenda, and Quick have since adopted.
These groups actively advertise the intermittent encryption features of their ransomware families to entice affiliates to join the RaaS operation.
Notably, Quick features intermittent encryption, which is what the cool kids are using as you read this.
BlackCat’s implementation of intermittent encryption also gives operators configuration choices in the form of several byte-skipping patterns.
For example, the malware can encrypt only the first bytes of a file, follow a dot pattern, encrypt a percentage of the file’s blocks, or use an “auto” mode that combines several of these modes for a more tangled result.
Intermittent Encryption Outlook And Sophistication
Intermittent encryption seems to have significant advantages and virtually no downsides, so security analysts expect more ransomware gangs to adopt this approach shortly.
LockBit’s strain is already the fastest out there in terms of encryption speed, so if the gang adopted the partial encryption technique, the duration of its attacks would shrink to a couple of minutes.
Of course, encryption is a complex matter, and the attackers must implement intermittent encryption correctly to ensure that it does not leave the data easily recoverable by the victims.
Right now, BlackCat’s implementation is the most sophisticated, while that of Quick remains unknown since malware analysts have not yet analyzed samples of the new RaaS.