Geek's Advice

Ransomware Gangs Begin Using Intermittent Encryption Strategy

September 13, 2022 By Matt Corey

Cybercriminals begin adopting intermittent encryption techniques in new ransomware attacks

Cybercriminals are adopting a new method called intermittent encryption, which lets them encrypt all the data on a target computer much faster. The method works by encrypting only sections of each file on the system under attack. Faster encryption reduces the chances of the attack failing, being detected by antivirus software, or leaving the data only partially encrypted.

Intermittent encryption is no less dangerous, because the affected data still cannot be recovered without a decryptor and the private key. In detail, the process intermittently skips every [n] bytes of a file, which reduces the time required to encrypt the file and make it useless to the victim.

Also, because this encryption process is less complicated, malware detection software that relies on signals produced by intense file I/O operations might become less effective.

Cybercriminals promote new encryption features in hacking forums

According to a report published by SentinelLabs, the new encryption mode was first used by LockFile ransomware in 2021 and was later adopted by other ransomware groups, including Black Basta, Agenda, Qyick, and PLAY. The criminals behind these threats now promote intermittent encryption in their operations, which also helps entice others into joining their RaaS operations.

Qyick not only uses intermittent encryption but also describes its speed as unmatched. The claim appeared in an advertisement its promoters posted in hacking forums.

Qyick ransomware advertisement in a hacking forum.

Agenda ransomware, for its part, offers intermittent encryption as an option that can be enabled and configured in its settings. The user may choose between three encryption modes:

  • Skip-step mode. Parameters ‘skip’ and ‘step’. Encrypts every ‘step’ MB of the file, skips ‘skip’ MB.
  • Fast mode. Parameter ‘f’. Encrypts only the first ‘f’ MB of the file.
  • Percent mode. Parameters ‘n’ and ‘p’, where ‘p’ must be between 1 and 99. Encrypts every ‘n’ MB of the file, skips ‘p’ MB, where ‘p’ means ‘p’ % of the total file size.

BlackCat follows a similar pattern: it exposes configuration choices that define a byte-skipping algorithm. There are options to encrypt only the initial bytes of a file, to use a dot pattern, or to encrypt a certain percentage of file blocks. In addition, its auto mode is configured to combine several modes to achieve a more complicated result.

The recent high-profile PLAY ransomware attack on Argentina’s Judiciary also used intermittent encryption. Note that PLAY does not offer configuration options; instead it checks the file size, divides the file into as many as 3 to 5 chunks, and encrypts every second chunk.

Lastly, Black-Basta does not allow a mode to be selected. The malware decides what to do according to the file size. For files not exceeding 704 bytes in size, it encrypts the whole data. For files between 704 bytes and 4 KB, it locks 64 bytes, skips 192 bytes, then locks another 64 bytes, and so on.

Intermittent data encryption by Black-Basta ransomware (source: App.Any.Run)

If the file size exceeds 4 KB, Black-Basta ransomware reduces the unaffected byte intervals to 128 bytes while the encrypted sections still remain at 64 bytes.
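From a detection standpoint, the 64-byte stripes described above leave a measurable trace: a single whole-file entropy figure stays low, while a per-block scan shows high-entropy blocks at a regular period. The following Python sketch is an added example, not code from SentinelLabs or from any ransomware sample; the 64-byte window, the 5.2 bits/byte cutoff and the test data (seeded random bytes standing in for ciphertext) are assumptions made for illustration.

```python
import math
import random
from collections import Counter

BLOCK = 64   # analysis window in bytes; matches the 64-byte runs described above
HIGH = 5.2   # assumed cutoff in bits/byte; a 64-byte window can reach at most 6.0

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def constructed_sample(size: int, enc: int, skip: int, seed: int = 7) -> bytes:
    """Constructed input: log-like text with seeded random bytes standing in
    for ciphertext in runs of `enc` bytes separated by `skip` untouched bytes."""
    rng = random.Random(seed)
    line = b"timestamp=2022-09-13 level=info msg=constructed sample line\n"
    buf = bytearray((line * (size // len(line) + 1))[:size])
    for off in range(0, size, enc + skip):
        end = min(off + enc, size)
        buf[off:end] = bytes(rng.getrandbits(8) for _ in range(end - off))
    return bytes(buf)

def analyse(data: bytes) -> dict:
    """Compare one whole-file entropy figure with a per-block scan."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data) - BLOCK + 1, BLOCK)]
    high = [i for i, b in enumerate(blocks) if entropy(b) > HIGH]
    gaps = Counter(b - a for a, b in zip(high, high[1:]))
    gap, hits = gaps.most_common(1)[0] if gaps else (0, 0)
    regular = bool(gaps) and hits / sum(gaps.values()) >= 0.9
    frac = len(high) / len(blocks) if blocks else 0.0
    return {
        "whole_file_entropy": entropy(data) if data else 0.0,
        "high_block_fraction": frac,
        "period_bytes": gap * BLOCK if regular else None,
        # Partial but regularly spaced high-entropy blocks: the striped layout.
        "intermittent": regular and gap > 1 and frac < 0.9,
    }

if __name__ == "__main__":
    for size, skip in ((4096, 192), (8192, 128)):
        print(size, analyse(constructed_sample(size, 64, skip)))
```

The scan assumes the stripes are aligned to 64-byte boundaries, as in the two layouts above; other layouts would need a sliding window instead of fixed blocks.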

Intermittent encryption to be seen in more ransomware attacks

From what we have deduced so far, intermittent encryption has huge advantages and probably no significant drawback. Therefore, an increasing number of cybercriminals are likely to join the bandwagon in the future. Speed is one of the most important factors to ransomware operators, as they seek to lock large amounts of data unnoticed.

At the moment, LockBit’s version appears to have the fastest encryption speed, so if cybercriminals decide to make use of the partial encryption method, the time required to make the victim’s files inaccessible would be shortened even more.

Nevertheless, cybercriminals understand that encryption must be complex enough to prevent independent decryption regardless of whether intermittent encryption was used or not. So far, BlackCat’s format seems to be highly sophisticated, while new Qyick samples, on the other hand, haven’t been analyzed by malware researchers yet.

Computer users and companies should take action to implement required cybersecurity measures. A good start would be installing a robust antivirus engine, configuring a firewall and ensuring that secure RDP credentials are used.
