Cybercriminals are now using a method called intermittent encryption that lets them encrypt all the data on a target computer much faster. This relatively new method works by encrypting only sections of the files on the system under attack. Faster encryption reduces the chances of attack failure, antivirus detection or partial data encryption.
This intermittent encryption tactic is no less dangerous, because the affected data is still unrecoverable without a decryptor and the private key. In detail, the encryption process intermittently skips every [n] bytes of a file, which reduces the time required to process the file and make it useless to the victim.
Also, since the encryption process is less complicated, malware detection software that identifies the signals produced by intense file I/O operations might become less effective.
According to a report published by SentinelLabs, the new encryption mode was first used by LockFile ransomware in 2021 and was later adopted by other ransomware groups, including Black Basta, Agenda, Qyick, and PLAY. The criminals behind these threats now promote intermittent encryption in their operations, which also helps entice others into joining their RaaS operations.
Qyick not only uses intermittent encryption but also describes its speed as unmatched. This statement appeared in a notice the malware's promoters posted on hacking forums.
Agenda ransomware, for its part, offers intermittent encryption as an option that can be enabled and configured in its settings if need be. The user may choose between three encryption modes:
This approach is similar to BlackCat's, which also exposes configuration choices that define a byte-skipping algorithm. There are options to encrypt only the initial bytes of a file, to use a dot pattern, or to encrypt a certain percentage of file blocks. In addition, its auto mode combines several modes to achieve a more complicated result.
The recent high-profile PLAY ransomware attack on Argentina's Judiciary also used intermittent encryption. Note that PLAY does not offer configuration options; instead, it checks the file size, divides the file into as many as 3 to 5 chunks, and encrypts every second chunk.
Lastly, Black Basta doesn't allow modes to be selected. The malware decides what to do according to the file size. For files not exceeding 704 bytes in size, it encrypts the whole file. For files between 704 bytes and 4 KB, it encrypts 64 bytes, skips 192 bytes, then encrypts another 64 bytes, and so on.
If the file size exceeds 4 KB, Black Basta ransomware reduces the unaffected byte intervals to 128 bytes, while the encrypted sections remain at 64 bytes.
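A defender's view of the pattern described above, as an added example that is not from the original article or the SentinelLabs report: a whole-file entropy score is diluted when only 64 bytes in every 256 are overwritten, so this Python code scores 64-byte windows and reports the stride between the random-looking ones. The threshold, the function names and the sample buffer are assumptions; the sample is constructed in memory, with seeded random bytes standing in for ciphertext.

```python
import math
import random
from collections import Counter

WINDOW = 64   # bytes per window, matching the 64-byte encrypted runs described above
HIGH = 5.0    # assumed cut-off in bits/byte; a 64-byte window cannot exceed log2(64) = 6

def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def high_entropy_windows(data: bytes, window: int = WINDOW, high: float = HIGH) -> list:
    """One flag per full window: True where the window looks random."""
    return [entropy(data[i:i + window]) >= high
            for i in range(0, len(data) - window + 1, window)]

def stride_bytes(flags: list, window: int = WINDOW):
    """Distance between flagged windows if it is constant, else None."""
    hits = [i for i, f in enumerate(flags) if f]
    gaps = {b - a for a, b in zip(hits, hits[1:])}
    return gaps.pop() * window if len(gaps) == 1 else None

def classify(data: bytes) -> str:
    flags = high_entropy_windows(data)
    ratio = sum(flags) / len(flags) if flags else 0.0
    if ratio == 0:
        return "plain"
    # Uniformly random content is also what compressed or fully encrypted files look like.
    return "uniform-high" if ratio > 0.9 else "partial"

def constructed_sample(size: int = 2048, run: int = 64, skip: int = 192) -> bytes:
    """Constructed test buffer: log text with seeded random bytes standing in for ciphertext."""
    line = b"2024-01-01 00:00:00 INFO service heartbeat ok\n"
    buf = bytearray((line * (size // len(line) + 1))[:size])
    rng = random.Random(7)
    for off in range(0, size, run + skip):
        buf[off:off + run] = bytes(rng.getrandbits(8) for _ in range(run))
    return bytes(buf)

if __name__ == "__main__":
    sample = constructed_sample()
    flags = high_entropy_windows(sample)
    print(f"whole-file entropy: {entropy(sample):.2f} bits/byte")
    print(f"flagged windows: {sum(flags)}/{len(flags)}, stride: {stride_bytes(flags)} bytes")
    print(f"verdict: {classify(sample)}")
```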
From what we have deduced so far, intermittent encryption has huge advantages and probably no significant drawback. Therefore, an increasing number of cybercriminals are likely to join the bandwagon in the future. Speed is one of the most important factors for ransomware operators, as they seek to lock large amounts of data unnoticed.
At the moment, LockBit's version appears to have the fastest encryption speed, so if cybercriminals decide to make use of the partial encryption method, the time required to make a victim's files inaccessible would be shortened even more.
Nevertheless, cybercriminals understand that encryption must be complex enough to prevent independent decryption, regardless of whether intermittent encryption is used. So far, BlackCat's format seems to be highly sophisticated, while new Qyick samples haven't been analyzed by malware researchers yet.
Computer users and companies should take action to implement required cybersecurity measures. A good start would be installing a robust antivirus engine, configuring a firewall and ensuring that secure RDP credentials are used.
Matt Corey is passionate about the latest tech news, gadgets and everything IT. Matt loves to criticize Windows and help people solve problems related to this operating system. When he’s not tinkering around with new gadgets he orders, he enjoys skydiving, as it is his favorite way to clear his mind and relax.