Ransomware Gangs Adopt New Intermittent Encryption Tactics
Reading Time: 2 minutes

Ransomware gangs adopt new intermittent encryption tactics that help them encrypt systems faster and increase their chance to avoid detection, leading to a growing number of ransomware groups adopting it.

Intermittent encryption is the tactic of encrypting some of the targeted files’ content. This renders the data unrecoverable without using a valid decryptor+key.

A good example is to skip every other 16 bytes of a file. The encryption process for this takes one-half time than full encryption, but still blocks all access to the contents.

Additionally, the encryption is milder so automated detection tools that rely on detecting signs of trouble in the form of intense file IO operations are more likely to fail.

What the so called Cool Kids use?
A trend started by LockFile in 2021 has been adopted by Black Basta, ALPHV (BlackCat), PLAY, Agenda, and Qyick.

These groups actively promote their ransomware, and some even use intermittent encryption.

According to Qyick’s advertisement on hacking forums, their encryption is “intermittent” and their AI is written in Go, which allows it to be faster than other AI.qyick-promo

Agenda is configurable, partially encrypted, with three variable encryption modes such as

  • skip-step [skip: N, step: Y] – Encrypt every Y MB of the file, skipping N MB.
  • fast [f: N] – Encrypt the first N MB of the file.
  • percent [n: N; p:P] – Encrypt every N MB of the file, skipping P MB, where P equals P% of the total file size.

The implementation of intermittent encryption and byte skipping patterns give operators a variety of configuration choices.

Malware can encrypt only the first bytes of a file, follow a dotted pattern or encrypt your entire file. The auto mode encrypts multiple files at once.

Ransomware is becoming so prolific that even countries such as Argentina have been targeted. Ransomware emerges via high-profile attacks and targets intermittent encryption.

PLAY is a file encryption program with no configuration options. Instead, it breaks the file into parts and encrypts every other chunk of data.

Black Basta doesn’t allow operators to set modes, and instead automatically chooses the best mode based on file size.

It encrypts all the small files under 704 bytes, but for larger files below 4Kb it only encrypts 64 bytes and skips 192 bytes in between.

The black basta ransomware will encrypt a file, leaving it at 64 bytes while making untouched spaces 128 bytes.

How different devices use intermittent encryption connections?
Ransomware gangs are beginning to use intermittent encryption, which appears to have significant advantages and no downsides.

The LockBit strain of encryption is the quickest around, meaning that if the gang adopted the partial encryption technique, it would be reduced to a couple of minutes.

Intermittent encryption is a complicated topic, but implementing it correctly is crucial to ensure victims can’t access their stolen data.

The RaaS, Qyick has not been analyzed by malware analysts because it is new, while BlackCat’s implementation is the most advanced.

Related Articles:
Cryptocurrency Worth $30 Million Stolen by North Korean-linked Lazarus Group Seized by US Authorities
Multiple Security Vulnerabilities With Baxter’s Internet-Connected Infusion Pumps
Think Like a Hacker to Protect your Digital Life