Intermittent Encryption

Chris Swagler | February 14th, 2023


Threat operators continue to exhibit their cunning and competence in evading companies’ cybersecurity defenses. A growing ransomware technique, intermittent encryption, is evading cybersecurity technologies including endpoint security, extended detection and response (XDR), and other security measures. When encrypting an entire file, ransomware operators face two major challenges: the time it takes the malware to encrypt the data and the ease with which ransomware is identified once an entire file has been encrypted. Intermittent encryption is a stealthy strategy that conceals this behavior by encrypting only small portions of a file, alternating which sections are altered and skipping others. This makes the activity less visible to ransomware detection software while still rendering the entire file unreadable.

The faster victims can decrypt their data, the more financially viable paying the ransom becomes. Ransomware is a thriving industry, and cybercriminals profit from intermittent encryption. Companies won’t pay the ransom if they know their data can’t be easily recovered. However, if threat operators can speed up the decryption process, it may be financially preferable for victims to pay the threat operators rather than spend the time, effort, and money needed to recover from backups.

Encrypting entire files is the simplest approach for malware, but encrypting small blocks of a file is stealthier and finishes faster. Time is the threat operator’s enemy: encrypting a gigabyte or terabyte of data takes far longer than encrypting a few 10-megabyte blocks. Because intermittent encryption touches only small portions of a file, the malware mimics how legitimate software behaves when it modifies small blocks of a file. For example, if a legitimate file uses compressed blocks and one block becomes corrupted, the entire file becomes unreadable; in the same way, even though ransomware alters only a portion of a file, the whole file is rendered unusable. Because the file structure remains intact, security tools have a harder time determining whether a file has been encrypted or legitimately modified.

Proactive Measures To Prevent Intermittent Encryption

Recently, intermittent encryption has become more common as threat operators use automated implementations offered through ransomware-as-a-service (RaaS). RaaS is a subscription model that lets threat operator affiliates use pre-built ransomware tools to carry out their operations. LockFile and Qyick are ransomware variants that use intermittent encryption; Agenda ransomware offers three different intermittent encryption modes, and other variants divide files into pieces and encrypt the sections using different patterns.

To detect unusual malicious activity, modern ransomware detection tools use behavioral analysis. Even though this is a science, it requires balance so that cybersecurity solutions don’t lock down applications to the point of making them unusable. Defending companies requires multilayered cybersecurity to combat ransomware attacks. Employees need to be trained on how to avoid downloading dangerous files from unknown websites, opening suspicious email attachments from unknown senders, and clicking links that may lead to malicious files. Although it’s obvious that EDR, XDR, and other security tools should be kept updated, new malware variants are released into the wild daily, and updates alone will not catch every unknown variant.

Endpoint security products encounter unknown software, and every security product must decide whether that software is safe or dangerous. If security is overly strict, both good and bad applications are affected; getting this right requires fine-tuning and a balance of science and knowledge gathered from behavioral observation. Ransomware detection products use entropy analysis to assess the overall statistical variation in a file’s contents, which helps analysts quickly identify encrypted or compressed files: encrypted data has consistently high, noise-like entropy, which is mathematically easy to detect. Another method for detecting ransomware is to examine the file format’s magic number, a fixed constant used to identify a file type. The first few bytes of a file, which form a numeric or string constant indicating the file type, are known as the magic number. Malware detection software can check whether the magic number has been altered from a valid file type to random bytes. When ransomware employs intermittent encryption, these detection algorithms are rendered ineffective.
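The two checks described above, a whole-file entropy score and a magic-number test, can be tried against a partially encrypted file. The following added example (not from this article or from SpearTip’s tooling) scores entropy per 4 KiB block as well as for the whole file, using constructed sample data in which two of eight blocks are overwritten with pseudo-random bytes to stand in for ciphertext; the whole-file score and the magic number both still look clean, while the per-block view flags the altered blocks.

```python
import math
import random
from collections import Counter

BLOCK = 4096           # block size the scanner uses
MAGIC_PDF = b"%PDF-"   # PDF magic number, one of the headers a scanner checks
HIGH = 7.0             # bits/byte at or above which a block looks encrypted (or compressed)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def block_entropies(data: bytes, block: int = BLOCK) -> list:
    """Entropy of each fixed-size block, so a few random-looking blocks are not averaged away."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]

def assess(data: bytes, magic: bytes = MAGIC_PDF) -> dict:
    """Magic-number and whole-file entropy checks next to a per-block view."""
    whole = shannon_entropy(data)
    per_block = block_entropies(data)
    hot = [i for i, e in enumerate(per_block) if e >= HIGH]
    return {
        "magic_intact": data.startswith(magic),       # header untouched: still looks like a PDF
        "whole_file_flagged": whole >= HIGH,          # whole-file entropy check
        "whole_file_entropy": round(whole, 2),
        "high_entropy_blocks": hot,                   # per-block entropy check
        "partially_encrypted": 0 < len(hot) < len(per_block),
    }

def build_sample(scrambled_blocks=(1, 5), total_blocks=8, seed=7) -> bytes:
    """Constructed test file (synthetic, not real ransomware output): a PDF-style header,
    repetitive text, and the listed blocks overwritten with pseudo-random bytes as a
    stand-in for ciphertext."""
    rng = random.Random(seed)
    text = (b"Quarterly report: revenue steady, costs flat. " * 800)[:BLOCK * total_blocks]
    buf = bytearray(MAGIC_PDF + text[len(MAGIC_PDF):])
    for b in scrambled_blocks:
        buf[b * BLOCK:(b + 1) * BLOCK] = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    return bytes(buf)

if __name__ == "__main__":
    print("clean  :", assess(build_sample(scrambled_blocks=())))
    print("partial:", assess(build_sample()))
```

A real scanner would also need to allow for legitimately high-entropy blocks (compressed images, archives), which is the tuning problem the paragraph describes.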

Clients can quickly become comfortable, believing they have all the cybersecurity capabilities required, which can lead to disaster. Companies need to believe that there’s always something they can do to defend their assets. The most significant impediment to properly securing companies’ data and systems is a false belief that their cyber walls are powerful enough to prevent attacks. It’s preferable to believe that their security postures aren’t enough and require continuous monitoring and adaptation.

With intermittent encryption becoming a growing ransomware threat, it’s important for companies to remain vigilant about the current threat landscape and take proactive measures to defend against future cyberattacks. At SpearTip, our SOC team engages with companies’ people, processes, and technology to measure the maturity of the technical environment. Our extensive experience responding to thousands of security incidents helps companies close operational, procedural, and technical control gaps measured against security standards. Our engineers discover blind spots that can lead to significant compromises by assessing both technology and internal personnel. Our ShadowSpear Threat Hunting is a critical pre-breach step that allows our engineers to evaluate the effectiveness of current security measures, determine the overall health of the environment, and prevent future breaches.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.
