Chris Swagler | September 14th, 2022

Numerous ransomware groups are utilizing a new method that increases the encryption process on victims’ systems while decreasing the likelihood of being detected and stopped. The technique, known as intermittent encryption, encrypts only a portion of the content of the targeted files, rendering the data unrecoverable without using a valid decryptor key. According to researchers, intermittent encryption is being heavily promoted to buyers and affiliates and is able to confuse the statistical analysis used by security tools to detect ransomware activities. This threat tactic once again demonstrates the need for human eyes-on-glass 24x7x365 from a Security Operations Center.

The encryption process takes half of the time required for full encryption because it skips every other 16 bytes of a file but permanently locks the content. Additionally, because the encryption is less strict, automated detection tools that depend on looking for warning signs in intense file IO operations are likely to fail.

A report is examining a trend LockFile started in 2021 and now other ransomware groups, including Black Basta, ALPHV (BlackCat), PLAY, Agenda, and Qyick are utilizing the method. To entice affiliates to join the RaaS operation, the ransomware groups actively promote the presence of intermittent encryption features in their ransomware family. According to a Qyick advertisement posted on threat forums, Qyick uses the intermittent encryption process with unmatched speed because it’s written in Go language. As an optional and configurable feature, Agenda ransomware offers intermittent encryption. The following are the three possible partial encryption modes:

Additionally, BlackCat implementing intermittent encryption provides operators with configuration options using various byte-skipping patterns. Using a dot pattern, the malware can encrypt only the first bytes of a file, or a percentage of file blocks and uses an “auto” mode that combines numerous modes for more tangled results.

The recent appearance of PLAY ransomware through a high-profile attack using the speed of intermittent encryption against Argentina’s Cordoba Judiciary. However, Play ransomware doesn’t provide configuration options; depending on file size, it divides the file into 2,3, or 5 chunks, and encrypts every other chunk. One of the biggest names in the space, Black Basta doesn’t allow operators to choose between modes, as its strain determines what to do based on file size. It encrypts all content in small files under 704 bytes in size and encrypts 64 bytes skipping 192 bytes between 704 bytes and 4 kb files. Black Basta’s ransomware reduces the space size of untouched intervals to 128 bytes if the file exceeds 4 kb in size, while the encrypted portion remains 64 bytes.

Intermittent encryption appears to have advantages and few downsides, so security analysts anticipate that more ransomware groups will implement this method in the near future. In terms of encryption speeds, LockBit’s strain is the fastest available. If the LockBit ransomware group used partial encryption, its strike duration would be reduced to minutes. For ransomware groups, encryption can be complex, and the group will attempt to use intermittent encryption to ensure that victims won’t be able to recover their data. BlackCat is the most sophisticated ransomware group when it comes to implementing intermittent encryption, while the Qyick ransomware group is still unknown because malware analysts haven’t analyzed samples of the new RaaS yet.

With the significant benefits to threat actors using intermittent encryption processes, more ransomware groups will continue to adopt this method. It’s important for companies to always remain ahead of the current threat landscape and utilize a cybersecurity company that’s constantly adapting to new trends, including the intermittent encryption process. At SpearTip, our certified engineers handle companies’ cyber incident response and get them back up and running in record time following a serious breach. Our Security Operations Center is working 24/7/365 in a continuous investigative cycle monitoring companies’ data networks for potential ransomware threats. The ShadowSpear Platform, our cutting-edge integrable managed detection response solution, detects sophisticated unknown and advanced threats with comprehensive insights using unparalleled visualizations.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.