A growing number of ransomware groups are adopting a new tactic that helps them encrypt their victims' systems faster while reducing the chances of being detected and stopped.
This tactic is called intermittent encryption: the ransomware encrypts only parts of each targeted file's content, which is still enough to render the data unusable without a valid decryptor and key.
For example, encrypting alternating 16-byte blocks (every other 16 bytes) takes roughly half the time of full encryption while still leaving the file unusable.
Additionally, because far fewer bytes are read and written, automated detection tools that look for the intense file I/O of bulk encryption are more likely to miss it.
"What the cool kids use."
SentinelLabs has posted a report examining a trend started by LockFile in mid-2021 and now adopted by the likes of Black Basta, ALPHV (BlackCat), PLAY, Agenda, and Qyick.
These groups actively promote the presence of intermittent encryption features in their ransomware family to entice affiliates to join the RaaS operation.
"Notably, Qyick features intermittent encryption, which is what the cool kids are using as you read this. Combined with the fact that it is written in Go, the speed is unmatched," reads a Qyick advertisement on hacking forums.
Agenda ransomware offers intermittent encryption as an optional and configurable setting. The three possible partial encryption modes are:
- skip-step [skip: N, step: Y] - Encrypt Y MB of the file, then skip N MB, and repeat to the end of the file.
- fast [f: N] - Encrypt only the first N MB of the file.
- percent [n: N; p:P] - Encrypt N MB of the file, then skip P MB, where P is P% of the total file size, and repeat.
BlackCat's implementation of intermittent encryption also gives operators configuration choices in the form of various byte-skipping patterns.
For example, the malware can encrypt only the first bytes of a file, follow a dot pattern, or encrypt a percentage of the file's blocks, and it also has an "auto" mode that combines several modes so the result is harder to reverse.
The recent emergence of the PLAY ransomware via a high-profile attack against Argentina's Judiciary of Córdoba was also aided by the speed of intermittent encryption.
PLAY offers no configuration options; instead, it splits each file into 2, 3, or 5 chunks, depending on the file size, and encrypts every other chunk.
Finally, Black Basta, one of the biggest names in the space at the moment, also doesn't give operators the option to pick among modes, as its strain decides what to do based on the file size.
For small files below 704 bytes in size, it encrypts all content. For files between 704 bytes and 4 KB, it encrypts 64 bytes and skips 192 bytes in between.
If the file size exceeds 4 KB, Black Basta shrinks the untouched intervals to 128 bytes, while the encrypted portion remains 64 bytes.
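To make the layouts above concrete (the alternating 16-byte blocks, Agenda's skip-step and fast modes, PLAY's every-other-chunk split, and Black Basta's size-based intervals), here is an added example, not code from the SentinelLabs report or from any of the ransomware families discussed. It performs no encryption: it only computes which byte ranges each scheme would rewrite, so an analyst can reason about coverage (how much file I/O the encryptor generates, which is what the behavioural detectors mentioned above key on) and about which parts of a file survive. Interval sizes follow the article; the size thresholds that pick PLAY's chunk count are not given on the page, so the chunk count is a parameter (an assumption).

```python
"""Byte-range model of intermittent encryption schemes (added example).

No encryption happens here. Each function returns the half-open byte ranges
[start, end) that a scheme would rewrite, so coverage and surviving regions
can be inspected. Values follow the article; PLAY's size-to-chunk-count
mapping is not on the page and is left to the caller (assumption).
"""
from typing import List, Tuple

Range = Tuple[int, int]  # half-open [start, end) byte offsets within the file
MB = 1024 * 1024


def interleaved(size: int, encrypt: int, skip: int) -> List[Range]:
    """Encrypt `encrypt` bytes, skip `skip` bytes, repeat until end of file."""
    ranges: List[Range] = []
    pos = 0
    while pos < size:
        ranges.append((pos, min(pos + encrypt, size)))
        pos += encrypt + skip
    return ranges


def black_basta_ranges(size: int) -> List[Range]:
    """Black Basta's size-based layout as described in the article:
    <704 B: whole file; 704 B..4 KB: 64 B encrypted / 192 B skipped;
    >4 KB: 64 B encrypted / 128 B skipped."""
    if size < 704:
        return [(0, size)] if size > 0 else []
    if size <= 4096:
        return interleaved(size, 64, 192)
    return interleaved(size, 64, 128)


def agenda_skip_step(size: int, skip_mb: int, step_mb: int) -> List[Range]:
    """Agenda 'skip-step [skip: N, step: Y]': encrypt Y MB, skip N MB, repeat."""
    return interleaved(size, step_mb * MB, skip_mb * MB)


def agenda_fast(size: int, first_mb: int) -> List[Range]:
    """Agenda 'fast [f: N]': encrypt only the first N MB."""
    return [(0, min(first_mb * MB, size))] if size > 0 else []


def play_ranges(size: int, chunks: int) -> List[Range]:
    """PLAY: split the file into 2, 3 or 5 chunks and encrypt every other
    chunk, starting with the first. Which file size selects which chunk
    count is not stated on the page, so the caller supplies it (assumption)."""
    if chunks not in (2, 3, 5):
        raise ValueError("PLAY uses 2, 3 or 5 chunks")
    bounds = [size * i // chunks for i in range(chunks + 1)]
    return [(bounds[i], bounds[i + 1]) for i in range(0, chunks, 2)]


def coverage(size: int, ranges: List[Range]) -> float:
    """Fraction of the file the scheme rewrites: a proxy for encryption time
    and for the file I/O volume a behavioural detector would observe."""
    if size == 0:
        return 0.0
    return sum(end - start for start, end in ranges) / size


def header_intact(ranges: List[Range], header_len: int) -> bool:
    """True if the first `header_len` bytes (e.g. a file-format magic) are
    untouched by the scheme; relevant to how much a format-aware reader
    could still recover."""
    return all(start >= header_len for start, _ in ranges)


if __name__ == "__main__":
    for size in (500, 1000, 4096, 10 * MB):
        r = black_basta_ranges(size)
        print(f"Black Basta {size:>9} B: {len(r):6d} intervals, "
              f"{coverage(size, r):.0%} rewritten, header intact: {header_intact(r, 8)}")
    print(f"Alternating 16 B blocks on 1 KB: {coverage(1024, interleaved(1024, 16, 16)):.0%} rewritten")
    print(f"Agenda skip-step (skip 2, step 1) on 10 MB: "
          f"{coverage(10 * MB, agenda_skip_step(10 * MB, 2, 1)):.0%} rewritten")
    print(f"PLAY, 3 chunks, 100 B file: {play_ranges(100, 3)}")
```

Running the script shows why the technique is attractive to operators: on files larger than 4 KB Black Basta rewrites only about a third of the bytes, and the alternating-16-byte pattern exactly half, while every scheme modelled here still hits offset 0, so the file header is destroyed in each case.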
Intermittent encryption outlook
Intermittent encryption seems to have significant advantages and virtually no downsides, so security analysts expect more ransomware gangs to adopt this approach soon.
LockBit's encryptor is already the fastest out there in terms of encryption speed, so if the gang adopted partial encryption, the duration of its attacks could shrink to a couple of minutes.
Of course, encryption is a complex matter, and the implementation of intermittent encryption must be done correctly to ensure that it won't result in easy data recoveries by the victims.
Right now, BlackCat's implementation is the most sophisticated, while that of Qyick remains unknown since malware analysts have not yet analyzed samples of the new RaaS.
Comments
h_b_s - 1 year ago
Some of these encryptors only encrypt the first 4kbytes of a file as well. Might be enough for some databases to fail to recognize a data file, but there's plenty of data types where the program that reads it may ignore the encrypted area since it only trashed the header, like larger text files, some image files, etc.
One of the ways to foil all these people's intentions is to start putting more robust file read algorithms into play that can ignore a certain amount of file corruption, intentional and otherwise, and keep going.
Naturally the gangs will adapt to those changes, but data security and integrity is always a game of cat and mouse. Robust file read integrity is just one more tool in data defense.
ThomasMann - 1 year ago
There will not be much more of cat and mouse, once quantum computers become available. Now, there already was an article here about the problem, yet nowhere is there any follow up to this most certainly coming disaster. And it is not just about malware and ransom gangs.
INTERNET BANKING WILL NO LONGER BE POSSIBLE, and as "analog" banking will not be possible, because of the greed that made banking corporations dismantle all that would be needed... What is going to happen the day when the first bank will have been robbed completely with that new hardware?
KillahBee - 1 year ago
If only a massive, multi-country, multi-discipline task force had been created 6+ years ago to create new encryption protocols that are quantum resistant... Oh wait, NIST did that, and already has 'post-quantum' ciphers/protocols ready to use today. Did you really think you had some special insight into an impending doomsday that no one else was privy to?
Future Quantum computers will be able to find prime factors with relative ease, but it's not like large primes/elliptic curves are the only way to encrypt data... Look up CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON and SPHINCS+. Your world's gonna be rocked.
Audreyyyy - 1 year ago
Bill, you are one of the top marketing experts I've ever seen on BleepingComputer; your articles are amazing.