Upon adoption, the malware of ransomware groups is tuned to encrypt only parts of targeted files, thereby reducing the encrypting time – while also making the files useless with half corruption and decryptable only with a specific key. With several advantages, researchers warn that more ransomware groups may adopt them for better operations.
Intermittent Encryption Technique
With the antivirus software upping their technology to detect malicious activities better, threat actors, especially the ransomware groups, are enhancing themselves too in the game. In this pursuit, Sentinel Labs researchers have detected that several ransomware groups are adopting a new technique called intermittent encryption that’d make their encryption process faster and better undetectable. For example, any ransomware gang adopting this technique will only encrypt parts of the targeted files (say skipping every other 16 bytes of a file) in a victim’s system. This will reduce the time required for full encryption while also making the files useless until recoverable by a decryption key. And since this process is milder than the actual encryption method, automated detection tools that only scan for intense file IO operations may pass, flagging the operation. Started by LockFile in mid-2021, researchers noted that several other ransomware groups like Black Basta, ALPHV (BlackCat), PLAY, Agenda, and Qyick have already adopted this. And since this intermittent encryption is highly sophisticated with very few downsides, more ransomware groups may add this to their malware. Also, this can be used as one of the many niches to attract affiliates by ransomware groups. Right now, LockBit has the fastest encryption process with its tuned algorithm. And if they adopt this technique, the total encryption time of the victim’s files could be reduced to minutes! Although, it has to be done properly to cater to expected results.