Hackers Utilize New Intermittent Encryption
Since the start of 2022, cyber security firms are fiercely catching up to hackers across the world. Tough times call for tough measures – which most cyber criminals are no strangers to. As a result, an alarming number of ransomware groups have begun using a new technique to encrypt their victims’ systems. This method not only encrypts systems faster but also reduces the hackers’ chances of being detected and stopped.
This tactic has been dubbed “intermittent encryption”, as it only encrypts parts of content gathered from the targeted files. This renders the data unrecoverable without a valid decryptor key.
The encryption process can be made to take almost half as long as full encryption, while still permanently locking the contents of a file by skipping every other 16 bytes. Not only that but because the encryption is more flexible, automated detection tools used for detecting warning signs in the form of vigorous file IO operations are more likely to fail.
Hackers Fancy New Technique
SentinelLabs has published a report, stating that the trend most likely originates from the LockFile tactics in mid-2021, and is now being utilized by these ransomware hacking groups ALPHV (BlackCat), PLAY, Qyick, Black Basta, and Agenda.
These organizations actively encourage the inclusion of sporadic encryption features in their family of ransomware in an effort to persuade affiliates to join the RaaS operation.
Qyick, in particular, has intermittent encryption written in Go – meaning it is extremely fast. According to a Qyick advertisement on hacking forums.
Operator configuration options are also provided by BlackCat and Agenda’s intermittent encryption implementation in the form of different byte-skipping patterns. The malware has an “auto” mode which combines different modes for a more complicated outcome. It can even encrypt only the first few bytes of a file, follow a dot pattern, a certain percentage of file blocks, and more.
As of recently, the PLAY ransomware was also aided by the speed of intermittent encryption to carry out a high-profile attack against Argentina’s Judiciary of Córdoba.
Hacking Group Reaps Fast Success
LockBit’s strain is already the fastest available in terms of encryption speeds, so if a hacking gang used partial encryption, the duration of its strikes would be reduced to a couple of minutes. However, encryption itself is still a complex undertaking for hackers and security analysts alone.
Intermittent encryption is implemented, it must be done correctly to prevent easy data recovery by the victims and all the hacker’s efforts will be wasted. There is also a possibility of their identities being revealed as a result.
Since malware researchers haven’t yet examined samples of the new RaaS, BlackCat’s implementation is currently the most advanced. Qyick’s implementation is unknown.
Intermittent encryption appears to have significant advantages and virtually no disadvantages, so security analysts anticipate that more ransomware gangs will adopt this approach in the near future.