Several ransomware gangs have changed their file encryption techniques, and instead of encrypting entire files they are now opting for intermittent encryption, with files only partially encrypted. This technique allows files to be encrypted far more quickly and helps the attackers evade security solutions, which often fail to detect the encryption due to the lower intensity of file IO operations and the greater similarity between non-encrypted and encrypted versions of a file.
Rather than encrypting the entire contents of files, the encryption process will skip certain sections, such as every other 16 bytes of a file, or will just encrypt the first few bytes of a file. This technique still renders files unrecoverable without a valid decryptor key, yet it is far faster, typically allowing files to be encrypted in around half the time. Encrypting files can be a time-consuming process and it often triggers alerts from security solutions, which allows IT security teams to act quickly and block file encryption, limiting the harm caused by an attack.
According to a recent report from SentinelLabs, this tactic was first observed being used by LockFile around the middle of 2021, but it has since been adopted by many ransomware gangs, including Black Basta, Blackcat (ALPHAV), Agenda, PLAY, and Qyick. These ransomware-as-a-service operations typically advise would-be affiliates that their ransomware uses intermittent file encryption as a selling point, stating that the encryption process results in far quicker encryption, reducing the potential for detection, which will increase the probability of payment being made since recovery without paying the ransom will be more difficult due to widespread file encryption. Some RaaS operations also provide affiliates with options related to partial encryption, allowing them to prioritize speed should they so wish.
This technique has proven popular with ransomware gangs and their affiliates as attacks can be conducted more quickly and the entire contents of files do not need to be encrypted to prevent recovery. “Intermittent encryption is a very useful tool to ransomware operators. This encryption method helps to evade some ransomware detection mechanisms and encrypt victims’ files faster,” explained the SentinalLabs researchers. “Given the significant benefits to threat actors while also being practical to implement, we estimate that intermittent encryption will continue to be adopted by more ransomware families.”