Most of the cyber criminals who run ransomware operations are in the spotlight. Not only are they scrutinized by law enforcement and security companies, but the way they technically distribute their malware, and how that malware runs and works on infected computers, is also heavily scrutinized.
A new report from SentinelOne reveals a technique deployed by a few ransomware groups, recently seen in the wild and dubbed “intermittent encryption”.
What is Intermittent Encryption?
The term can be confusing, so it seems important to clarify it right away: intermittent encryption isn’t about encrypting a selection of entire files, it’s about encrypting only parts of each file, for example every Nth chunk of bytes, while leaving the bytes in between untouched.
According to the researchers, intermittent encryption allows for better evasion of systems that use statistical analysis to detect an ongoing ransomware infection. This type of analysis is based either on the intensity of file input/output operations on the operating system, or on the similarity between a known version of a file and a suspected modified version. Intermittent encryption therefore lowers the intensity of file input/output operations and leaves a much greater resemblance between the unencrypted and encrypted versions of a given file, since only a fraction of the bytes in the file are changed.
Intermittent encryption also has the benefit of reducing the amount of content that must be encrypted, while still rendering the system unusable, and doing so in a very short time frame. This makes it even more difficult to detect the ransomware activity between the time of infection and the time the content is encrypted.
Historically, LockFile ransomware was the first malware family to use intermittent encryption in mid-2021, but now several ransomware families are using it.
Which threat groups use intermittent encryption?
It is also important to know that intermittent encryption has become increasingly popular in the underground forums, where it is now advertised to attract more buyers or affiliates.
SentinelOne researchers report seeing an ad for a new commercial ransomware called Qyick on a popular Dark Web crime forum. The advertiser, known as lucrostm and previously seen selling other software such as remote access tools (RATs) and malware loaders, sells Qyick at a price ranging from 0.2 Bitcoin (BTC) to about 1.5 BTC, depending on the options the buyer wants. One of lucrostm’s guarantees is that if a ransomware binary is detected by security solutions within six months of purchase, a generous discount of 60 to 80% will be provided on a new, undetected copy.
The ransomware is written in Go language, which the developer claims would speed up the ransomware, in addition to using intermittent encryption (Figure A).
Qyick is still a ransomware in development. While it currently has no exfiltration capabilities, future versions will allow the controller to run arbitrary code primarily intended for that purpose.
This ransomware was first spotted in late June 2022. It uses intermittent encryption based on the size of the current file. It encrypts chunks of 0x100000 bytes (1,048,576 bytes in decimal, i.e. 1 MB) and encrypts two, three, or five such chunks, depending on the file size.
This ransomware is another one written in Go language. It supports various intermittent encryption methods that the controller can configure.
A first option called “skip-step” allows the attacker to encrypt every X MB (megabytes) of the file, skipping a certain number of MB in between. A second option called “fast” allows the encryption of only the first N MB of each file. The last option, “percent”, allows the encryption of only a percentage of the file.
Black Basta ransomware
This ransomware has served as a ransomware-as-a-service (RaaS) since April 2022. It is written in C++ language and its operators use double extortion with it, threatening victims to leak exfiltrated data if they do not pay the ransom.
Black Basta’s intermittent encryption encrypts every 64 bytes and skips 192 bytes if the file size is less than 4 KB. If the file is larger than 4 KB, the ransomware encrypts every 64 bytes, but skips 128 bytes instead of 192.
BlackCat, also known as ALPHV, is a ransomware developed in Rust language and used under a RaaS model. The threat group specialized very early in the use of extortion schemes, such as threatening victims with data leaks or distributed denial-of-service (DDoS) attacks.
BlackCat ransomware offers different encryption modes to its controller, from full encryption to modes that integrate intermittent encryption: it offers the option to encrypt only the first N bytes of each file, or to encrypt X bytes at every N-byte interval, leaving the bytes in between untouched.
It also has a more advanced mode that divides files into blocks of different sizes and encrypts only the first P bytes of each block.
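The following script is an added example written for this article, not code from SentinelOne or from any of the ransomware families described; it assumes nothing about the actual binaries beyond the byte patterns the article reports. It models the patterns as lists of byte ranges (Black Basta’s 64-bytes-encrypted / 192-or-128-bytes-skipped scheme, the “first N bytes”, “percent” and “first P bytes of each block” modes), replaces those ranges in a constructed buffer with random bytes as a stand-in for ciphertext, and then measures what a similarity- or entropy-based detector would see. It illustrates the detection gap the researchers describe: only a third of a 4 KB file is touched by the Black Basta pattern, so the “modified” file still matches the original on two thirds of its bytes.

```python
import math
import os

# Each pattern returns a list of (start, end) half-open byte ranges that
# would be encrypted for a file of the given size. All patterns here are
# reconstructed from the article's description, not from any real binary.

def ranges_skip_step(size, enc_len, skip_len):
    """Encrypt enc_len bytes, skip skip_len bytes, repeat until EOF."""
    out, pos = [], 0
    while pos < size:
        out.append((pos, min(pos + enc_len, size)))
        pos += enc_len + skip_len
    return out

def ranges_head(size, n):
    """Encrypt only the first n bytes of the file ("fast" / "first N bytes")."""
    return [(0, min(n, size))] if size > 0 else []

def ranges_percent(size, pct):
    """Encrypt only the leading pct percent of the file ("percent" mode)."""
    return ranges_head(size, size * pct // 100)

def ranges_blocks(size, block_len, head_len):
    """Split the file into blocks and encrypt the first head_len bytes of each."""
    out, pos = [], 0
    while pos < size:
        out.append((pos, min(pos + head_len, size)))
        pos += block_len
    return out

def black_basta_ranges(size):
    """64 bytes encrypted, then 192 bytes skipped below 4 KB, 128 above (per the article)."""
    skip = 192 if size < 4096 else 128
    return ranges_skip_step(size, 64, skip)

def touched_fraction(size, ranges):
    """Fraction of the file's bytes that the pattern modifies."""
    return sum(e - s for s, e in ranges) / size if size else 0.0

def simulate(data, ranges, rng=os.urandom):
    """Replace the selected ranges with random bytes as a stand-in for ciphertext.
    rng is injectable so that tests can use a deterministic byte source."""
    buf = bytearray(data)
    for s, e in ranges:
        buf[s:e] = rng(e - s)
    return bytes(buf)

def byte_similarity(a, b):
    """Share of positions where the two equally sized buffers agree;
    a crude model of a 'known version vs. suspected modified version' detector."""
    return sum(x == y for x, y in zip(a, b)) / len(a)

def shannon_entropy(data):
    """Bits per byte; a common 'does this look encrypted?' heuristic."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def compare_patterns(size):
    """Touched fraction per pattern for a file of `size` bytes; parameters are illustrative."""
    return {
        "full":                 touched_fraction(size, ranges_skip_step(size, size, 0)),
        "black_basta":          touched_fraction(size, black_basta_ranges(size)),
        "first_1MB":            touched_fraction(size, ranges_head(size, 1 << 20)),
        "percent_10":           touched_fraction(size, ranges_percent(size, 10)),
        "blocks_4K_head_256":   touched_fraction(size, ranges_blocks(size, 4096, 256)),
    }

if __name__ == "__main__":
    # Constructed sample: a 64 KB "document" of repetitive ASCII text.
    sample = (b"The quick brown fox jumps over the lazy dog. " * 2000)[:65536]
    print(f"{'pattern':<22}{'touched':>9}{'similarity':>12}{'entropy':>9}")
    for name, frac in compare_patterns(len(sample)).items():
        rng_map = {
            "full": ranges_skip_step(len(sample), len(sample), 0),
            "black_basta": black_basta_ranges(len(sample)),
            "first_1MB": ranges_head(len(sample), 1 << 20),
            "percent_10": ranges_percent(len(sample), 10),
            "blocks_4K_head_256": ranges_blocks(len(sample), 4096, 256),
        }
        modified = simulate(sample, rng_map[name])
        print(f"{name:<22}{frac:>9.3f}{byte_similarity(sample, modified):>12.3f}"
              f"{shannon_entropy(modified):>9.3f}")
```

Running it prints one row per pattern; the similarity column is the score a byte-wise comparison detector would compute, and the entropy column shows why a whole-file entropy threshold tuned for fully encrypted output can miss partially encrypted files. Detection logic that looks at the distribution of writes within a file (short, regularly spaced write bursts) or at per-chunk entropy rather than whole-file entropy is less affected by these patterns.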
Apart from intermittent encryption, BlackCat also includes some logic to speed up as much as possible: if the infected computer supports hardware acceleration, the ransomware uses AES (Advanced Encryption Standard) for encryption. If not, it uses the ChaCha20 algorithm which is fully implemented in software.
How to protect against this threat?
It is recommended that you always keep the operating system and any software running on it up to date and patched to avoid being compromised by a common vulnerability.
It is also recommended to deploy security solutions to detect the threat before the ransomware is launched on one or more computers.
Multi-factor authentication should also be deployed wherever possible, so that an attacker cannot simply use stolen credentials to gain access to a part of the network where they can run ransomware.
Every user should be made aware, especially regarding email, as it is one of the most widely used infection vectors for ransomware.
Disclosure: I work for Trend Micro, but the opinions expressed in this article are mine.