New approach to ransomware encryption threatens to undermine cyber security strategies
Intermittent encryption is already in use with ransomware such as BlackCat and Qyick, and could mark a widespread shift in the threat landscape


Threat actors have begun to deploy ransomware that uses intermittent encryption technology to attack victims’ systems more efficiently and covertly.
Intermittent encryption is a method by which ransomware only partially encrypts files, either according to a random key or in a regular pattern such as alternating encryption for the bytes of a file. This can have the effect of speeding up the encryption of affected files, as there is potentially only half as much for the ransomware to encrypt.
Moreover, intermittent encryption can make ransomware harder to identify. Ransomware detection software can rely on the detection of irregular I/O (input/output) operations or by direct comparison between files known to be safe and files that the software suspects have been encrypted. In both cases, intermittent encryption allows ransomware to go undetected, performing I/O operations at a small scale not recognised as malicious, and partially-encrypted files may more closely resemble their safe counterparts and therefore not be recognised as affected.
The LockFile ransomware, as detailed by Sophos in 2021, was the first known ransomware to use this method, encrypting every other 16 bytes of affected files. But researchers at SentinelLabs have identified that the new method is now in use by several threat actors.
One ransomware, known as Qyick, is currently listed on a dark web forum by user ‘lucrostm’. Here, threat actors can purchase Qyick at between 0.2 and 1.5 Bitcoins, varying by the complexity desired by the customer. A product listing reads: “Notably Qyick features intermittent encryption which is what the cool kids are using as you read this. Combined with the fact that is written in go, the speed is unmatched.”
Precise analysis of Qyick is not yet available, but researchers are seeking samples to test. Rust-based ransomware BlackCat, which was identified as particularly threatening by the Federal Bureau of Investigation (FBI), was also observed utilising intermittent encryption as an attack method.
"Considering the efficiencies presented by intermittent encryption, we suspect most ransomware will have it as a standard technique,” stated Avishai Avivi, SafeBreach CISO.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
“We can expect this malicious activity will continue to evolve like we've seen in the realm of computer viruses and malware. Malicious actors will continue to find ways to improve the speed and evasive techniques they use.
“We maintain our recommendation that organisations will be best served by proactively handling this threat. Have a sound and tested backup strategy and focus your efforts on preventing the malicious actors from getting their initial access. Detection post-infection with ransomware will become less effective over time."
RELATED RESOURCE
Escape the ransomware maze
Conventional endpoint protection tools just aren’t the best defence anymore
A Sentinel Labs analysis of the BlackCat strain utilising intermittent encryption found that its operators have several encryption modes they can choose from when deploying the ransomware. These include ‘Full’ which encrypts all files on a system, ‘DotPattern [N,Y]’ which encrypts several bytes in the affected files equal to N with a delay equal to Y bytes, and ‘Auto’ in which BlackCat chooses a mode depending on the size and extension of each file.
In a controlled environment, researchers found that the ‘Auto’ mode resulted in encryption of 50GB of files 1.95 minutes faster than in the ‘Full’ mode, demonstrating the superior encryption speeds that threat actors have achieved in the adoption of this new method.
Businesses and security teams are warned to appraise themselves of the current threat landscape, with ransomware threat actors continually refining the strains and attack vectors at their disposal. There are several steps that can be taken to avoid being caught out by ransomware, and security best practice remains a good preventative for unwanted malicious activity.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.
In his free time, Rory enjoys photography, video editing, and good science fiction. After graduating from the University of Kent with a BA in English and American Literature, Rory undertook an MA in Eighteenth-Century Studies at King’s College London. He joined ITPro in 2022 as a graduate, following four years in student journalism. You can contact Rory at rory.bathgate@futurenet.com or on LinkedIn.
-
How to implement a four-day week in tech
In-depth More companies are switching to a four-day week as they look to balance employee well-being with productivity
-
Intelligence sharing: The boost for businesses
In-depth Intelligence sharing with peers is essential if critical sectors are to be protected
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crime
News A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs