New approach to ransomware encryption threatens to undermine cyber security strategies

Threat actors have begun to deploy ransomware that uses intermittent encryption technology to attack victims’ systems more efficiently and covertly.

Intermittent encryption is a method by which ransomware only partially encrypts files, either according to a random key or in a regular pattern such as alternating encryption for the bytes of a file. This can have the effect of speeding up the encryption of affected files, as there is potentially only half as much for the ransomware to encrypt.

Moreover, intermittent encryption can make ransomware harder to identify. Ransomware detection software can rely on the detection of irregular I/O (input/output) operations or by direct comparison between files known to be safe and files that the software suspects have been encrypted. In both cases, intermittent encryption allows ransomware to go undetected, performing I/O operations at a small scale not recognised as malicious, and partially-encrypted files may more closely resemble their safe counterparts and therefore not be recognised as affected.

The LockFile ransomware, as detailed by Sophos in 2021, was the first known ransomware to use this method, encrypting every other 16 bytes of affected files. But researchers at SentinelLabs have identified that the new method is now in use by several threat actors.

One ransomware, known as Qyick, is currently listed on a dark web forum by user ‘lucrostm’. Here, threat actors can purchase Qyick at between 0.2 and 1.5 Bitcoins, varying by the complexity desired by the customer. A product listing reads: “Notably Qyick features intermittent encryption which is what the cool kids are using as you read this. Combined with the fact that is written in go, the speed is unmatched.”

Precise analysis of Qyick is not yet available, but researchers are seeking samples to test. Rust-based ransomware BlackCat, which was identified as particularly threatening by the Federal Bureau of Investigation (FBI), was also observed utilising intermittent encryption as an attack method.

"Considering the efficiencies presented by intermittent encryption, we suspect most ransomware will have it as a standard technique,” stated Avishai Avivi, SafeBreach CISO.

“We can expect this malicious activity will continue to evolve like we've seen in the realm of computer viruses and malware. Malicious actors will continue to find ways to improve the speed and evasive techniques they use.

“We maintain our recommendation that organisations will be best served by proactively handling this threat. Have a sound and tested backup strategy and focus your efforts on preventing the malicious actors from getting their initial access. Detection post-infection with ransomware will become less effective over time."

A Sentinel Labs analysis of the BlackCat strain utilising intermittent encryption found that its operators have several encryption modes they can choose from when deploying the ransomware. These include ‘Full’ which encrypts all files on a system, ‘DotPattern [N,Y]’ which encrypts several bytes in the affected files equal to N with a delay equal to Y bytes, and ‘Auto’ in which BlackCat chooses a mode depending on the size and extension of each file.

In a controlled environment, researchers found that the ‘Auto’ mode resulted in encryption of 50GB of files 1.95 minutes faster than in the ‘Full’ mode, demonstrating the superior encryption speeds that threat actors have achieved in the adoption of this new method.

Businesses and security teams are warned to appraise themselves of the current threat landscape, with ransomware threat actors continually refining the strains and attack vectors at their disposal. There are several steps that can be taken to avoid being caught out by ransomware, and security best practice remains a good preventative for unwanted malicious activity.