During a cyberattack, time is of the essence for both attackers and defenders. To accelerate the ransomware encryption process and make it harder to detect, cybercriminal groups have begun using a new technique: intermittent encryption.
Intermittent encryption lets the ransomware encrypt only parts of each file instead of the whole file. The technique is designed to increase the speed of an attack, reducing the chances that the activity is detected and the threat shut down before encryption completes.
Sentinel Labs reported the new trend earlier this month as more ransomware groups adopted the technique. The feature was advertised on a forum to attract buyers, fueling the Ransomware-as-a-Service (RaaS) trade. Not only can intermittent encryption accelerate the time-intensive process of ransomware encryption, but it can also help the malware evade detection.
Ransomware detection systems rely on statistical analysis, with some tools measuring the intensity of I/O operations or comparing successive versions of a file. Because full encryption is so aggressive, these tools pick up the activity as soon as ransomware actors begin encrypting files. Intermittent encryption, however, does not touch the entire file, so it is a "lighter" process that generates less file I/O. This makes intermittent encryption a stealthier operation that can evade conventional detection tools.
The intermittent encryption trend began with LockFile in mid-2021, and Black Basta, ALPHV (BlackCat), PLAY, Agenda, and Qyick have since embraced the technique. Different ransomware groups and strains offer different types of intermittent encryption. Some are written in Go and can be customized by the operator; others choose the pattern automatically. Some encrypt only the beginning of a file, while others encrypt at intervals, skipping bytes between encrypted segments.
Qyick Ransomware: ‘What the cool kids are using’
The time it takes to encrypt a system and its files depends on several factors: the speed of the encrypting tool, the size and number of the files, and the hardware and OS of the system where the encryption runs.
In March 2022, Splunk tested ten different ransomware families, with ten samples for each family, and executed 400 encryption tests to time the results. In each test, the strains had to encrypt a total of 53GB across 98,561 files. Different host hardware and OS configurations were used to make the simulation as realistic as possible.
LockBit came out on top with a total encryption time of 5 minutes and 50 seconds, Babuk came in second with 6 minutes and 34 seconds, and Avaddon, Ryuk, and REvil all completed the test in under 25 minutes. BlackMatter, DarkSide, and Conti finished in under one hour, while other strains such as Maze and Mespinoza (PYSA) took almost 2 hours.
Why does the time of attack matter? If organizations have only a couple of minutes to respond to a ransomware encryption attack, they may be better served by focusing their cybersecurity efforts on prevention and counter-measures early in the ransomware lifecycle rather than on detection and mitigation during encryption. The new intermittent encryption tools suggest this hypothesis should be taken seriously.
In August, Sentinel Labs observed a new advertisement for ransomware called Qyick on a popular forum, posted by a user named lucrostm. Lucrostm promised intermittent-encryption ransomware with unmatched speed. Selling for 0.2 to about 1.5 Bitcoins, depending on the customization required by the buyer, Qyick entered the ransomware threat scene on the strength of its intermittent encryption and its implementation in Go.
“Notably, Qyick features intermittent encryption, which is what the cool kids are using as you read this,” the RaaS post said. “Combined with the fact that it is written in Go, the speed is unmatched.”
The post assures buyers that each build is unique and that the code provides synchronized execution, so that the attack spreads through the whole network at once and cannot be contained by the SOC shutting down not-yet-infected services. It also claims obfuscation and support for multiple addresses.
While Qyick does not offer automatic data exfiltration, leaving that for the attacker to carry out before encryption, the seller promised that the feature was in development along with anti-forensic capabilities and others.
Agenda and BlackCat Ransomware Encryption
Another strain using intermittent encryption is the Agenda ransomware. Written in Go and used mainly to target healthcare and education organizations in Africa and Asia, this strain offers easily configured options that change how the encryption behaves. The filename extension and the services to terminate can also be customized.
The three possible partial encryption modes of Agenda are:
- skip-step [skip: N, step: Y] – Encrypt every Y MB of the file, skipping N MB.
- fast [f: N] – Encrypt the first N MB of the file.
- percent [n: N; p:P] – Encrypt every N MB of the file, skipping P MB, where P equals P% of the total file size.
BlackCat (or ALPHV), which rose to prominence in late 2021 as the first ransomware written in the Rust programming language, also performs most of its encryption intermittently.
BlackCat was reverse-engineered by Sentinel Labs researcher Aleksandar Milenkoski.
Milenkoski outlines the different encryption modes of BlackCat as:
| Mode | Description |
|---|---|
| Full | Encrypt all file content. |
| HeadOnly [N] | Encrypt the first N bytes of the file. |
| DotPattern [N,Y] | Encrypt every N bytes of the file with a step of Y bytes. |
| SmartPattern [N,P] | Encrypt the first N bytes of the file. BlackCat divides the rest of the file into equal-sized blocks, such that each block is 10% of the rest of the file in size. BlackCat encrypts P% of the bytes of each block. |
| AdvancedSmartPattern [N,P,B] | Encrypt the first N bytes of the file. BlackCat divides the rest of the file into B equal-sized blocks. BlackCat encrypts P% of the bytes of each block. |
| Auto | Combinatory file encryption mode. Encrypt the file's content according to one of the file encryption modes Full, DotPattern [N,Y], and AdvancedSmartPattern [N,P,B]. BlackCat selects and parametrizes a file encryption mode based on the filename extension and the file size. |
Analysis shows that BlackCat's intermittent modes noticeably reduce encryption time: the reduction in wall-clock processing time starts at 8.65 seconds for a 5 GB file and reaches a maximum of 1.95 minutes for a 50 GB file. This figure includes the time it takes to read, encrypt and write each file's content.
The BlackCat ALPHV threat group is known for being an early adopter of extortion schemes, threatening their victims with DDoS attacks, and leaking exfiltrated data online.
Black Basta and PLAY Ransomware: Automated Chunks
Black Basta and PLAY also use intermittent encryption, but the pattern cannot be configured by the operator.
Black Basta, the RaaS program that emerged in 2022 written in the C++ programming language, bases the intermittence of its encryption on the size of the file. For files under 704 bytes, it encrypts the entire file. For files smaller than 4 kilobytes, it encrypts 64 bytes at a time, starting from the beginning of the file and skipping 192 bytes between encrypted segments. Finally, for files larger than 4 KB, it does the same but skips only 128 bytes, creating tighter encryption intervals.
PLAY ransomware, another 2022 arrival, also varies its encryption with file size, but instead of fixed intervals it splits the file into 2, 3, or 5 chunks, depending on the file size, and then encrypts every other chunk.
Sentinel Labs analysis shows that PLAY will create:
- 2 chunks if the file size is less than or equal to 0x3fffffff bytes;
- 3 chunks if the file size is less than or equal to 0x27fffffff bytes;
- 5 chunks if the file size is greater than 0x280000000 bytes.
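A whole-file entropy check will miss a file whose head or alternate chunks are encrypted while the rest stays plaintext, which is exactly what the Agenda, BlackCat, Black Basta and PLAY modes above produce. The per-window entropy scan below is an added example from a defender's perspective, not code from Sentinel Labs or any of the strains discussed; the window size, the 6.5 bits/byte threshold and the sample data are assumptions, with seeded random bytes standing in for ciphertext.

```python
import math
from random import Random

WINDOW = 256        # analysis window in bytes (assumed value; tune for the environment)
HIGH_ENTROPY = 6.5  # bits/byte: 256 random bytes score ~7.3, English text ~4.5

def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of buf in bits per byte (0.0 for an empty buffer)."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def entropy_runs(data: bytes, window: int = WINDOW) -> list:
    """Label each window H (high entropy) or L (low) and run-length encode the labels,
    e.g. [('H', 4), ('L', 28)] for an encrypted head followed by plaintext."""
    labels = ['H' if shannon_entropy(data[i:i + window]) >= HIGH_ENTROPY else 'L'
              for i in range(0, len(data), window)]
    runs = []
    for lab in labels:
        if runs and runs[-1][0] == lab:
            runs[-1] = (lab, runs[-1][1] + 1)
        else:
            runs.append((lab, 1))
    return runs

def classify(data: bytes, window: int = WINDOW) -> str:
    """plaintext: no high window; encrypted: all high; partial: a mix (head-only or interleaved)."""
    kinds = {lab for lab, _ in entropy_runs(data, window)}
    if kinds == {'L'}:
        return "plaintext"
    if kinds == {'H'}:
        return "encrypted"
    return "partial"

# Constructed fixtures: repeated text stands in for a document, seeded random
# bytes stand in for ciphertext (real ciphertext is statistically just as flat).
_rng = Random(1)
PLAIN = (b"Quarterly report: revenue grew in all regions this period. " * 160)[:8192]
HEAD_ONLY = _rng.randbytes(1024) + PLAIN[1024:]          # like HeadOnly / fast modes
INTERLEAVED = b"".join(                                   # like every-other-chunk modes
    _rng.randbytes(256) if (i // 256) % 2 == 0 else PLAIN[i:i + 256]
    for i in range(0, len(PLAIN), 256))

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("head-only", HEAD_ONLY), ("interleaved", INTERLEAVED)):
        print(f"{name:12} whole-file={shannon_entropy(blob):.2f} {classify(blob):10} runs={entropy_runs(blob)}")
```

The run-length summary is what an analyst would look at: a short H run followed by L is the head-only signature, while a long alternating H/L sequence points to an interval mode, even though the head-only file's whole-file entropy stays below the threshold.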
Whether the encryption pattern is configurable or chosen automatically, intermittent encryption combined with automated data exfiltration tools can significantly shorten the ransomware attack lifecycle.
Security experts warn that given the benefits these new encryption technologies provide, cybercriminals will embrace them and intensify their use.
Faced with this new trend, organizations are forced to switch to early prevention and focus on the early stages of ransomware attacks, as detecting and shutting down attacks once they are in full play promises to be very challenging.
As always, well-protected data backups are your best hope for a quick recovery; see the Best Backup Solutions for Ransomware Protection.