Ransomware uses intermittent encryption to bypass detection algorithms

Image: Adobe Stock

Most cybercriminals running ransomware operations are under the spotlight. Not only are they under investigation by law enforcement and security companies, but they are also thoroughly investigated as to how they technically distribute their malware and how whose malware runs and functions on infected computers.

A new report from SentinelOne exposes a new technique deployed by a few ransomware groups, observed in the wild recently and called “intermittent encryption”.

What is Intermittent Encryption?

The term can be confusing, so it seems important to clarify it immediately: intermittent encryption is not about encrypting selected complete files, but about encrypting every x byte in the files.

According to the researchers, intermittent encryption provides better evasion on systems that use statistical analysis to detect an ongoing ransomware infection. This type of analysis is based on the intensity of operating system file input and output operations, or the similarity between a known version of a file and a suspected modified version. Therefore, intermittent encryption reduces the intensity of file I/O operations and has a much higher similarity between unencrypted and encrypted versions of a specific file, since only certain bytes are modified in the file.

Intermittent encryption also has the advantage of encrypting less content while rendering the system unusable, in a very short period of time, making it even more difficult to detect ransomware activity between the time of infection and when it encrypted the content.

A study BlackCat ransomware using different file sizes revealed that intermittent encryption brings significant speed benefits to threat actors.

Historically, LockFile ransomware was the first malware family to use intermittent encryption, in mid-2021, but several different ransomware families now use it.

SEE: Mobile Device Security Policy (TechRepublic Premium)

Which threat groups use intermittent encryption?

It is also important to know that intermittent encryption has become increasingly popular in underground forums, where it is now advertised to attract more buyers or affiliates.

Qyick ransomware

SentinelOne researchers report that they saw an advertisement for a new commercial ransomware called Qyick in a popular dark web crime forum. The advertiser known as lucrostm was previously believed to sell other software such as remote access tools (RATs) and malware loaders, and sells Qyick for a price ranging from 0.2 Bitcoin ( BTC) to around 1.5 BTC depending on the buyer’s desired options. One of the guarantees provided by lucrostm is that if a binary from the ransomware family is detected by security solutions within six months of purchase, a generous discount of 60-80% will be given for a new ransomware sample not detected.

The ransomware is written in the Go language which the developer claims speeds up the ransomware, in addition to using intermittent encryption (Figure A).

Figure A

Advertisement for Qyick ransomware on an underground cybercrime forum.
Advertisement for Qyick ransomware on an underground cybercrime forum. Image: Sentinel 1

Qyick is still a ransomware under development. Although it does not currently have exfiltration capabilities, future versions will allow its controller to execute arbitrary code, intended primarily for this purpose.

PLAY ransomware

This ransomware was first seen in late June 2022. It uses intermittent encryption based on the current file size. It encrypts chunks of 0x100000 bytes in hexadecimal (1048576 bytes in decimal) and encrypts two, three or five chunks, depending on the file size.

Ransomware program

This ransomware is another one written in the Go language. It supports several different intermittent encryption methods that the controller can configure.

A first option named “skip-step” allows the attacker to encrypt each X MB (megabyte) of the file, skipping a specified number of MB. A second option named “fast” allows to encrypt only the first N MB of files . The last option, “percentage”, allows encryption of only a percentage of the file.

Black Basta ransomware

This ransomware has been serving as ransomware-as-a-service (RaaS) since April 2022. It is written in C++ language and its operators used double extortion with it, threatening victims with leaking exfiltrated data if they did not pay for it. ransom.

Black Basta’s intermittent encryption encrypts every 64 bytes and skips 192 bytes, if the file size is less than 4 KB. If the file is larger than 4 KB, the ransomware encrypts every 64 bytes but skips 128 bytes instead of 192.

BlackCat/ALPHV

BlackCat, also known as ALPHV, is ransomware developed in the Rust language and is used as a RaaS model. The threat group specialized early on in the use of extortion schemes such as the threat of data leakage or Distributed Denial of Service (DDoS) attacks.

BlackCat ransomware offers several different encryption modes to its controller, from full encryption to modes incorporating intermittent encryption: it offers the option to encrypt only the first N bytes of files, or to encrypt only every N byte and skip X bytes between of them.

It also has more advanced encryption, such as dividing files into blocks of different sizes and encrypting only the first P bytes of each block.

Besides intermittent encryption, BlackCat also contains logic to speed up as much as possible: if the infected computer supports hardware acceleration, the ransomware uses AES (Advanced Encryption Standard) for encryption. Otherwise, it uses the ChaCha20 algorithm which is fully implemented in software.

SEE: Password Breach: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)

How to protect yourself from this threat

It is advisable to always keep the operating system and all software running on it up-to-date and patched, to avoid being compromised by a common vulnerability.

It is also advisable to deploy security solutions to try to detect the threat before the ransomware is launched on one or more computers.

Multi-factor authentication should also be deployed where possible, so an attacker cannot use credentials only to gain access to a part of the network where they could run ransomware.

Every user should be made aware, especially of email, as this is one of the most common ransomware infection vectors.

Disclosure: I work for Trend Micro, but the opinions expressed in this article are my own.

Sharon D. Cole