Intermittent-Encryption Ransomware, Explained
Like a shark that must keep swimming forward or perish, ransomware is constantly advancing and evolving. Even as data security solutions adapt to old threat tactics, hackers devise new ones to maximize their payouts. Some cybercriminals may develop brand-new malware; others may make iterative changes and release updates of existing ransomware products to take advantage of new vulnerabilities and attack strategies.
In the past, we’ve covered some of the troubling new trends and variants of ransomware in other blog posts, including the rise of ransomware as a service and the recent growth of encryption-less ransomware.
Today, we’re covering a different tactic: intermittent-encryption ransomware. We’ll explain how this type of ransomware works, why it’s increasingly common, who the top ransomware gangs are, and how organizations can protect their data from this growing threat.
Understanding intermittent-encryption ransomware
Unlike traditional ransomware, which aims to encrypt entire files across an organization, intermittent-encryption ransomware takes a more subtle and calculated approach. It uses specialized algorithms to hide the attack from the victim, encrypting only small portions of each file to evade detection.
As TechRepublic clarifies, “intermittent encryption is not about encrypting selected full files, but about encrypting every x byte in files.” This approach makes the attack less noticeable to ransomware detection products, since it mimics the way that legitimate software modifies files — while still rendering the infected files unreadable.
Different variants of intermittent-encryption ransomware operate in slightly different ways, but they have two major features in common.
Gradual encryption. Instead of encrypting all files immediately, intermittent-encryption ransomware encrypts files at various intervals, making it harder for detection software to recognize the attack.
Randomization and obfuscation. Intermittent-encryption ransomware also uses randomized patterns and encryption keys for each victim, alternating the types of data modifications they make as they go. This randomness leads to a much lower intensity of file I/O operations in encrypted files, which helps to trick detection software. It also makes it challenging for security experts to create reliable decryption tools, further complicating decryption attempts.
Why is intermittent-encryption ransomware becoming more common?
Intermittent-encryption tactics have grown in popularity because they give attackers one major advantage: higher encryption speed. Encrypting an entire organization’s files can be a slow process, and security tools are increasingly able to detect cyberattacks in progress. But because it aims to alter only a fraction of a company’s data, intermittent-encryption ransomware can impact more files in less time.
It’s also becoming more mainstream because it’s backed by the ransomware-as-a-service industry. With RaaS, cybercriminals don’t have to code complex malware themselves; they simply have to purchase a subscription to an existing variant of this partial encryption ransomware.
As a result, the number of victims of intermittent-encryption ransomware has grown into the hundreds. Targets come from a wide variety of industries, including finance, higher education, and healthcare, and individual companies may suffer hundreds of thousands of dollars in losses.
Top intermittent-encryption variants
Ransomware gangs are continuously disbanding, reforming, and morphing into other ransomware families, thanks in part to security experts and criminal prosecutions. It’s impossible to track every intermittent-encryption threat group, from Qyick to PLAY, but we’ll break down four of the top variants here.
Agenda
Agenda ransomware offers various configurable settings, including intermittent-encryption modes. It uses the Rust programming language and features three different partial encryption modes to target primarily the IT and manufacturing sectors.
Black Basta
This threat group has offered its intermittent-encryption malware as a RaaS product for over a year. Written in C++, Black Basta allows its operators to exfiltrate sensitive data and carry out double extortion attacks. It works methodically, encrypting every 64 bytes of a file and then skipping a certain amount of bytes depending on the original file size.
BlackCat
BlackCat comes from one of the most notable and sophisticated ransomware groups on the market, the ALPHV gang. An early adopter of the Rust programming language, BlackCat offers several different encryption modes. It also contains coding to selectively accelerate its attack based on the capacities of the device it has infected.
Lockfile
One of the first variants of intermittent-encryption ransomware, Lockfile has been active since at least July 2021, when it was first spotted. (Since it employs multiple techniques to evade detection, it’s possible that it’s been in operation even longer.)
Lockfile ransomware, which is a product of the LockBit ransomware gang, works by attacking vulnerable Microsoft Windows systems with known vulnerabilities. One of its tactics is to leverage the Windows Management Interface (WMI) to scan for and kill important virtual machine processes, which can help facilitate the file encryption process. This variant also avoids directly modifying files on disk, instead mapping them into the system’s RAM memory to perform modifications. These tactics make the malware processes appear to come from within the system itself, making it more likely that the attack will go undetected.
Protecting against intermittent-encryption ransomware
Just as intermittent-encryption ransomware is a multifaceted threat, tackling it requires a multifaceted approach. For endpoint security products, thresholds must be fine-tuned to allow legitimate activities while keeping out malicious ones. For the company as a whole, a good defense-in-depth strategy and a robust cybersecurity culture will be necessary to protect against the continual evolution of ransomware.
Here are some tips to get started:
Back up your data. Regularly backing up data is one of the top ways to minimize the impact of an attack. Whether your business uses on-prem or cloud storage, it’s important to ensure that these locations are secure from ransomware, which can hide out in systems for weeks in order to infect backups as well as primary data sources.
Keep systems patched and updated. Keep your software, operating system, and security tools up to date to be sure that you don’t fall prey to the latest vulnerabilities.
Conduct regular employee training. Educate your employees about phishing scams, good password practices, and safer online habits. Even as technologies grow more advanced, human error is still one of the top entry points for cyberattacks.
Use reliable software. Invest in reputable anti-virus, anti-malware, and endpoint monitoring solutions that can detect and mitigate ransomware threats.
Develop an incident response plan. No cybersecurity strategy is 100% effective. Even with the best of precautions, it’s still possible that a ransomware attack will succeed. That’s why companies need a well-defined incident response plan in place, including procedures for reporting incidents, isolating infected devices, and getting critical systems back online.
Ransomware protection with ShardSecure
An important part of ransomware mitigation is choosing the right data security solution. The ShardSecure platform offers data integrity checks, high availability, and self-healing features to mitigate ransomware attacks, including the intermittent-encryption variety.
First, our data integrity checks detect unauthorized modifications to data and send an alert to the company’s SOC. Our self-healing process follows up by reconstructing affected data in real-time, allowing organizations to avoid downtime and maintain business continuity.
The ShardSecure platform also provides advanced data privacy to mitigate the impact of data exfiltration in double extortion attempts. Even if a threat actor manages to directly access an organization’s storage locations, that data will remain illegible and unexploitable to them.
The future of ransomware attacks
Intermittent-encryption ransomware is a new challenge in the cyber landscape, but it won’t be the last. In the short term, we expect that we’ll see the cat-and-mouse game between threat actors and security solutions continue, with each side evolving to keep up with each other.
The silver lining is that the sustained media attention on high-profile ransomware attacks will make everyone from entry-level employees to CEOs more aware of the threat. Below, we’ve offered a few other predictions on the future of ransomware.
Upcoming trends in ransomware attacks
First, the bad news: Ransomware is going to continue to get worse, at least in the short term. Attacks will become even more sophisticated, incorporating advanced encryption techniques, artificial intelligence (AI), and machine learning (ML) to maximize their impact and evade detection. Meanwhile, cybercriminals will continue to refine their strategies with more precise phishing tactics, making it increasingly challenging to develop effective countermeasures.
We also expect to see more targeted attacks using state-of-the-art social engineering. Attackers will invest more time in reconnaissance, tailoring their attacks to specific organizations so they can, in the words of Forbes, “cause more damage, earn higher revenue, or have more shock value.” Finally, we’ll continue to see growth in double extortion and encryption-less attacks.
Upcoming trends in ransomware prevention and mitigation
Fortunately, there’s also some good news. We expect to see governments and regulatory bodies crack down on cryptocurrencies like Bitcoin, which are often used to facilitate ransom payments. This will make it more challenging for cybercriminals to launder their money.
We also expect the cybersecurity industry to leverage more automation and AI-driven solutions to detect, respond to, and mitigate ransomware attacks in real-time. AI comes up in practically every conversation we have these days, and we predict that emerging tools will help companies respond faster to threats.
Finally, we anticipate that we’ll see more collaboration between the public and private sectors, plus more information sharing among various government agencies. Better communication around threat intelligence and mitigation methods will help organizations around the world counter ransomware attacks more effectively.
Interested in learning more about current ransomware threats and the ShardSecure solution? Visit our other blogs on the topic, and check out the white paper on our technology.
Sources
Ransomware Makes Use of Intermittent Encryption To Bypass Detection Algorithms | TechRepublic
Ransomware Developers Turn to Intermittent Encryption to Evade Detection | SentinelOne
White Phoenix: Beating Intermittent Encryption | CyberArk
New Agenda Ransomware Variant, Written in Rust, Aiming at Critical Infrastructure | The Hacker News
LockFile Ransomware Uses Intermittent Encryption To Evade Detection | CSO Online
How To Write an Incident Response Plan for Ransomware Recovery | RH-ISAC
Why Understanding Ransomware’s Root Causes Can Help Protect Against The Evolving Threats | Forbes
US DOJ To Crack Down on Crypto Exchanges, NCET Director Says | Reuters