To be stealthier, these ransomware families encrypt files intermittently


To be stealthier, some ransomware no longer encrypts entire files, but only segments of them. Spotted by the news site BleepingComputer, this trend has just been detailed in an article by SentinelLabs.

According to Aleksandar Milenkoski and Jim Walter, the authors of the article, more and more ransomware integrates this new functionality. Intermittent encryption has a double benefit for cybercriminals. First, it makes it possible to encrypt victims' files more quickly, an important point since encrypting a target's files is often a race.

Stealthier

Intermittent encryption also allows cybercriminals to evade detection systems. Methods based on statistical analysis can indeed be tricked, because a comparison of the encrypted and unencrypted versions of a file shows a higher similarity than is typically seen in ransomware attacks.
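
As an added illustration (not code from the article or from SentinelLabs), the following example shows why a single whole-file statistic can miss a partially encrypted file while a per-window check still flags it. Shannon entropy as the statistic, the 4096-byte window, both thresholds and the sample data are assumptions made for this example.

```python
import math
import random
from collections import Counter

WINDOW = 4096  # assumed analysis window size, in bytes


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess(data: bytes, file_threshold: float = 7.0, window_threshold: float = 7.5) -> dict:
    """Compare one whole-file entropy score with per-window scores.

    Both thresholds are illustrative assumptions, not tuned values.
    """
    windows = [data[i:i + WINDOW] for i in range(0, len(data), WINDOW)]
    high = [i for i, w in enumerate(windows) if shannon_entropy(w) >= window_threshold]
    file_entropy = shannon_entropy(data)
    return {
        "file_entropy": round(file_entropy, 2),
        "whole_file_alert": file_entropy >= file_threshold,
        "high_windows": high,
        # Caveat: embedded compressed data (images, archives) also scores high,
        # so treat this as a signal to correlate, not a verdict.
        "windowed_alert": len(high) > 0,
    }


def build_samples() -> tuple[bytes, bytes]:
    """Constructed data: a text log, and a copy with every 8th window replaced by
    seeded random bytes standing in for ciphertext (no encryption is performed)."""
    line = b"2022-09-12 10:15:42 web01 app[1234]: GET /index.html status=200 bytes=5120\n"
    clean = (line * (64 * WINDOW // len(line) + 1))[:64 * WINDOW]
    rng = random.Random(1)
    partial = bytearray(clean)
    for w in range(0, 64, 8):
        partial[w * WINDOW:(w + 1) * WINDOW] = bytes(rng.getrandbits(8) for _ in range(WINDOW))
    return clean, bytes(partial)


if __name__ == "__main__":
    for name, sample in zip(("clean", "partially modified"), build_samples()):
        print(name, assess(sample))
```

On the constructed sample, the whole-file score stays under the alert threshold even though one window in eight is indistinguishable from random data.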

“Given the significant benefits for malicious actors and the ease of implementation, we believe intermittent encryption will continue to be adopted by more ransomware families,” the article's authors write.

There are two ways to read this new feature. It shows that ransomware developers know how to innovate. But implicitly, it also shows that detection and protection efforts are hindering them, pushing them to change their methods.

LockFile, the precursor

The LockFile ransomware, spotted at the time by Sophos, was the first to offer this functionality, in July 2021. But according to the SentinelLabs researchers, other ransomware families now also use intermittent encryption: Qyick, Agenda, BlackCat, Play and Black Basta.

LockFile encrypts files with a 16-byte step. Agenda, just like BlackCat, is configurable: the malicious user can set up intermittent encryption in several different ways (a skip between encrypted parts or a set percentage, for example).

By contrast, the researchers noted that the Play and Black Basta ransomware encrypt files automatically, segmenting the encryption according to the size of the targeted files.




