Strike Force: Why Ransomware Groups Feel the Need for Speed
Gangs Are Adopting Intermittent or Partial Encryption to Ransom Victims Faster
Ransomware-wielding criminals feel the need - the need for speed.
The faster crypto-locking malware can forcibly encrypt a victim's files and delete the originals, the less likely it is that the attack gets spotted by security defenses and stopped. And the less time an attack takes overall to execute, the more victims a criminal can hit.
Cue a "new trend on the ransomware scene - intermittent encryption, or partial encryption of victims' files," report cybersecurity firm SentinelOne's researchers Aleksandar Milenkoski and Jim Walter.
"At least two brand-new ransomware are currently pitching this feature on the black market: Qyick and Agenda," Milenkoski tweets. So too is Play ransomware, first spotted in June, the researchers say, plus Conti spinoffs Black Basta and BlackCat, aka Alphv.
They predict that "intermittent encryption will continue to be adopted by more ransomware families."
Only partially encrypting files enables attacks to proceed more quickly, especially when handling large files. Based on reverse-engineering how BlackCat ransomware encrypts files, Milenkoski found that using intermittent encryption for a 50-gigabyte file saved about 2 minutes compared to full file encryption. Using intermittent encryption still left the file sufficiently scrambled so as to make it unrecoverable without a decryptor or a backup.
Not a New Tactic
As the SentinelOne researchers acknowledge in their study, intermittent or partial encryption is not a new tactic.
In September 2021, a report from Sophos detailed a new type of ransomware called LockFile.
"LockFile ransomware encrypts every 16 bytes of a file. We call this 'intermittent encryption,' and this is the first time Sophos researchers have seen this approach used," said Mark Loman, director of engineering for next-generation technologies at Sophos, in a blog post.
Even then, the technique wasn't exactly new. Loman says that "LockBit 2.0, DarkSide and BlackMatter ransomware, for example, are all known to encrypt only part of the documents they attack - in their case the first 4,096 bytes, 512 KB and 1 MB respectively - just to finish the encryption stage of the attack faster."
What was different about LockFile was that instead of only encrypting the beginning of files, "LockFile encrypts every other 16 bytes of a document," Loman said. "This means that a text document, for instance, remains partially readable."
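The two layouts described above, header-only encryption of the first N bytes and the LockFile-style "every other 16 bytes" interleave, behave differently under an entropy check. The following is an added example, not code from the article, SentinelOne or Sophos: it builds a constructed 64 KB text document, simulates both layouts by overwriting the relevant byte ranges with seeded pseudo-random bytes (a stand-in for ciphertext; no cipher is involved), and compares whole-file entropy with a per-window scan. The 512-byte window and the 5.5 bits-per-byte threshold are this example's assumptions. It shows why a single whole-file entropy threshold misses a file whose first 4 KB were replaced, while the windowed scan flags both layouts.

```python
"""Windowed-entropy check for partially encrypted files (added example)."""
import math
import random
from collections import Counter
from dataclasses import dataclass

FILE_SIZE = 64 * 1024
# Constructed sample document body: plain English text, ~4.2 bits/byte of entropy.
SENTENCE = b"The quarterly report is attached; please review the figures before Friday.\n"


def make_plaintext(size: int = FILE_SIZE) -> bytes:
    """Constructed sample file: the sentence repeated and trimmed to `size` bytes."""
    reps = size // len(SENTENCE) + 1
    return (SENTENCE * reps)[:size]


def pseudo_ciphertext(n: int, seed: int = 2022) -> bytes:
    """Stand-in for encrypted output: seeded random bytes, so every run is repeatable."""
    return random.Random(seed).randbytes(n)


def simulate_header_only(plain: bytes, header_len: int = 4096) -> bytes:
    """Layout 1 (assumed shape): only the first `header_len` bytes are replaced."""
    return pseudo_ciphertext(header_len) + plain[header_len:]


def simulate_interleaved(plain: bytes, chunk: int = 16) -> bytes:
    """Layout 2 (the pattern quoted from Sophos): every other `chunk`-byte block is replaced."""
    noise = pseudo_ciphertext(len(plain))
    out = bytearray(plain)
    for start in range(0, len(plain), 2 * chunk):
        out[start:start + chunk] = noise[start:start + chunk]
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: roughly 4-5 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class ScanResult:
    whole_file_entropy: float
    windows: int
    high_windows: int
    flagged: bool


def scan(data: bytes, window: int = 512, threshold: float = 5.5) -> ScanResult:
    """Compare whole-file entropy with a per-window scan.

    A window whose entropy exceeds `threshold` (well above the text sample's
    ~4.2 bits/byte, well below the ~7.6 of 512 random bytes) counts as high;
    a single high window is enough to flag the file. Window size and threshold
    are assumptions of this example.
    """
    whole = shannon_entropy(data)
    scores = [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]
    high = sum(1 for s in scores if s > threshold)
    return ScanResult(whole, len(scores), high, high > 0)


if __name__ == "__main__":
    plain = make_plaintext()
    for label, blob in [("plaintext", plain),
                        ("header-only (4096 B)", simulate_header_only(plain)),
                        ("interleaved (16 B)", simulate_interleaved(plain))]:
        r = scan(blob)
        print(f"{label:22s} whole={r.whole_file_entropy:.2f}  "
              f"high windows={r.high_windows}/{r.windows}  flagged={r.flagged}")
```

The header-only file's whole-file entropy stays under 5 bits per byte because 15/16 of it is untouched text, so a detector keyed on whole-file entropy alone never sees it; the per-window scan reports exactly the eight 512-byte windows that cover the replaced 4 KB. In the interleaved file every window is half text and half noise, which lands each window around 6.4 bits per byte, above the threshold but visibly short of the ~7.6 that fully random windows produce, a signature a practitioner can use to tell interleaved encryption apart from full encryption.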
"Intermittent encryption is serving only one goal: Encrypt a system as fast as you can, and in many cases a complete network, and demand the ransom," says Christiaan Beek, lead scientist and senior principal engineer at Trellix. "It's not a defensive evasion technique, in my opinion."
Might anti-malware tools be better adapted to detect this type of activity? "Looking at some of the logic, it calls fast file read and write actions that could be detected in the code," Beek says.
"The research that Sentinel is posting shows also that in some cases the ransomware has multiple options to select which files, which parts, size of bytes to encrypt, and even the selection of algorithm - all for the sake of speed," he says.
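One way to act on Beek's remark that the fast file read and write actions "could be detected" is a burst heuristic over file telemetry. The following is an added example, not code from the article, Trellix or any product: it runs over constructed file-event records (timestamp, pid, process name, operation, path; a format assumed for this example) and flags any process that rewrites many distinct files inside a short sliding window. The 2-second window and the 20-file threshold are assumptions chosen for the constructed data; real deployments tune them against their own baseline.

```python
"""Burst detector for file rewrite activity (added example)."""
from collections import defaultdict, deque

# Constructed benign telemetry: (timestamp_seconds, pid, process, op, path).
BENIGN = [
    (0.00, 101, "winword.exe", "write", r"C:\Users\alice\Documents\q3-report.docx"),
    (1.25, 101, "winword.exe", "write", r"C:\Users\alice\Documents\q3-report.docx"),
    (2.10, 101, "winword.exe", "read", r"C:\Users\alice\Documents\template.dotx"),
    (3.40, 202, "explorer.exe", "write", r"C:\Users\alice\Downloads\photo.jpg"),
]
# Constructed burst: one process rewriting 40 distinct documents in about 0.8 s.
BURST = [
    (5.0 + i * 0.02, 404, "svc-update.exe", "write",
     rf"C:\Users\alice\Documents\file{i:02d}.xlsx")
    for i in range(40)
]
EVENTS = BENIGN + BURST


def find_bursts(events, window_s: float = 2.0, min_files: int = 20):
    """Return {pid: (process, peak_distinct_files)} for every process that wrote to
    at least `min_files` distinct paths within some `window_s`-second span."""
    by_pid = defaultdict(list)
    for ts, pid, proc, op, path in sorted(events):
        if op == "write":
            by_pid[pid].append((ts, proc, path))

    hits = {}
    for pid, writes in by_pid.items():
        span = deque()   # (timestamp, path) pairs inside the current window
        counts = {}      # path -> number of writes inside the current window
        peak = 0
        for ts, proc, path in writes:
            span.append((ts, path))
            counts[path] = counts.get(path, 0) + 1
            # Evict writes older than the window before measuring.
            while span and ts - span[0][0] > window_s:
                old_ts, old_path = span.popleft()
                counts[old_path] -= 1
                if counts[old_path] == 0:
                    del counts[old_path]
            peak = max(peak, len(counts))
        if peak >= min_files:
            hits[pid] = (writes[0][1], peak)
    return hits


if __name__ == "__main__":
    for pid, (proc, peak) in find_bursts(EVENTS).items():
        print(f"pid {pid} ({proc}): {peak} distinct files rewritten within 2 s")
```

Counting distinct paths rather than raw write events is what separates a document editor saving the same file repeatedly from a process sweeping a directory; pairing this with the windowed-entropy check on the files just written gives a stronger signal than either alone.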
Gangs Love to Boast About Speed
Many ransomware operations love to hype up anything they do, whether to scare victims into paying or to recruit affiliates who have a track record of successfully taking down a greater number of victims (see: Keys to LockBit's Success: Self-Promotion, Technical Acumen).
"We have witnessed different ransomware crews boast about the speed of the encryption process, and the use of intermittent processes means the ability to disrupt an organization has gone up," says Raj Samani, chief scientist at Rapid7 (see: Ransomware Response Essential: Fixing Initial Access Vector).
For defenders, although attackers might be attempting to encrypt files more quickly, the ransomware defense basics remain the same, he says. They include ensuring an organization has the capabilities in place it needs to detect the earlier stages of a ransomware attack, before attackers are able to steal data or unleash crypto-locking malware.
"All organizations must focus efforts on identifying initial entry vectors and lateral movement," Samani says. "In other words, find the malicious actors before they exfiltrate data and encrypt data."