Strike Force: Why Ransomware Groups Feel the Need for Speed

Gangs Are Adopting Intermittent or Partial Encryption to Ransom Victims Faster
Photo: U.S. Navy, via Flickr/CC

Ransomware-wielding criminals feel the need - the need for speed.

The faster crypto-locking malware can forcibly encrypt a victim's files and delete the originals, the less likely the attack is to be spotted by security defenses and stopped. And the less time an attack takes to execute overall, the more victims a criminal can hit.

Cue a "new trend on the ransomware scene - intermittent encryption, or partial encryption of victims' files," report SentinelOne researchers Aleksandar Milenkoski and Jim Walter.

"At least two brand-new ransomware are currently pitching this feature on the black market: Qyick and Agenda," Milenkoski tweets. So too is Play ransomware, first spotted in June, the researchers say, plus Conti spinoffs Black Basta and BlackCat, aka Alphv.

They predict that "intermittent encryption will continue to be adopted by more ransomware families."

Speedier Attacks

Only partially encrypting files enables attacks to proceed more quickly, especially when handling large files. Based on reverse-engineering how BlackCat ransomware encrypts files, Milenkoski found that using intermittent encryption for a 50-gigabyte file saved about 2 minutes compared to full file encryption. Using intermittent encryption still left the file sufficiently scrambled so as to make it unrecoverable without a decryptor or a backup.

Encryption options offered by BlackCat (Source: SentinelOne)

Not a New Tactic

As the SentinelOne researchers acknowledge in their study, intermittent or partial encryption is not a new tactic.

In September 2021, a report from Sophos detailed a new type of ransomware called LockFile.

"LockFile ransomware encrypts every 16 bytes of a file. We call this 'intermittent encryption,' and this is the first time Sophos researchers have seen this approach used," said Mark Loman, director of engineering for next-generation technologies at Sophos, in a blog post.

Even then, the technique wasn't exactly new. Loman says that "LockBit 2.0, DarkSide and BlackMatter ransomware, for example, are all known to encrypt only part of the documents they attack - in their case the first 4,096 bytes, 512 KB and 1 MB respectively - just to finish the encryption stage of the attack faster."

What was different about LockFile was that instead of only encrypting the beginning of files, "LockFile encrypts every other 16 bytes of a document," Loman said. "This means that a text document, for instance, remains partially readable."
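The encryption footprints described above (head-only, as attributed to LockBit 2.0, DarkSide and BlackMatter; every other 16 bytes, as attributed to LockFile; and full-file) leave different traces in a damaged document. The following is an added example, not code from SentinelOne, Sophos or any of the ransomware families named in the article. It constructs a small plaintext stand-in, overwrites blocks with deterministic high-entropy filler (a SHA-256 chain standing in for ciphertext, not a cipher) according to each footprint, and then classifies the result the way an incident responder triaging a sample file might: a 16-byte block whose printable-ASCII ratio falls below 0.9 is treated as scrambled, and the arrangement of scrambled blocks is named. The block size, threshold and sample text are assumptions chosen for the demonstration.

```python
import hashlib

BLOCK = 16                       # granularity LockFile is reported to use
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def printable_ratio(chunk: bytes) -> float:
    """Fraction of bytes that are printable ASCII (a text-file heuristic)."""
    return sum(b in PRINTABLE for b in chunk) / len(chunk) if chunk else 1.0


def scrambled_blocks(data: bytes, block: int = BLOCK, threshold: float = 0.9) -> list:
    """One flag per block: True when the block no longer looks like text."""
    return [printable_ratio(data[i:i + block]) < threshold
            for i in range(0, len(data), block)]


def describe_pattern(flags: list, block: int = BLOCK) -> str:
    """Name the arrangement of scrambled blocks."""
    n, k = len(flags), sum(flags)
    if k == 0:
        return "intact"
    if k == n:
        return "full"
    # Head-only: every scrambled block sits before the first clear one.
    first_clear = flags.index(False)
    if not any(flags[first_clear:]):
        return f"head-only ({first_clear * block} bytes)"
    # Every-other-block: scrambled blocks at even indices only.
    if all(f == (i % 2 == 0) for i, f in enumerate(flags)):
        return f"alternating (every other {block} bytes)"
    return f"intermittent ({k} of {n} blocks)"


def analyze(data: bytes) -> dict:
    """Summarise how much of a file still reads as text and in what pattern."""
    flags = scrambled_blocks(data)
    n, k = len(flags), sum(flags)
    return {"blocks": n, "scrambled": k,
            "readable_fraction": round(1 - k / n, 3) if n else 1.0,
            "pattern": describe_pattern(flags)}


def sample_document(n_blocks: int = 64) -> bytes:
    """Constructed plaintext stand-in for a victim's text file (n_blocks * 16 bytes)."""
    line = b"Quarterly report: revenue up 4% on the prior period.\n"
    return (line * (n_blocks * BLOCK // len(line) + 1))[:n_blocks * BLOCK]


def filler(index: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (not a cipher)."""
    return hashlib.sha256(b"constructed-filler" + index.to_bytes(4, "big")).digest()[:BLOCK]


def damage(doc: bytes, keep) -> bytes:
    """Replace every block for which keep(index) is False with filler."""
    out = bytearray()
    for idx, off in enumerate(range(0, len(doc), BLOCK)):
        chunk = doc[off:off + BLOCK]
        out += chunk if keep(idx) else filler(idx)[:len(chunk)]
    return bytes(out)


if __name__ == "__main__":
    doc = sample_document()
    for name, keep in [("untouched", lambda i: True),
                       ("head-only, first 256 bytes", lambda i: i >= 16),
                       ("every other 16 bytes", lambda i: i % 2 == 1),
                       ("full", lambda i: False)]:
        print(f"{name:28s} -> {analyze(damage(doc, keep))}")
```

The alternating case reports half the blocks readable, which is the "partially readable" text document Loman describes; the head-only case shows why checking only the start of a file can make a partially encrypted document look fully encrypted. The printable-ratio heuristic suits text formats; for compressed or binary formats a responder would compare against a known-good copy or use per-block entropy over larger windows instead.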

"Intermittent encryption is serving only one goal: Encrypt a system as fast as you can, and in many cases a complete network, and demand the ransom," says Christiaan Beek, lead scientist and senior principal engineer at Trellix. "It's not a defensive evasion technique, in my opinion."

Might anti-malware tools be better adapted to detect this type of activity? "Looking at some of the logic, it calls fast file read and write actions that could be detected in the code," Beek says.

"The research that Sentinel is posting shows also that in some cases the ransomware has multiple options to select which files, which parts, size of bytes to encrypt, and even the selection of algorithm - all for the sake of speed," he says.
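Beek's point that the rapid file read and write activity is itself detectable can be turned into a simple behavioural rule. The following is an added example, not Trellix's or any vendor's detection logic: it runs a sliding-window count of distinct files modified per process over a constructed list of file-activity records (the record format, the five-second window and the threshold of 20 files are assumptions; a real deployment would read events from an EDR, Sysmon or auditd feed and tune the threshold to the host's normal write rate).

```python
from collections import defaultdict, deque


def constructed_events():
    """Constructed file-activity records: (seconds, pid, operation, path)."""
    events = []
    # Benign: an editor (pid 1001) saving three documents over a minute.
    for i in range(3):
        events.append((10.0 + 20 * i, 1001, "write", f"/home/user/notes{i}.txt"))
    # Suspicious: pid 4242 reads and then rewrites 30 share files within two seconds.
    for i in range(30):
        t = 100.0 + i * 0.06
        path = f"/srv/share/report{i:02d}.docx"
        events.append((t, 4242, "read", path))
        events.append((t + 0.01, 4242, "write", path))
    return events


def detect_write_bursts(events, window_s=5.0, threshold=20):
    """Alert once per process that modifies >= threshold distinct files within window_s."""
    recent = defaultdict(deque)      # pid -> deque of (time, path) modifications in window
    alerted, alerts = set(), []
    for t, pid, op, path in sorted(events):
        if op not in {"write", "rename", "delete"}:
            continue                 # reads on their own do not damage data
        q = recent[pid]
        q.append((t, path))
        while q and t - q[0][0] > window_s:
            q.popleft()              # drop modifications older than the window
        distinct = len({p for _, p in q})
        if distinct >= threshold and pid not in alerted:
            alerted.add(pid)
            alerts.append({"pid": pid, "time": round(t, 2), "files": distinct})
    return alerts


if __name__ == "__main__":
    for a in detect_write_bursts(constructed_events()):
        print(f"pid {a['pid']} modified {a['files']} distinct files within 5 s "
              f"(threshold first crossed at t={a['time']})")
```

The rule fires on the burst and stays quiet for the editor, and because it keys on the rate of distinct-file modification rather than on file content, it does not care whether each file is encrypted fully or only in part; a partial-encryption scheme that finishes faster simply crosses the threshold sooner.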

Gangs Love to Boast About Speed

Many ransomware operations love to hype up anything they do, whether to scare victims into paying or to recruit affiliates who have a track record of successfully taking down a greater number of victims (see: Keys to LockBit's Success: Self-Promotion, Technical Acumen).

"We have witnessed different ransomware crews boast about the speed of the encryption process, and the use of intermittent processes means the ability to disrupt an organization has gone up," says Raj Samani, chief scientist at Rapid7 (see: Ransomware Response Essential: Fixing Initial Access Vector).

For defenders, although attackers may now be encrypting files more quickly, the ransomware defense basics remain the same, he says. These include ensuring an organization has the capabilities in place to detect the earlier stages of a ransomware attack, before attackers can steal data or unleash crypto-locking malware.

"All organizations must focus efforts on identifying initial entry vectors and lateral movement," Samani says. "In other words, find the malicious actors before they exfiltrate data and encrypt data."

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
