Ransomware Actors Embrace Intermittent Encryption

Written by

Threat actors are increasingly turning to a new encryption method in their ransomware attacks, designed to improve success rates, according to SentinelOne.

SentinelLabs researchers Aleksandar Milenkoski and Jim Walter wrote in a new blog post that “intermittent encryption” is being heavily advertised to buyers and affiliates.

Its primary advantages over more traditional methods of ransomware encryption are speed and its ability to evade threat detection tools.

By only partially encrypting victims’ files, threat actors can cause “irretrievable damage in a very short time frame,” the duo wrote.

Further, intermittent encryption helps to confuse the statistical analysis used by security tools to detect ransomware activity.

“Such an analysis may evaluate the intensity of file IO operations or the similarity between a known version of a file, which has not been affected by ransomware, and a suspected modified, encrypted version of the file,” Milenkoski and Walter wrote.

“In contrast to full encryption, intermittent encryption helps to evade such analyses by exhibiting a significantly lower intensity of file IO operations and much higher similarity between non-encrypted and encrypted versions of a given file.”

Back in mid-2021, LockFile was the first variant to use the new technique, encrypting every other 16 bytes of a file. 

SentinelOne has identified several ransomware families following suit and adopting intermittent encryption, including Qyick, Agenda, BlackCat (ALPHV), Play, and Black Basta.

The security industry may have to adapt to the new trend in order to improve its detection capabilities.

“Given the significant benefits to threat actors while also being practical to implement, we estimate that intermittent encryption will continue to be adopted by more ransomware families,” SentinelOne warned.

What’s hot on Infosecurity Magazine?