There is a new trend in ransomware: In order to be faster and avoid detection, attackers rely on partial (intermittent) encryption of the files. As the SentinelLabs blog reports, security functions can also be outwitted in this way. A new danger!
SentinelOne experts are observing a new trend in the ransomware scene: intermittent encryption, i.e. partial encryption of victims' files. This encryption method helps ransomware operators bypass detection systems and encrypt victims' files faster. Instead of encrypting an entire file, the ransomware encrypts only part of it, for example every other 16-byte block. SentinelOne observes that ransomware developers are increasingly adopting the feature and heavily promoting intermittent encryption to attract buyers or affiliates.
Dangerous: Intermittent encryption
The new ransomware feature makes upcoming attacks particularly dangerous because they happen very quickly. But that's just one danger point. Here are the other dangers:
Speed
Encryption can be a time-consuming process, and time is of the essence for ransomware operators - the faster they encrypt victims' files, the less likely they are to be detected and stopped in the process. Intermittent encryption causes irreparable damage in a very short time.
Bypass detection
Ransomware detection systems may use statistical analysis to detect ransomware activity. Such analysis can assess the intensity of file I/O operations, or the similarity between a known version of a file that was not affected by ransomware and a suspected modified, encrypted version of that file. In contrast to full encryption, intermittent encryption helps to circumvent such analysis: the intensity of file I/O operations is significantly lower, and the similarity between the unencrypted and encrypted versions of a given file is much higher.
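To make that detection gap concrete, here is a small constructed Python illustration added for this article (not SentinelOne's code and not any real ransomware): a block-wise XOR stands in for the cipher, and two verdict functions show why a check tuned to full encryption misses every-other-block encryption while a block-granular check still flags it. The sample file, threshold values and function names are all assumptions for the demo.

```python
from __future__ import annotations

BLOCK = 16      # block granularity described in the article
KEY = 0x5A      # constructed stand-in for a cipher: XOR with a non-zero byte
                # changes every byte it touches, which is all the demo needs

# Constructed sample "document" (1056 bytes = 66 aligned 16-byte blocks).
SAMPLE = b"Quarterly report: revenue up 4%. " * 32


def simulate_write(data: bytes, stride: int) -> tuple[bytes, int]:
    """Touch one 16-byte block out of every `stride` blocks.

    stride=1 models full encryption, stride=2 models every-other-block
    (intermittent) encryption. Returns (modified file, bytes written)."""
    out = bytearray(data)
    written = 0
    for start in range(0, len(data), BLOCK * stride):
        for i in range(start, min(start + BLOCK, len(data))):
            out[i] = data[i] ^ KEY
            written += 1
    return bytes(out), written


def byte_similarity(original: bytes, modified: bytes) -> float:
    """Fraction of byte positions that are unchanged (whole-file view)."""
    return sum(a == b for a, b in zip(original, modified)) / len(original)


def changed_block_fraction(original: bytes, modified: bytes) -> float:
    """Fraction of aligned 16-byte blocks that differ (block-granular view)."""
    starts = range(0, len(original), BLOCK)
    changed = sum(original[s:s + BLOCK] != modified[s:s + BLOCK] for s in starts)
    return changed / len(starts)


def naive_verdict(original: bytes, modified: bytes, written: int) -> bool:
    """Check tuned to full encryption: almost nothing unchanged and a near
    full-size rewrite. Both signals halve under intermittent encryption."""
    return byte_similarity(original, modified) < 0.05 and written >= 0.9 * len(original)


def block_verdict(original: bytes, modified: bytes) -> bool:
    """Block-granular check: a quarter of aligned blocks rewritten is enough."""
    return changed_block_fraction(original, modified) >= 0.25


if __name__ == "__main__":
    for label, stride in (("full", 1), ("intermittent", 2)):
        mod, written = simulate_write(SAMPLE, stride)
        print(f"{label:12s} written={written:4d} similarity={byte_similarity(SAMPLE, mod):.2f} "
              f"naive={naive_verdict(SAMPLE, mod, written)} block={block_verdict(SAMPLE, mod)}")
```

Against the sample, full encryption rewrites all 1056 bytes and leaves 0% similarity, while the every-other-block variant writes 528 bytes and leaves 50% of bytes untouched, which is exactly what the naive whole-file check is not tuned to see.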
Not new, but unfortunately effective
In mid-2021, LockFile ransomware was one of the first major ransomware families to use intermittent encryption to bypass detection mechanisms by encrypting every other 16 bytes of a file. Since then, more and more ransomware operations have joined this trend.
In its blog post, SentinelOne reviews several recent ransomware families that use intermittent encryption to evade detection and prevention: Qyick, Agenda, BlackCat (ALPHV), PLAY, and Black Basta.
More at SentinelOne.com
About SentinelOne
SentinelOne provides autonomous endpoint protection through a single agent that prevents, detects, and responds to attacks across all major vectors. Designed to be extremely easy to use, the Singularity platform saves customers time by using AI to automatically remediate threats in real time for both on-premises and cloud environments.