New ransomware trend: Why criminals increasingly rely on intermittent encryption
by Tina Siering
What are the advantages of intermittent encryption?
Previously deployed ransomware uses a key to encrypt the entire contents of a file. This renders the file - a text document, for example - unusable. LockFile takes a different approach: the tactic of this ransomware is to encrypt only a few bytes within a file. The encrypted document therefore remains very similar to the original, is overlooked by protection technologies - and in some cases can even still be partially used by users. For text documents, for example, part of the content remains readable, but for file formats that depend on a correct structure (e.g. PDFs), the entire file is corrupted by the mechanism. LockFile also differs from conventional ransomware in which files it touches: it does not encrypt files with extensions such as .exe or .dll. The purpose: to keep the victims' operating system functional.
What exactly are the advantages of intermittent encryption for cybercriminals?
Compared to conventional ransomware, LockFile offers cybercriminals two advantages at once through intermittent encryption: obfuscation and speed.
Current ransomware detection systems rely mainly on statistical analyses. These analyses evaluate the similarity between an unmodified file and one suspected to have been modified by ransomware, or the intensity of input/output operations. LockFile encrypts only small 16-byte packets within a file, which results in the encrypted document being very similar to the original. The cloaking effect is reinforced by leaving the first blocks of a file untouched and encrypting only those that follow them. This skews the statistical analysis and makes threat detection considerably harder.
Cybercriminals work against time in their attacks. This is because the longer an attack takes, the higher the probability that the attackers will be caught and stopped. Intermittent encryption is extremely fast and thus gives the hackers a significant time advantage.
How intermittent encryption works
LockFile exploits the existing ProxyShell vulnerabilities in Microsoft Exchange servers to penetrate victims' networks. Once the ransomware arrives on a system, it encrypts only a small portion of each file - specifically not the first byte blocks, but the 16-byte blocks following them. This throws off security technologies that rely on statistics to detect ransomware. The encrypted file remains statistically very similar to the original - which leads to many protection mechanisms not detecting the attack at all. Behavior-based anti-ransomware tools also do not provide reliable protection against LockFile. This is because the ransomware can use memory-mapped input/output to access documents extremely quickly, even in cache memory, encrypt them, and then have the operating system write the file to disk in a process separate from the attack. And that's not all: unlike traditional ransomware, LockFile also does not require a connection to a command-and-control server. Instead, it uses the Windows Management Interface (WMI) command-line tool, which is installed by default, for communication. WMI is used to terminate processes related to database management and virtualization. Because WMI acts as the intermediary, it is not immediately obvious that the ransomware has shut down legitimate processes. Consequently, no suspicious connections originate from the victim system, which makes it especially difficult to detect LockFile in time.
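The two passages above explain why whole-file statistics (entropy, similarity to the original) stay almost unchanged when only 16-byte packets after the first block are touched. The following script is an added illustration, not code from the article or from any ransomware sample: it overwrites bytes of a constructed text document either completely or in 16-byte packets, measures whole-file entropy and similarity, and then runs a simple per-window check that still finds the damaged packets. The stride of one packet per 256 bytes and the non-text-byte threshold are assumptions chosen for the demonstration; the article does not state LockFile's exact block layout.

```python
"""Why whole-file statistics miss intermittent encryption, and why a
per-window check does better.  All sample data is constructed here."""
import math
import random
from collections import Counter

BLOCK = 16  # the 16-byte packet size named in the article

# Constructed sample "document": a short English paragraph repeated to ~4 KiB.
SAMPLE_TEXT = (
    b"Quarterly report: revenue grew in all regions while operating costs "
    b"remained flat. The board approved the proposed budget for next year.\n"
) * 32


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def similarity(a: bytes, b: bytes) -> float:
    """Fraction of byte positions that are unchanged between a and b."""
    n = min(len(a), len(b))
    return sum(x == y for x, y in zip(a, b)) / n if n else 0.0


def overwrite_full(data: bytes, seed: int = 0) -> bytes:
    """Stand-in for conventional ransomware: every byte is replaced."""
    return random.Random(seed).randbytes(len(data))


def overwrite_intermittent(data: bytes, stride: int = 256, seed: int = 0) -> bytes:
    """Stand-in for intermittent encryption: the first BLOCK bytes are left
    alone and one BLOCK-sized packet is replaced every `stride` bytes.
    stride=256 is an assumption for illustration, not LockFile's real layout."""
    rng = random.Random(seed)
    buf = bytearray(data)
    for off in range(BLOCK, len(buf) - BLOCK + 1, stride):
        buf[off:off + BLOCK] = rng.randbytes(BLOCK)
    return bytes(buf)


def suspicious_windows(data: bytes, window: int = BLOCK, max_nontext: int = 4) -> list:
    """Offsets of windows, in a file expected to be text, that contain more
    than `max_nontext` bytes outside the printable/whitespace range.
    Whole-file entropy barely moves under intermittent encryption, but the
    damaged 16-byte packets still stand out when examined locally."""
    text_bytes = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
    hits = []
    for off in range(0, len(data) - window + 1, window):
        chunk = data[off:off + window]
        if sum(b not in text_bytes for b in chunk) > max_nontext:
            hits.append(off)
    return hits


def compare(original: bytes) -> dict:
    """Whole-file statistics versus the per-window check, for both variants."""
    full = overwrite_full(original)
    part = overwrite_intermittent(original)
    return {
        "entropy_original": shannon_entropy(original),
        "entropy_full": shannon_entropy(full),
        "entropy_intermittent": shannon_entropy(part),
        "similarity_full": similarity(original, full),
        "similarity_intermittent": similarity(original, part),
        "windows_flagged_original": len(suspicious_windows(original)),
        "windows_flagged_intermittent": len(suspicious_windows(part)),
    }


if __name__ == "__main__":
    for key, value in compare(SAMPLE_TEXT).items():
        print(f"{key:30s} {value:.4f}" if isinstance(value, float) else f"{key:30s} {value}")
```

Running it shows the point of the article in numbers: the fully overwritten copy has entropy near 8 bits per byte and almost no bytes in common with the original, while the intermittently overwritten copy keeps well over 90% of its bytes and only a modest entropy rise, so a whole-file threshold would let it pass. The per-window check flags every damaged packet in the intermittent copy and none in the untouched file, which is the kind of finer-grained heuristic a detection team would add beside whole-file statistics.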
These RaaS providers rely on intermittent encryption
Ransomware-as-a-Service (RaaS) is a service offering in the field of cybercrime in which hackers rent or buy ready-made, preconfigured tools on the darknet. Expert knowledge is thus no longer required for cyber attacks; even beginners can launch complex attacks with little training time. The following RaaS providers currently use ransomware with intermittent encryption:
Black Basta first appeared in April 2022. It is suspected that Black Basta emerged from the Conti hacker group. The RaaS solution is written in C++, can be used on Windows and Linux systems, and allows attackers to "double" blackmail their victims: in addition to encrypting the data, Black Basta operators also threaten to publish the data on the Basta News website if the ransom is not paid.
Qyick is offered for sale as ransomware. Depending on the modifications the buyer wants, the ransomware costs between 0.2 and 1.5 Bitcoins. For that, the cybercriminal not only gets the tool, but a guarantee on top: if security tools detect the malware within six months of purchase, the operator will provide a new version with a discount of up to 80%.
The PLAY ransomware is brand new on the market. The malware has only been known since the end of June 2022 and has been used to attack high-value targets ever since. PLAY cannot be configured by the user, but always performs intermittent encryption according to the size of the target file. PLAY is particularly notable for its minimal ransom note. While other RaaS providers rely on big words here, PLAY makes do with a single word - namely PLAY - and an email address for contacting the extortionist.
Written in Go, the Agenda ransomware is currently used mainly for cyberattacks on healthcare facilities and the education sector in Asia and Africa. Agenda offers numerous customization options, including the option to change file names or the processes to be terminated during an attack.
Protect against the threat of intermittent encryption
Due to the numerous advantages for cybercriminals in combination with the easy availability, it can be assumed that intermittent encryption will be increasingly used in the near future. It is therefore imperative that companies upgrade their security measures accordingly and adapt them to the new threat.
To keep LockFile and other ransomware variants with intermittent encryption out of the networks of companies and organizations, or to initiate timely defensive measures in the event of a security incident, our cyber defense experts recommend a strategy that combines endpoint protection with incident response (IR) readiness.
- Endpoint Protection
With an Endpoint Protection platform, preventative security is provided at the point of entry. Endpoint Protection blocks known malware through integrated protection mechanisms and signature-based malware defense mechanisms.
- IR Readiness
With customized incident response readiness, organizations have policies and processes in place to appropriately handle security incidents. The recommended actions represent optimal preparation for an emergency.
LockFile is not just another new ransomware family, but an acute threat that worries security experts. The ransomware relies on intermittent encryption, does not connect to command-and-control servers, and encrypts data extremely quickly. Enterprises need to respond immediately to the new threat landscape, as intermittent encryption is expected to become one of the cybercrime trends of the near future. By securing all endpoints in the network and having a carefully crafted incident response readiness, companies can meet the new challenges. We would be happy to advise you on the necessary measures in a personal meeting. Why not get in touch with us right now!