Security Awareness – Ransomware Threat Actors Adopting New Encryption Tactic

An increasing number of ransomware gangs are embracing a new tactic that allows them to encrypt their victims’ systems faster while reducing the odds of being detected, according to a new report from SentinelLabs. This tactic is known as intermittent encryption and involves encrypting only portions of the targeted files’ content, which still renders the data unrecoverable without a valid decryptor+key. For instance, “by skipping every other 16 bytes of a file, the encryption process takes almost half of the time required for full encryption but still locks the contents for good,” according to BleepingComputer. And since intermittent encryption exhibits a lower intensity of file IO operations, compared to normal encryption, automated detection tools may not be able to spot the occurrence of this tactic. SentinelLabs’s report traces the start of this tactic to LockFile ransomware actors, back in mid-2021. Now, other ransomware groups like Black Basta, ALPHV (BlackCat), PLAY, Agenda, and Qyick have adopted and actively promote it to encourage cyber criminals to join their Ransomware-as-a-Service operations. Access the full report at SentinelLabs or read a relevant news article here.