Numerous ransomware groups have been seen using a new tactic called Intermittent Encryption, which encrypts targeted systems quickly. The tactic helps threat actors reduce the chances of being detected and obstructed by security solutions.
Researchers noted that threat actors heavily abuse the new tactic since it allows them to have a more controlled environment inside a targeted network. The tactic involves encrypting only selected parts of a targeted file's content. This still leaves the data unusable while significantly reducing the ransomware campaign's encryption time.
Automated tools that primarily detect trouble in file I/O operations are expected to be worthless since the encryption is partial. The encryption process for this method is quicker than in other attacks since it uses Intermittent Encryption with malware coded in the Go language (Golang).
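For defenders, the sketch below is an added example, not code from the researchers or any vendor. It shows why a whole-file check can miss a partially encrypted file while a per-block profile flags it. The entropy-based approach, the 4096-byte window, the 7.5 bits/byte threshold and the "every fourth block" sample are all assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # analysis window in bytes (assumed value)
HIGH = 7.5    # bits/byte at or above which a block looks encrypted (assumed threshold)

def entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess(data: bytes, block: int = BLOCK, high: float = HIGH) -> dict:
    """Compare a whole-file entropy check with a per-block profile."""
    # Only full-size blocks are scored: a short tail has too few bytes to judge.
    starts = range(0, len(data) - block + 1, block)
    flags = [entropy(data[i:i + block]) >= high for i in starts]
    whole = entropy(data)
    return {
        "whole_file_entropy": round(whole, 2),
        "whole_file_alert": whole >= high,
        "high_blocks": sum(flags),
        "blocks": len(flags),
        # High- and low-entropy blocks in the same file: the partial pattern.
        "partial_alert": 0 < sum(flags) < len(flags),
    }

def random_like(n: int) -> bytes:
    """Deterministic high-entropy filler standing in for encrypted bytes."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])

def build_samples(blocks: int = 16) -> dict:
    """Constructed inputs: plain text, every 4th block replaced, all replaced."""
    line = b"ts=1700000000 level=info svc=billing msg=heartbeat status=ok\n"
    clean = (line * (blocks * BLOCK // len(line) + 1))[:blocks * BLOCK]
    filler = random_like(blocks * BLOCK)
    mixed = bytearray(clean)
    for i in range(0, blocks, 4):
        mixed[i * BLOCK:(i + 1) * BLOCK] = filler[i * BLOCK:(i + 1) * BLOCK]
    return {"clean": clean, "partial": bytes(mixed), "full": filler}

if __name__ == "__main__":
    for name, data in build_samples().items():
        print(name, assess(data))
```

Legitimate container formats can also mix compressed and plain regions, so a per-block hit is a triage signal to weigh alongside behaviour-based detection, not a verdict on its own.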
The Intermittent Encryption tactic became a primary weapon for a particular ransomware group.
According to cybersecurity researchers, the LockFile ransomware group has used the Intermittent Encryption tactic for more than a year. Researchers first spotted them using such a technique in the middle of last year.
The popularity and consistency of the technique have attracted several other ransomware groups, such as Black Basta, Agenda, ALPHV, PLAY, and Qyick. Having seen the encryption method's potential, all of these groups have adopted it in their recent attacks.
In addition, these groups are promoting intermittent encryption to recruit potential affiliates to join their Ransomware-as-a-Service operations. The best example is the Agenda ransomware group, which offered its customers intermittent encryption functionality as a configurable setting.
An identical feature was also offered recently by the BlackCat (ALPHV) ransomware.
Intermittent Encryption has several advantages that cybercriminals could abuse. Hence, experts expect that more groups will employ similar tactics soon.
Therefore, organisations should invest in competent anti-ransomware solutions with behaviour-based detection. Additionally, potential targets should always have a reliable backup for sensitive data to mitigate any associated dangers.