
Ransomware groups start using intermittent encryption

Ransomware groups start using intermittent encryption. Sentinel Labs cybersecurity experts: the goal is to evade detection and encrypt victims’ files faster. The latest malware using this technique is Qyick.

Ransomware groups have started using intermittent encryption, that is, partial encryption of victims’ files, to evade detection systems and to encrypt the files faster. This has been reported by Sentinel Labs cybersecurity experts. Intermittent encryption matters to cybercrime actors from two perspectives:

  • Speed: Encryption can be a time-intensive process and time is crucial to ransomware operators – the faster they encrypt the victims’ files, the less likely they are to be detected and stopped in the process. Intermittent encryption does irretrievable damage in a very short time frame.
  • Evasion: Ransomware detection systems may use statistical analysis to detect ransomware operation. Such an analysis may evaluate the intensity of file IO operations or the similarity between a known version of a file, which has not been affected by ransomware, and a suspected modified, encrypted version of the file. In contrast to full encryption, intermittent encryption helps to evade such analyses by exhibiting a significantly lower intensity of file IO operations and much higher similarity between non-encrypted and encrypted versions of a given file.
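The evasion bullet above describes two statistical heuristics a detector may use: the intensity of file IO and the similarity between a known-good copy of a file and its suspected encrypted version. The following Python example, added here and not taken from the Sentinel Labs report or from any ransomware family, shows why a whole-file similarity check is fooled by partial encryption while a per-chunk entropy check still fires. Everything is constructed: the sample "document" is a repeated text string, "encryption" is simulated by overwriting chunks with random bytes (no cipher is involved), and the chunk size and thresholds are assumptions a real detector would tune against its own file corpus.

```python
import math
import os
from typing import Dict, List

# Constructed stand-in for a user document (repetitive text, low entropy).
SAMPLE_PLAINTEXT = b"Quarterly report: revenue up, costs stable. " * 2000

CHUNK = 4096  # analysis window in bytes (assumption, not from the article)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def byte_similarity(original: bytes, modified: bytes) -> float:
    """Fraction of byte positions that are identical: the simplest
    'known version vs. suspected version' similarity metric."""
    n = min(len(original), len(modified))
    if n == 0:
        return 0.0
    return sum(1 for x, y in zip(original, modified) if x == y) / n


def simulate_full_encryption(data: bytes) -> bytes:
    """Random bytes stand in for ciphertext of the whole file (simulation only)."""
    return os.urandom(len(data))


def simulate_intermittent_encryption(data: bytes, encrypt_every: int = 4) -> bytes:
    """Overwrite one chunk in every `encrypt_every` with random bytes and leave
    the remaining chunks untouched, mimicking the partial-encryption pattern
    the article describes (simulation only, no cipher)."""
    out = bytearray(data)
    for i, start in enumerate(range(0, len(data), CHUNK)):
        if i % encrypt_every == 0:
            end = min(start + CHUNK, len(data))
            out[start:end] = os.urandom(end - start)
    return bytes(out)


def chunk_entropies(data: bytes) -> List[float]:
    """Entropy of each CHUNK-sized window of the file."""
    return [shannon_entropy(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)]


def whole_file_verdict(original: bytes, modified: bytes, sim_threshold: float = 0.5) -> bool:
    """Naive detector: flag the file only if it no longer resembles the known copy."""
    return byte_similarity(original, modified) < sim_threshold


def chunked_verdict(modified: bytes, high_entropy: float = 7.5, min_fraction: float = 0.25) -> bool:
    """Windowed detector: flag the file if enough windows look like random data,
    even when most of the file is still intact."""
    ents = chunk_entropies(modified)
    high = sum(1 for e in ents if e >= high_entropy)
    return high / len(ents) >= min_fraction


def demo() -> Dict[str, bool]:
    """Run both detectors against a fully and a partially encrypted copy."""
    full = simulate_full_encryption(SAMPLE_PLAINTEXT)
    partial = simulate_intermittent_encryption(SAMPLE_PLAINTEXT, encrypt_every=4)
    return {
        "full_whole_file": whole_file_verdict(SAMPLE_PLAINTEXT, full),        # True
        "partial_whole_file": whole_file_verdict(SAMPLE_PLAINTEXT, partial),  # False: evaded
        "full_chunked": chunked_verdict(full),                                # True
        "partial_chunked": chunked_verdict(partial),                          # True
    }


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(f"{name}: {'FLAGGED' if flagged else 'missed'}")
```

With one chunk in four overwritten, roughly 72% of the partially encrypted file is byte-for-byte identical to the original, so a similarity threshold of 0.5 never trips; the windowed entropy check sees about 27% of windows at near-random entropy and flags it. A production detector would combine such content heuristics with the IO-rate signal the article mentions and with file-header checks, since a real format's intact chunks are not as low-entropy as this constructed text.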

LockFile, in mid-2021, was one of the first major malware families to use intermittent encryption. Since then, an increasing number of ransomware operations have joined the trend, such as Agenda, BlackCat (ALPHV), PLAY, and Black Basta. The latest is Qyick, advertised by the user lucrostm on a popular TOR-based crime forum.
