Ransomware Groups Make The Move To Intermittent Encryption

In a cyberattack, time is of the essence for both attackers and defenders. To both accelerate the ransomware encryption process and make it harder to detect, cybercriminal groups have started using a new technique: intermittent encryption.

Essentially, this allows the ransomware encryption malware to partially encrypt files or only encrypt parts of the files. The features of this program are designed to increase attackers' speed, reducing the chances of being detected and having the threat shut down. This article will discuss the case of LockFile, how it managed to get past security measures, and how to protect your sensitive data from this new tactic.

What is LockBit and How Does It Work?

LockBit is a type of ransomware active in cyberattacks since at least the second half of 2021. Its popularity increased with the launch of LockBit 2.0, which was developed using the Assembly and Origin C programming languages and leverages advanced encryption standards (AES) and elliptic-curve cryptography (ECC) algorithms to encrypt victim data. LockBit 2.0 has evolved to include the ability to encrypt networks via group policy updates and can be automatically distributed through a Windows domain with no scripts.

LockBit is a subclass of ransomware known as a 'crypto virus' that forms ransom requests around financial payment in exchange for decryption. It was formerly known as "ABCD" ransomware before it evolved into a unique threat in the scope of extortion tools.

LockFile ransomware, also known as LockFile45, is a new type of ransomware that encrypts files and demands ransom in exchange for a decryption key. It is a new strain of the same ransomware family as LockBit.

Both ransomware variants use robust encryption algorithms, which makes it difficult to decrypt files without a decryption key, rendering the systems inaccessible. As a result, victims of LockBit and LockFile must pay a ransom to regain access to their data and systems.

Intermittent encryption is a new technique cyber attackers use to evade detection by security software. As the name suggests, intermittent encryption only encrypts part of the file, alternating between sections of the data that will have their content altered and others that will be skipped over. This type of encryption is done sequentially rather than targeting specific data areas.

Intermittent encryption is an exceptionally deceptive attack method. It keeps CPU usage low and processes behavior in line with "normal system behavior," making it much harder to detect for conventional and behavior-based ransomware tools. Since it can avoid detection, it has become popular among ransomware gangs. Intermittent encryption is a new form of ransomware that has successfully prevented cybersecurity products like endpoint security, extended detection and response (XDR), and other security defenses. Moreover, security analysts expect more ransomware gangs to adopt this approach shortly due to its significant advantages and virtually no downsides.

How Do Attackers Use Intermittent Encryption?

Malware can quickly attack a system by encrypting an entire file. However, encrypting small file blocks is a more sneaky approach that takes less time to complete the attack. Time is a critical factor for malicious hackers, and encrypting gigabytes or terabytes of data can be time-consuming compared to encrypting a few 10-megabyte blocks.

Intermittent encryption modifies only small portions of a file, mimicking legitimate software that updates small file blocks. When compressed blocks in a legitimate file become corrupt, the whole file becomes unreadable. Similarly, if only part of a file is modified by ransomware, the entire file becomes unusable.

Hackers increasingly use intermittent encryption, thanks to various automated implementations available through ransomware as a service (RaaS), a subscription service model that enables hacker affiliates to use predeveloped ransomware tools to launch attacks. 

Intermittent encryption can get around some of the protection used by anti-ransomware tools. By encrypting files in small intervals, ransomware attackers can avoid detection or extend the time it takes for their activity to be detected and stopped. This practice can also make it more difficult for anti-ransomware tools to recover files.

Security analysts anticipate that more ransomware gangs will adopt intermittent encryption due to its significant advantages and few downsides. The LockBit strain is already known for its fast encryption speeds, and adopting partial encryption would further reduce the duration of their attacks to mere minutes.

However, cybercriminals must implement intermittent encryption correctly to ensure victims cannot easily recover their data. Encryption is a complex process; implementation mistakes could compromise the attack's effectiveness.

Currently, BlackCat's implementation of intermittent encryption is the most advanced. In contrast, the details of Qyick's implementation remain unknown since malware analysts have yet to analyze samples of the new Ransomware-as-a-Service (RaaS).

How Can I Prevent a Ransomware Attack?

The vendor community monitors emerging trends, anticipates new threats, and updates its products to prevent attackers from gaining an advantage. Customers must also remain vigilant and take proactive measures to secure their systems with adequate ransomware protection provided by a comprehensive cloud email security solution. Layered defense mechanisms are necessary to mitigate ransomware attacks. Best practices and security controls include:

• AI-based detection capabilities for advanced anti-phishing
• User education and awareness programs
• Web application firewalls (WAFs) to protect data
• An automated, risk-based patching program
• Threat detection and response across multiple layers (XDR)
• Firewalls and other protective measures for IoT and OT environments
• Regular backups, including an offline copy
• Regularly tested incident response plans

SMBs should also consider a Zero Trust security approach to reduce the impact of ransomware. This strategy's key components are minor privilege policies, network segmentation, multi-factor authentication (MFA), and continuous monitoring. Although the ransomware threat may be persistent, security leaders can take steps to minimize cyber risk across their organizations.

Some other things to consider to prevent an intermittent encryption attack include:

• Keep your software up to date: ensure you have the latest security patches installed for your operating system, antivirus software, and other applications. This will help prevent vulnerabilities that ransomware can exploit.
• Use strong passwords: ensure you use strong passwords that are difficult to guess, and consider using a password manager to help you manage them. Weak passwords are easy for hackers to crack, giving them access to your system.
• Back up your data: regularly back up to an external hard drive or cloud-based storage service. Frequent backups enable you to recover your data if it is encrypted by ransomware.
• Be cautious of email attachments: don't open attachments from unknown senders or suspicious emails. These attachments can contain malicious software that can infect your computer.
• Use anti-malware software: install and use reputable anti-malware software to detect and remove malicious software from your computer. This software can also help prevent ransomware attacks.
• Train your employees: educate your employees on how to recognize and avoid phishing emails and suspicious links. This will help prevent ransomware attacks that rely on social engineering tactics.

Cyberattack Exposes Student Records, COVID-19 Test Results, and Personal Information 

The Los Angeles Unified Schools (LAUSD) recently confirmed that a ransomware attack and a data leak compromised the assessment records, driver's license numbers, and Social Security numbers for approximately 2,000 current and former students. LAUSD stated that an investigation into the cyberattack also revealed positive COVID-19 results as part of the breach.

According to the senior IT infrastructure administrator, some records date back nearly three decades, resulting in time-consuming analyses. The "significant disruptions" did not lead to school closures, and LAUSD created an independent IT task force composed of cybersecurity experts. This team was tasked with creating a set of recommendations and providing monthly status updates. Later, LAUSD announced that a criminal group released an illegally obtained dataset online.

LAUSD said that it had notified some of the individuals and vendors affected by the attack and would continue to do so until all details are known and further analysis is conducted.

Keep Learning About Ransomware Prevention

Extra vigilance is required for businesses to defend against the ransomware tactic of intermittent encryption. Faced with this new trend, organizations must make the change to early prevention and focus on the early stages of ransomware attacks.

• Learn more about protecting your business from ransomware-as-a-service.
• Learn more about an effective email security solution that understands your relationships with others while gaining a deeper knowledge of your conversations with them.
• Learn more about developing a plan that is effective at protecting against ransomware.
• Learn more about traditional security solutions that fall short of ransomware prevention.
• Get the latest updates on how to stay safe online.