Ransomware Groups Make The Move To Intermittent Encryption

In a cyberattack, time is of the essence for both attackers and defenders. To both accelerate the ransomware encryption process and make it harder to detect, cybercriminal groups have started using a new technique: intermittent encryption.

Essentially, this allows the ransomware to encrypt only parts of each file rather than the whole file. The technique is designed to increase the attackers' speed, reducing the chance that the intrusion is detected and shut down before encryption completes. This article will discuss the case of LockFile, how it managed to get past email security measures, and how to protect your sensitive data from this new tactic.

What is LockBit and How Does It Work?

LockBit is one of many types of ransomware active in cyberattacks since at least the second half of 2021. Its popularity increased with the launch of LockBit 2.0, which was developed using the Assembly and Origin C programming languages and leverages the Advanced Encryption Standard (AES) and Elliptic-Curve Cryptography (ECC) algorithms to encrypt victim data. LockBit 2.0 has evolved to include the ability to encrypt networks via group policy updates and can be distributed automatically through a Windows domain without scripts.

LockBit belongs to a subclass of ransomware known as 'crypto viruses', which build their ransom demands around payment in exchange for decryption. It was formerly known as "ABCD" ransomware before it evolved into a distinct threat among extortion tools.

LockFile ransomware, also known as LockFile45, is a new type of ransomware that encrypts files and demands ransom in exchange for a decryption key. It is a new strain of the same ransomware family as LockBit.

Both ransomware variants use robust encryption algorithms, which makes it difficult to decrypt files without a decryption key, rendering the systems inaccessible. As a result, victims of LockBit and LockFile must pay a ransom to regain access to their data and systems.

Intermittent encryption is a new technique cyber attackers use to evade detection by cybersecurity platforms. As the name suggests, it encrypts only part of each file, alternating between sections whose content is altered and sections that are skipped over. The encryption proceeds sequentially through the file rather than targeting specific data areas.

Intermittent encryption is an exceptionally deceptive attack method. It keeps CPU usage low and process behavior in line with "normal system behavior," making it much harder for conventional and behavior-based anti-ransomware tools to detect. Because it can avoid detection, it has become popular among ransomware gangs. Ransomware using this technique has successfully evaded products such as endpoint threat protection, extended detection and response (XDR), and other security defenses. Moreover, security analysts expect more ransomware gangs to adopt this approach shortly, given its significant advantages and virtually no downsides.

How Do Attackers Use Intermittent Encryption?

Malware can attack a system by encrypting entire files. However, encrypting only small blocks of each file is a sneakier approach that also takes less time to complete. Time is a critical factor for malicious hackers, and encrypting gigabytes or terabytes of data is time-consuming compared to encrypting a few 10-megabyte blocks.

Intermittent encryption modifies only small portions of a file, mimicking legitimate software that updates small file blocks. Just as a legitimate file becomes unreadable when its compressed blocks become corrupt, a file becomes unusable when ransomware modifies only part of it.

Hackers increasingly use intermittent encryption, thanks to the automated implementations available through ransomware as a service (RaaS), a subscription model that lets affiliates launch attacks with pre-developed ransomware tools.

Intermittent encryption can get around some of the protections used by anti-ransomware tools. By encrypting only small intervals of each file, attackers can avoid detection or extend the time before their activity is detected and stopped by cybersecurity platforms. This practice can also make it more difficult for anti-ransomware tools to recover files.
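The detection gap described above, in which a file that is only partly encrypted keeps its overall statistics close to "normal", is easiest to see by comparing a whole-file entropy reading with a per-window one. The following Python script is an added example for this article; it is not code from the original post or from any of the ransomware families it names. It assumes a 4 KiB analysis window and the entropy thresholds given as constants, which are tunable guesses rather than published values, and it builds its own sample files (plain repeated text, and the same text with every other window overwritten by a hash stream standing in for ciphertext) so that it runs offline.

```python
"""Per-window entropy check for spotting partially (intermittently) encrypted files.

Added illustration for this article, not code from the post or from any ransomware
family it names. Assumptions: the file is readable in full, the window size and the
two entropy thresholds below are tunable guesses, and the sample data is constructed.
"""
import hashlib
import math
from collections import Counter

CHUNK_SIZE = 4096   # analysis window in bytes (assumed; tune for the file types you scan)
HIGH_ENTROPY = 7.5  # bits per byte; ciphertext and random data sit close to 8.0
LOW_ENTROPY = 6.0   # text, source code and most uncompressed documents sit below this


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size window, in file order."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def classify(data: bytes, chunk_size: int = CHUNK_SIZE) -> dict:
    """Compare a single whole-file entropy reading with a per-window one.

    A file in which high-entropy and low-entropy windows both occur is the
    signature of partial encryption: the untouched windows pull the whole-file
    figure down, so a one-number threshold on the whole file misses it.
    """
    ents = chunk_entropies(data, chunk_size)
    high = [i for i, e in enumerate(ents) if e >= HIGH_ENTROPY]
    low = [i for i, e in enumerate(ents) if e <= LOW_ENTROPY]
    if high and low:
        verdict = "partially-encrypted"
    elif ents and len(high) == len(ents):
        verdict = "high-entropy-throughout"   # encrypted, or simply compressed
    else:
        verdict = "plaintext"
    whole = shannon_entropy(data)
    return {
        "whole_file_entropy": round(whole, 2),
        "whole_file_flagged": whole >= HIGH_ENTROPY,
        "chunks": len(ents),
        "high_chunks": high,
        "low_chunks": low,
        "verdict": verdict,
    }


# --- constructed sample data (not real malware output) ------------------------
TEXT_LINE = b"invoice 2023-11 line item total 000.00 status open\n"


def constructed_document(n_chunks: int = 8) -> bytes:
    """A plain-text 'document' of repeated lines, exactly n_chunks windows long."""
    body = TEXT_LINE * (n_chunks * CHUNK_SIZE // len(TEXT_LINE) + 1)
    return body[: n_chunks * CHUNK_SIZE]


def pseudo_ciphertext(length: int, label: bytes = b"sample") -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (a hash stream, not encryption)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def constructed_partial_sample(data: bytes, chunk_size: int = CHUNK_SIZE) -> bytes:
    """Test fixture: every other window replaced by pseudo-ciphertext, the alternating pattern described above."""
    windows = [data[i:i + chunk_size] for i in range(0, len(data), chunk_size)]
    return b"".join(pseudo_ciphertext(len(w), str(i).encode()) if i % 2 == 0 else w
                    for i, w in enumerate(windows))


if __name__ == "__main__":
    doc = constructed_document()
    for name, blob in [("untouched", doc),
                       ("partial", constructed_partial_sample(doc)),
                       ("full", pseudo_ciphertext(len(doc)))]:
        print(name, classify(blob))
```

Run as a script it prints three verdicts: the untouched document is plaintext, the partially overwritten one is flagged only by the per-window view (its whole-file entropy stays under the threshold), and the fully overwritten one is high-entropy throughout. That last verdict is deliberately ambiguous: archives, images and other compressed formats also sit near 8 bits per byte across the whole file, so a real scanner needs a per-file-type baseline, and a sudden burst of files changing from the first verdict to either of the other two is a stronger signal than any single file.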

Security analysts anticipate that more ransomware gangs will adopt intermittent encryption due to its significant advantages and few downsides. The LockBit strain is already known for its fast encryption speeds, and adopting partial encryption would further reduce the duration of their attacks to mere minutes.

However, cybercriminals must implement intermittent encryption correctly to ensure victims cannot easily recover their data. Encryption is a complex process; implementation mistakes could compromise the attack's effectiveness.

Currently, BlackCat's implementation of intermittent encryption is the most advanced. In contrast, the details of Qyick's implementation remain unknown since malware analysts have yet to analyze samples of the new Ransomware-as-a-Service (RaaS).

How Can I Prevent a Ransomware Attack?

The vendor community monitors emerging trends, anticipates new threats, and updates its products to prevent attackers from gaining an advantage against malware protection and other cybersecurity tools. Customers must also remain vigilant and take proactive measures to secure their systems with adequate ransomware protection provided by a comprehensive cloud email security software solution. Layered defense mechanisms are necessary to mitigate ransomware attacks. The best practices for email security and controls include:

  • AI-based detection capabilities for advanced anti-phishing
  • User education and email security awareness programs
  • Web application firewalls (WAFs) to ensure data loss prevention
  • An automated, risk-based patching program
  • Advanced threat protection and response across multiple layers (XDR)
  • Firewalls and other protective measures for IoT and OT environments
  • Regular backups, including offline copies
  • Regularly tested incident response plans

SMBs should also consider a Zero Trust security approach to reduce the impact of ransomware. The key components of this strategy are least-privilege policies, network segmentation, multi-factor authentication (MFA), and continuous monitoring. Although the ransomware threat is persistent, email security leaders can take steps to minimize cyber risk across their organizations. Other things to consider to prevent an intermittent encryption attack include:

  • Keep your software updated: Ensure you have the latest security patches installed for your operating system, antivirus software, and other applications. This will help prevent vulnerabilities that any type of ransomware can exploit.
  • Use strong passwords: Be sure you use strong passwords that are difficult to guess, and consider using a password manager to help you organize them. Weak passwords are easy for hackers to crack, making it much easier for them to gain access to your system.
  • Back up your data: Regularly back up to an external hard drive or cloud-based storage service. Frequent backups enable you to recover your data if it is encrypted by ransomware.
  • Be cautious of email attachments: Don't open attachments from unknown senders or suspicious emails, since they can contain malicious software that could infect your computer.
  • Use anti-malware software: Install and use reputable anti-threat protection software to detect and remove malicious software from your computer. This software can also help prevent ransomware attacks.
  • Train your employees: Educate your employees on how to recognize and avoid phishing email attacks and suspicious links. This will help prevent ransomware attacks that rely on social engineering tactics.

Cyberattack Exposes Student Records, COVID-19 Test Results, and Personal Information 

The Los Angeles Unified School District (LAUSD) recently confirmed that a ransomware attack and a data leak compromised the assessment records, driver's license numbers, and Social Security numbers of approximately 2,000 current and former students. LAUSD stated that an investigation into the cyberattack also revealed positive COVID-19 results as part of the breach.

According to the senior IT infrastructure administrator, some records date back nearly three decades, resulting in time-consuming analyses. The "significant disruptions" did not lead to school closures, and LAUSD created an independent IT task force composed of cybersecurity experts. This team was tasked with creating a set of recommendations and providing monthly status updates. Later, LAUSD announced that a criminal group released an illegally obtained dataset online.

LAUSD said that it had notified some of the individuals and vendors affected by the attack and would continue to do so until all details are known and further analysis is conducted. The experience LAUSD dealt with in regard to ransomware proves how important it is to implement safety measures to combat all types of ransomware attacks.

Keep Learning About Ransomware Prevention

Extra vigilance is required for businesses to defend against the ransomware tactic of intermittent encryption. Faced with this new trend, organizations must shift to early prevention and focus on the early stages of ransomware attacks.
