Alex - stock.adobe.com
An emerging tactic amongst several ransomware groups has heightened concerns, but infosec experts say it's likely not going to be a game changer.
Known as intermittent encryption, the new attack method has been spotted by researchers in both in-the-wild samples and advertisements posted to dark web cybercrime forums. In recent months, notorious ransomware gangs such as BlackCat/Alphv and Black Basta have adopted the technique
As the name suggests, an intermittent encryption attack only encrypts part of the file, alternating between sections of a file that will have their data altered and others that will be skipped over. Threat analysts say the encryption is done sequentially rather than targeting specific sections of the data.
As the first samples emerged last year, researchers speculated on why the ransomware would be designed to only encrypt some of the victims' data. One theory presented by Sophos was that the selective encryption of data was a way to thwart detection.
In a report published in August 2021, Mark Loman, director of engineering for next-gen technologies at Sophos, explained how LockFile ransomware samples were encrypting every other 16 bytes of a file in order to beat the chi-squared (chi^2) statistical analysis used by some ransomware protection products.
"An unencrypted text file of 481 KB (say, a book) has a chi^2 score of 3850061. If the document was encrypted by DarkSide ransomware, it would have a chi^2 score of 334 – which is a clear indication that the document has been encrypted," Loman wrote. "If the same document is encrypted by LockFile ransomware, it would still have a significantly high chi^2 score of 1789811."
Who's at risk
Recent reports on intermittent encryption, including a SentinelLabs research post from SentinelOne last month, show the technique has gained traction with other ransomware gangs. Jim Walter, threat researcher with SentinelOne, told TechTarget Editorial the technique could be a way to get around some of the protections used by anti-ransomware tools, specifically older ones.
"With most modern security technologies, the change does not affect insight into the attack. That is not true with older platforms and 'legacy' products," Walter explained.
"Those vendors that exist in this new space already can swiftly adapt and respond to these TTPs [tactics, techniques, and procedures]. We put a lot of effort into detecting these sorts of techniques and do so effectively. The attackers are clearly trying to evade systems that aren't as well hardened."
Other researchers, however, believe that the opposite may be true: the intermittent encryption technique could be more effective when deployed against the new detection methods that rely on statistical analysis of customer data like chi-squared.
"Intermittent encryption is a countermeasure that affects real ransomware protection that focuses on content analysis to detect file encryption," Loman told TechTarget editorial.
"Machine learning, signature-based file scanning or file and process behavior detection are not affected because they lack this effective ransomware protection -- they focus on other things except file encryption. So this countermeasure is actually more effective against newer tools."
Dick O'BrienPrincipal intelligence analyst, Symantec
Whether there is an improvement in evading some detections or not, most researchers do not seem to think that intermittent encryption is anything near a superweapon that will create uncatchable ransomware.
In fact, some experts believe that evading detection tools is not even the primary goal of those using the technique. In a recent blog post, Symantec's Threat Hunter Team detailed how BlackCat/Alphv, also known as Noberus, used the technique for quicker file encryptions.
Dick O'Brien, principal intelligence analyst with Symantec, said that if there is any real improvement with the technique, it's that it lets ransomware gangs lock victims' data faster.
"We think they are looking at it purely for speed," O'Brien told TechTarget Editorial. "If it can evade some detections, that is more of an accident than an intent. For ransomware groups, speed is very important."
O'Brien noted that if a ransomware operator can get in and out of a target's network quickly, they can avoid detection. But that would come from simply encrypting the data faster rather than moving silently and bypassing analysis tools.
"This is not a game-changer is the takeaway here, and the usual advice and mitigations apply to intermittent encryption," O'Brien said. "The only thing you can say is given the speed [increase], those practices are more important than they were."