Ransomware makes use of intermittent encryption to bypass detection algorithms


Most cybercriminals running ransomware operations are under the spotlight. Not only are they investigated by law enforcement and security companies; the way they technically spread their malware and the way the malware runs and works on infected computers are also heavily scrutinized.

A new report from SentinelOne exposes a new technique deployed by a few ransomware groups, observed in the wild recently and called “intermittent encryption.”

What is intermittent encryption?

The term might be confusing, so it seems important to clarify it immediately: intermittent encryption is not about encrypting a selection of whole files, but about encrypting only parts of each file, for example every Nth block of bytes, and leaving the rest untouched.

According to the researchers, intermittent encryption allows better evasion on systems that use statistical analysis to detect an ongoing ransomware infection. This kind of analysis is based on the intensity of the operating system's file input and output (I/O) operations, or on the similarity between a known version of a file and a suspected modified version. Intermittent encryption therefore lowers the intensity of file I/O and leaves the encrypted file much more similar to its non-encrypted version, since only some of its bytes are altered.

Intermittent encryption also has the benefit of encrypting less content while still rendering the system unusable, in a very short time frame, which makes it even harder to detect ransomware activity between the time of infection and the time the content has been encrypted.

A study of BlackCat ransomware using different file sizes revealed that intermittent encryption brings significant speed benefits to threat actors.

Historically, LockFile ransomware was the first malware family to make use of intermittent encryption, in mid-2021, yet several different ransomware families are now using it.


What threat groups are using intermittent encryption?

It is also important to know that intermittent encryption has become increasingly popular on underground forums, where it is now advertised as a feature to attract buyers or affiliates.

Qyick ransomware

SentinelOne’s researchers report that they saw an advertisement for a new commercial ransomware called Qyick on a popular crime forum on the Dark Web. The advertiser, known as lucrostm, has previously been seen selling other software such as remote access tools (RATs) and malware loaders, and sells Qyick at a price ranging from 0.2 Bitcoins (BTC) to approximately 1.5 BTC depending on the options the buyer wants. One of the guarantees provided by lucrostm is that if a binary of the ransomware family is detected by security solutions within six months of purchase, a generous 60 to 80% discount will be provided for a new undetected ransomware sample.

The ransomware is written in the Go language, which, according to the developer, makes it faster, in addition to its use of intermittent encryption (Figure A).

Figure A

Advertisement for Qyick ransomware on a cybercrime underground forum. Image: SentinelOne

Qyick is still under development. While it has no exfiltration capabilities right now, future versions are expected to allow its controller to execute arbitrary code, primarily for that purpose.

PLAY ransomware

This ransomware was first seen at the end of June 2022. It uses intermittent encryption based on the size of the current file. It encrypts chunks of 0x100000 bytes (1048576 bytes in decimal, i.e. 1 MB) and encrypts two, three or five such chunks, depending on the file size.

Agenda ransomware

This ransomware is another one written in Go. It supports several intermittent encryption methods, which the controller can configure.

A first option named “skip-step” encrypts every X MB (megabytes) of the file and then skips a specified number of MB. A second option named “fast” encrypts only the first N MB of each file. The last option, “percent,” encrypts only a percentage of each file.

Black Basta ransomware

This ransomware has been operated as ransomware-as-a-service (RaaS) since April 2022. It is written in C++ and its operators have been using double extortion with it, threatening to leak exfiltrated data if the victims do not pay the ransom.

Black Basta’s intermittent encryption encrypts 64 bytes and then skips 192 bytes if the file size is less than 4 KB. If the file is greater than 4 KB, the ransomware still encrypts 64 bytes at a time but skips 128 bytes instead of 192.
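The evasion argument made in the introduction (statistical detectors that look at whole-file similarity or entropy) and the Black Basta layout just described can be checked together with a small detector. The following Python is an added example written for this article; it is not code from SentinelOne's report or from any of the ransomware families discussed. The "encryption" is only simulated by overwriting byte ranges with random data, which is what ciphertext looks like statistically; the sample document, the 64/192 layout taken from the Black Basta description, the 0.85 threshold and the 64-byte scan window are constructed choices for the demonstration.

```python
"""
Why whole-file statistics miss intermittent encryption while a windowed
entropy scan does not.  Added example; the "encryption" is simulated by
overwriting byte ranges with random bytes (no real cipher involved).
"""
import math
import random
from collections import Counter

# Layouts as described for Black Basta: (bytes overwritten, bytes skipped).
SMALL_FILE_PATTERN = (64, 192)   # files under 4 KB
LARGE_FILE_PATTERN = (64, 128)   # files over 4 KB

# Constructed sample "document": ordinary low-entropy text, 3840 bytes,
# i.e. exactly 15 repetitions of the 256-byte small-file period.
SENTENCE = b"The quick brown fox jumps over the lazy dog. "
SAMPLE_DOC = (SENTENCE * 90)[:3840]


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def normalized_entropy(data: bytes) -> float:
    """Entropy divided by the maximum achievable for this length, so a
    64-byte window (at most 64 distinct values, 6 bits) and a whole file
    (256 values, 8 bits) are comparable on a 0..1 scale."""
    if len(data) < 2:
        return 0.0
    return shannon_entropy(data) / math.log2(min(len(data), 256))


def simulate_intermittent(data: bytes, enc_len: int, skip_len: int,
                          rng: random.Random) -> bytes:
    """Stand-in for an intermittent encryptor used only to build detector
    test input: overwrite enc_len bytes with random data, leave skip_len
    bytes untouched, repeat to the end of the buffer."""
    out = bytearray(data)
    pos = 0
    while pos < len(out):
        end = min(pos + enc_len, len(out))
        out[pos:end] = bytes(rng.getrandbits(8) for _ in range(end - pos))
        pos = end + skip_len
    return bytes(out)


def byte_similarity(a: bytes, b: bytes) -> float:
    """Fraction of byte positions that are identical: the kind of
    'similarity to a known copy' check the article says is evaded."""
    if len(a) != len(b) or not a:
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)


def scan_windows(data: bytes, window: int, threshold: float) -> list:
    """Offsets of full, non-overlapping windows whose normalized entropy
    exceeds the threshold (a trailing partial window is ignored so the
    0..1 scale stays comparable across windows)."""
    return [off for off in range(0, len(data) - window + 1, window)
            if normalized_entropy(data[off:off + window]) > threshold]


def assess(original: bytes, candidate: bytes,
           window: int = 64, threshold: float = 0.85) -> dict:
    """Whole-file statistics next to the windowed scan for one file."""
    flagged = scan_windows(candidate, window, threshold)
    return {
        "similarity": byte_similarity(original, candidate),
        "whole_file_entropy": normalized_entropy(candidate),
        "windows_flagged": len(flagged),
        "first_flagged_offset": flagged[0] if flagged else None,
        "suspicious": bool(flagged),
    }


def run_demo(seed: int = 7) -> dict:
    """Clean copy, Black Basta small-file layout, and full overwrite."""
    rng = random.Random(seed)   # seeded so the demo is reproducible
    doc = SAMPLE_DOC
    return {
        "clean": assess(doc, doc),
        "intermittent": assess(doc, simulate_intermittent(doc, *SMALL_FILE_PATTERN, rng)),
        "full": assess(doc, simulate_intermittent(doc, len(doc), 0, rng)),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:13s} similarity={result['similarity']:.3f} "
              f"whole-file entropy={result['whole_file_entropy']:.2f} "
              f"windows flagged={result['windows_flagged']}")
```

With the 64/192 layout three quarters of every file is untouched, so a similarity check still sees about 75% identical bytes and whole-file normalized entropy stays near 0.75, both below a naive 0.85-style threshold. The windowed scan, sized to the granularity at which the encryptor works, reports 15 ciphertext-looking windows starting at offset 0. The practical lesson for a detector is to measure entropy over small windows (and the rate of such windows per file) rather than over whole files, and to keep the window no larger than the smallest encrypted block one expects to see.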

BlackCat/ALPHV

BlackCat, also known as ALPHV, is a ransomware developed in the Rust language and offered under a RaaS model. The threat group specialized very early in extortion schemes such as threatening its victims with data leaks or distributed denial of service (DDoS) attacks.

BlackCat ransomware offers its controller several encryption modes, from full encryption to modes that integrate intermittent encryption: it can encrypt only the first N bytes of each file, or encrypt every N bytes and skip X bytes in between.

It also offers a more advanced mode that divides files into blocks of different sizes and encrypts only the first P bytes of each block.

Aside from intermittent encryption, BlackCat also contains logic to run as fast as possible: if the infected computer supports hardware acceleration, the ransomware uses AES (Advanced Encryption Standard) for encryption; if not, it uses the ChaCha20 algorithm, which is fully implemented in software.


How to protect against this threat

It is advised to always keep the operating system and all software running on it up to date and patched, to avoid being compromised through a common vulnerability.

It is also advised to deploy security solutions that try to detect the threat before the ransomware is launched on one or several computers.

Multi-factor authentication should also be deployed wherever possible, so that stolen credentials alone are not enough for an attacker to reach the parts of the network where ransomware could be run.

Awareness should be raised among all users, in particular regarding email, since it is one of the most used infection vectors for ransomware.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
