New encryption tactic speeds up hacking by 2 times

2 weeks ago · 4 comments

Ransomware groups have adopted a new tactic that helps them encrypt their victims' systems faster, while reducing the chances of being detected.

This tactic is called discontinuous encryption and consists of encrypting only part of the target files, for example skipping every 16 bytes of a file, the encryption process takes almost half the time required for full encryption, but locks the contents forever.

Also, since the encryption is intermittent, automatic detection tools that rely on intensive file I/O operations will not be able to detect malicious activity.

SentinelLabs has published a report examining tactics started by LockFile in mid-2021 and already being used by the Black Basta, ALPHV (BlackCat), PLAY, Agenda, and Qyick factions. These groups are actively promoting the discontinuous encryption feature in their RaaS programs.

The Agenda ransomware offers discontinuous encryption as an optional and configurable option. 3 possible partial encryption modes:

The implementation of discontinuous encryption in BlackCat also provides operators with a choice of configuration in the form of different byte skip patterns. For example, malware can:

The recent PLAY ransomware attack on the Argentine judiciary was also carried out using discontinuous encryption. PLAY splits the file into 2, 3 or 5 fragments, depending on the size of the file, and then encrypts each remaining fragment.

Grouping Black Basta encrypts the entire contents of small files up to 704 bytes in size. For files ranging in size from 704 bytes to 4 KB, it encrypts 64 bytes and skips 192 bytes in between. If the file size exceeds 4 KB, Black Basta reduces the size of the intact intervals to 128 bytes, while the size of the encrypted part remains at 64 bytes.

Discontinuous encryption has significant advantages and virtually no disadvantages, so security analysts expect more groups to use this approach in the near future.

The LockBit strain is already a leader in encryption speed. And the discontinuous encryption technique will cut the duration of a LockBit attack to a couple of minutes.

User Reviews

Guest 2 weeks ago

So smart, and so mean.

Guest 2 weeks ago

Some of these encryptors only encrypt the first 4kbytes of a file as well. Might be enough for some databases to fail to recognize a data file, but there's plenty of data types where the program may ignore the encrypted area

Guest 2 weeks ago

Naturally the gangs will adapt to those changes, but data security and integrity is always a game of cat and mouse. Robust file read integrity is just one more tool in data defense.

Guest 2 weeks ago

There will not be much more of cat and mouse, once quantum computers will bcome available.