Ransomware groups have adopted a new tactic that lets them encrypt their victims' systems faster while reducing the chances of being detected.
The tactic is called discontinuous (also intermittent) encryption and consists of encrypting only part of each target file. By skipping, for example, every 16 bytes of a file, the encryption process takes almost half the time required for full encryption, yet still locks the contents for good.
Also, because the encryption is intermittent, automated detection tools that rely on spotting intensive file I/O will not register the malicious activity.
SentinelLabs has published a report examining the tactic, first used by LockFile in mid-2021 and now also employed by Black Basta, ALPHV (BlackCat), PLAY, Agenda, and Qyick. These groups actively advertise discontinuous encryption as a feature of their RaaS programs.
The Agenda ransomware offers discontinuous encryption as an optional, configurable feature with three partial-encryption modes:
- skip-step [skip: N, step: Y]: encrypts every Y MB of the file, skipping N MB in between;
- fast [f: N]: encrypts only the first N MB of the file;
- percent [n: N; p: P]: encrypts every N MB of the file, skipping P MB, where P is P% of the total file size.
BlackCat's implementation of discontinuous encryption likewise gives operators a choice of configuration in the form of different byte-skip patterns. For example, the malware can:
- encrypt only the first bytes of a file;
- follow a dot pattern;
- lock a certain percentage of files;
- run in automatic mode, combining several modes for a more intricate result.
The recent PLAY ransomware attack on the Argentine judiciary was also carried out with discontinuous encryption. PLAY splits each file into 2, 3 or 5 fragments, depending on the file's size, and then encrypts each remaining fragment.
The Black Basta group encrypts the entire contents of small files up to 704 bytes in size. For files between 704 bytes and 4 KB, it encrypts 64 bytes and then skips 192 bytes, repeating this to the end of the file. If the file exceeds 4 KB, Black Basta shrinks the untouched gaps to 128 bytes while the encrypted run stays at 64 bytes.
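To make the size-dependent scheme above concrete from the defender's side, here is an added Python example; it is not code from the SentinelLabs report or from any of the groups named in this article. It computes which byte ranges the described Black Basta pattern would touch for a given file size, then compares a classic whole-file entropy check against a per-window check on a constructed sample file in which those ranges are filled with seeded random bytes standing in for ciphertext (no cipher is involved). The 64-byte window size and the 7.0 and 5.0 entropy thresholds are assumptions chosen for the illustration, not values from the article.

```python
import math
import random
from collections import Counter

# Byte-skip scheme as the article describes it for Black Basta (sizes in bytes).
SMALL_FILE_LIMIT = 704        # files up to this size are encrypted in full
MEDIUM_FILE_LIMIT = 4 * 1024  # 704 B .. 4 KB: 64 encrypted, 192 skipped
ENCRYPTED_RUN = 64
SKIP_MEDIUM = 192
SKIP_LARGE = 128              # above 4 KB the untouched gap shrinks to 128


def interval_pattern(file_size, run, skip):
    """Generic 'encrypt `run` bytes, skip `skip` bytes' pattern.
    Returns the (offset, length) ranges that would be touched."""
    intervals = []
    offset = 0
    while offset < file_size:
        intervals.append((offset, min(run, file_size - offset)))
        offset += run + skip
    return intervals


def black_basta_intervals(file_size):
    """Ranges the article's description of Black Basta would encrypt."""
    if file_size <= SMALL_FILE_LIMIT:
        return [(0, file_size)] if file_size else []
    skip = SKIP_MEDIUM if file_size <= MEDIUM_FILE_LIMIT else SKIP_LARGE
    return interval_pattern(file_size, ENCRYPTED_RUN, skip)


def encrypted_fraction(file_size):
    """Share of the file's bytes that the pattern touches."""
    if file_size == 0:
        return 0.0
    return sum(length for _, length in black_basta_intervals(file_size)) / file_size


def shannon_entropy(data):
    """Bits per byte; 8.0 is the ceiling for a long uniformly random buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def whole_file_alert(data, threshold=7.0):
    """Classic check: flag the file only if its overall entropy looks like ciphertext."""
    return shannon_entropy(data) >= threshold


def chunked_alert(data, chunk=64, threshold=5.0, min_fraction=0.1):
    """Score fixed-size windows instead. A 64-byte window can hold at most
    log2(64) = 6 bits of entropy, so the per-window threshold is scaled down.
    Returns (alert, fraction of windows that look encrypted)."""
    windows = [data[i:i + chunk] for i in range(0, len(data) - chunk + 1, chunk)]
    if not windows:
        return False, 0.0
    high = sum(1 for w in windows if shannon_entropy(w) >= threshold)
    fraction = high / len(windows)
    return fraction >= min_fraction, fraction


def make_fixture(file_size=4096, seed=1234):
    """Constructed test file: low-entropy log text with the Black Basta
    intervals overwritten by seeded random bytes that stand in for ciphertext."""
    plaintext = (b"log line 0001: status=ok\n" * (file_size // 25 + 1))[:file_size]
    rng = random.Random(seed)
    buf = bytearray(plaintext)
    for offset, length in black_basta_intervals(file_size):
        buf[offset:offset + length] = rng.randbytes(length)
    return bytes(buf)


def evaluate(file_size=4096):
    """Run both detectors over the fixture and report what each one sees."""
    sample = make_fixture(file_size)
    alert, fraction = chunked_alert(sample)
    return {
        "encrypted_fraction": encrypted_fraction(file_size),
        "whole_file_entropy": round(shannon_entropy(sample), 2),
        "whole_file_alert": whole_file_alert(sample),
        "chunked_alert": alert,
        "chunked_fraction": fraction,
    }


if __name__ == "__main__":
    for size in (512, 4096, 65536):
        print(size, evaluate(size))
```

On a 4 KB file the pattern touches exactly a quarter of the bytes, so the whole-file entropy stays well under the level a full-file ciphertext check looks for, while the per-window score reports the 25% of windows that were overwritten. The same reasoning applies to the I/O-volume heuristics mentioned earlier: a monitor that measures how much of a file changed should look at the distribution of changed regions, not only the total.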
Discontinuous encryption offers significant advantages and virtually no downsides, so security analysts expect more groups to adopt the approach in the near future.
LockBit already leads the field in encryption speed, and the discontinuous encryption technique would cut the duration of a LockBit attack to a couple of minutes.