Ransomware gangs using clever new technique to dance past security protections

Representational image of a cybercriminal
(Image credit: Pixabay)

Ransomware operators have come up with a new encryption method that makes locking files faster, and less likely to be noticed by antivirus and other cybersecurity solutions, researchers have found.

According to experts from SentinelLabs, a rising number of ransomware operators (including Black Basta, BlackCat, PLAY, and others) have started adopting a process called “intermittent encryption”, encrypting files partially, instead of completely. 

That way, the files are still rendered useless (unless the owners get a decryption key), but the encryption process takes significantly less time, with researchers adding they expect more groups to adopt the technique in the future.

Multiple approaches

Different groups approach intermittent encryption differently. Some will only encrypt the first few bytes of a file. Others will offer multiple choices, leaving it up to the ransomware deployers to decide. Some will break the files into multiple chunks, and encrypt only some of them. But whatever option they choose, they’re all equally dangerous, as this technique also helps them avoid endpoint protection tools, as well. 

As explained by the researchers, when looking for malware, automated detection tools look for intense file IO operations. As intermittent encryption isn’t that intense, it can often fly under the radar.

The only possible downside to the technique is that encrypting files partially might make it easier for the victims to recover them. 

Despite some researchers claiming ransomware’s losing steam, due to businesses deciding not to pay up, and opting for protections and backups instead, some threat actors are still quite active. Only last week, news broke of all schools in Los Angeles suffering such an attack, affecting 26,000 teachers and 600,000 students. It prompted the attention of the White House itself, alerting the Department of Education, the FBI and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).

Via: BleepingComputer

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.