"Strike Force: Why Ransomware Groups Feel the Need for Speed"

The faster cryptocurrency-locking malware can encrypt a victim's files and delete the originals, the less likely the attack will be detected and stopped. Furthermore, the less time it takes to carry out an attack, the more victims a malicious actor can target. According to cybersecurity firm SentinelOne researchers Aleksandar Milenkoski and Jim Walter, there is a new trend on the ransomware scene, which is intermittent encryption, or the partial encryption of victims' files. On the black market, at least two new ransomware variants are currently pitching this feature. The researchers expect more ransomware families to use intermittent encryption in the future. Attacks can move faster when files are only partially encrypted, especially when dealing with large files. Milenkoski discovered that using intermittent encryption for a 50 GB file saved about 2 minutes compared to full file encryption after reverse-engineering how BlackCat ransomware encrypts files. Even with intermittent encryption, the file was sufficiently scrambled to render it unrecoverable without a decryptor or a backup. Intermittent or partial encryption is not a new tactic, as the SentinelOne researchers acknowledge in their study. A Sophos report from September 2021 detailed a new type of ransomware known as LockFile, which encrypts every 16 bytes of a file. Sophos researchers have never seen this approach used before. Even then, the method was not exactly novel. LockBit 2.0, DarkSide, and BlackMatter ransomware, for example, are all known to encrypt only a portion of the files they target. This article continues to discuss ransomware gangs increasingly adopting intermittent or partial encryption to ransom victims faster.

InfoRiskToday reports "Strike Force: Why Ransomware Groups Feel the Need for Speed"