"Ransomware Makes Use of Intermittent Encryption to Bypass Detection Algorithms"

SentinelOne has released a report on intermittent encryption, a new method used by a few ransomware groups. Intermittent encryption encrypts every x bytes in a file rather than encrypting selected files in their entirety. As a result, it enables better evasion on systems that use statistical analysis to detect an ongoing ransomware infection. This type of analysis relies on the intensity of the operating system's file input and output operations, or on the similarity between a known version of a file and a suspected modified version. Since only some bytes in the file are changed, intermittent encryption reduces the intensity of file input/output operations and leads to a much higher similarity between the non-encrypted and encrypted versions of a specific file. Intermittent encryption also has the advantage of encrypting less content while still rendering the system inoperable in a short period of time, making it even more difficult to detect ransomware activity between the time of infection and the time it has encrypted the content. An examination of BlackCat ransomware using various file sizes revealed that intermittent encryption provides significant speed benefits to threat actors. LockFile ransomware was the first malware family to use intermittent encryption, in mid-2021, but the technique is now used by several different ransomware families. Intermittent encryption has also grown in popularity in underground forums, where it is now being advertised to attract more buyers or affiliates. This article continues to discuss the concept of intermittent encryption, which threat groups are using intermittent encryption, and how to combat this threat.
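The following detection sketch is an added example, not code from the SentinelOne report or the TechRepublic article. It shows why whole-file similarity and whole-file entropy stay unremarkable when only stripes of a file change, and how per-window entropy compared against a baseline copy exposes those stripes. The window size, threshold, stripe layout, and sample data are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def byte_similarity(a: bytes, b: bytes) -> float:
    """Whole-file check: fraction of offsets holding the same byte."""
    return sum(x == y for x, y in zip(a, b)) / max(len(a), len(b), 1)

def high_entropy_windows(data: bytes, window: int = 1024, threshold: float = 7.5):
    """Offsets of full windows whose entropy exceeds the threshold."""
    return [off for off in range(0, len(data) - window + 1, window)
            if shannon_entropy(data[off:off + window]) > threshold]

def newly_random_windows(baseline: bytes, suspect: bytes, window: int = 1024):
    """Windows that are high-entropy in the suspect copy but not in the baseline."""
    before = set(high_entropy_windows(baseline, window))
    return [off for off in high_entropy_windows(suspect, window) if off not in before]

def build_samples(size: int = 64 * 1024, stripe: int = 1024, period: int = 8192):
    """Constructed data: a text-like buffer and a copy in which one stripe per
    period is replaced by random bytes, standing in for encrypted regions."""
    rng = random.Random(1)  # fixed seed so the result is reproducible
    line = b"2022-09-01 12:00:00 INFO service heartbeat ok\n"
    baseline = (line * (size // len(line) + 1))[:size]
    suspect = bytearray(baseline)
    for off in range(0, size, period):
        suspect[off:off + stripe] = bytes(rng.getrandbits(8) for _ in range(stripe))
    return baseline, bytes(suspect)

def analyze():
    baseline, suspect = build_samples()
    return {
        "similarity": byte_similarity(baseline, suspect),      # stays high
        "whole_file_entropy": shannon_entropy(suspect),        # stays below threshold
        "flagged_offsets": newly_random_windows(baseline, suspect),
    }

if __name__ == "__main__":
    for key, value in analyze().items():
        print(key, value)
```

Comparing against a baseline copy keeps files that are legitimately compressed or encrypted from being flagged, since their windows are already high-entropy before any change.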

TechRepublic reports "Ransomware Makes Use of Intermittent Encryption to Bypass Detection Algorithms"

Submitted by Anonymous on