
Ransomware uses intermittent encryption to bypass detection algorithms


Ransomware Attacks Show Private File Encryption Screen
Image: Adobe Stock

Most cybercriminals carrying out ransomware operations do not go unnoticed. Not only are they investigated by security companies and law enforcement, but their malware is also scrutinized heavily: how it is technically spread, and how it runs and operates on an infected computer.

A new report from SentinelOne describes a technique deployed by several ransomware groups, observed in the wild recently and known as “intermittent encryption”.

What is intermittent encryption?

The term can be confusing, so it is important to clarify it right away: intermittent encryption does not mean encrypting only a selection of files in full, but encrypting only some of the bytes within each file.

According to the researchers, intermittent encryption allows better evasion on systems that use statistical analysis to detect an ongoing ransomware infection. That kind of analysis relies either on the intensity of the operating system’s file input/output (I/O) operations or on the similarity between the known version of a file and the suspected modified version. Intermittent encryption lowers the intensity of file I/O and leaves the encrypted version far more similar to the unencrypted one, since only some of the file’s bytes are changed.

Intermittent encryption also has the benefit of encrypting less content while still rendering the system unusable, and doing so in a very short time frame, which makes it even harder to detect the ransomware activity between the moment of infection and the moment the content has been encrypted.

A study of the BlackCat ransomware against different file sizes suggests that intermittent encryption gives threat actors significant speed benefits.

Historically, LockFile ransomware was the first malware family to use intermittent encryption, in mid-2021, but several other ransomware families are using it now.


What threat groups are using intermittent encryption?

It is also worth noting that intermittent encryption is becoming more and more popular on underground forums, where it is now advertised to attract more buyers or affiliates.

Qyick ransomware

SentinelOne researchers report that they saw an advertisement for a new commercial ransomware called Qyick on a popular Dark Web crime forum. The advertiser, who goes by lucrostm, had previously been seen selling other software such as a remote access tool (RAT) and a malware downloader, and is now selling Qyick for prices ranging from 0.2 Bitcoin (BTC) to around 1.5 BTC depending on the options the buyer wants. One of the guarantees lucrostm provides is that if a binary of the ransomware family is detected by security solutions within six months of purchase, a large discount of 60 to 80% will be given on a new, undetected ransomware sample.

The ransomware is written in the Go language, which, according to the developer, makes it faster, in addition to its use of intermittent encryption (Figure A).

Figure A

Advertisement for Qyick ransomware on an underground cybercrime forum. Image: SentinelOne

Qyick is still a ransomware in development. While it has no data exfiltration capabilities right now, future versions will allow its controller to execute arbitrary code, which is intended primarily for that purpose.

PLAY Ransomware

This ransomware was first seen at the end of June 2022. It uses intermittent encryption based on the size of the file being processed: it encrypts chunks of 0x100000 bytes (1,048,576 bytes in decimal, i.e. 1 MB) and encrypts two, three or five such chunks, depending on the file size.

Agenda ransomware

This ransomware is another piece of software written in the Go language. It supports several intermittent encryption modes that the controller can configure.

The first option, called “skip-step”, lets an attacker encrypt every X MB (megabytes) of a file while skipping a specified number of MB. The second option, named “fast”, encrypts only the first N MB of the file. The last option, “percent”, encrypts only a percentage of the file.

Black Basta ransomware

This ransomware has been operating as ransomware-as-a-service (RaaS) since April 2022. It is written in C++, and its operators have used double extortion with it, threatening to leak stolen data if victims do not pay the ransom.

Black Basta’s intermittent encryption encrypts 64 bytes and then skips 192 bytes if the file is smaller than 4 KB. If the file is larger than 4 KB, the ransomware still encrypts 64 bytes at a time but skips 128 bytes instead of 192.

BlackCat / ALPHV

BlackCat, also known as ALPHV, is a ransomware developed in the Rust language and operated as a RaaS. The threat group specialized very early in extortion schemes such as threatening victims with data leaks or Distributed Denial of Service (DDoS) attacks.

BlackCat ransomware offers its controller several encryption modes, ranging from full encryption to built-in intermittent encryption modes: it can encrypt only the first N bytes of a file, or encrypt every N bytes while skipping X bytes in between.

It also has more advanced modes, such as splitting the file into chunks of varying size and encrypting only the first P bytes of each chunk.
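The following Python script is an added illustration, not code from the article or from the SentinelOne report, of the two detection signals the article says intermittent encryption weakens: file I/O volume and similarity to the known-good version of a file. It lays out the byte patterns described above (Black Basta’s 64-bytes-on/192-bytes-off pattern, the “first N bytes” mode of Agenda and BlackCat, and full encryption as a baseline) over a constructed 4 KB text buffer. Random bytes from os.urandom stand in for ciphertext; no cipher is involved, and every function and constant name (every_n_skip_x, first_n, suspicious_windows, SAMPLE_TEXT) is an assumption of this example.

```python
"""Why a whole-file similarity check misses intermittent encryption, and what a
chunk-level check sees instead.  Constructed example: random bytes stand in
for ciphertext, no cipher is used, all names are this example's own."""
import os

# Constructed low-entropy "document": 4096 bytes of repeated ASCII text.
SAMPLE_TEXT = (b"Quarterly report: revenue, costs and headcount by region. " * 80)[:4096]


def every_n_skip_x(size, n, x):
    """Byte ranges touched by an 'encrypt n bytes, skip x bytes' pattern
    (the skip-based modes the article describes for Black Basta and BlackCat)."""
    ranges = []
    pos = 0
    while pos < size:
        end = min(pos + n, size)
        ranges.append((pos, end))
        pos = end + x
    return ranges


def first_n(size, n):
    """Byte range touched by an 'encrypt only the first n bytes' pattern
    (Agenda's 'fast' mode and BlackCat's head-only mode)."""
    return [(0, min(n, size))]


def overwrite(original, ranges):
    """Return a copy of `original` with each range replaced by random bytes,
    a stand-in for ciphertext that changes only the touched positions."""
    buf = bytearray(original)
    for start, end in ranges:
        buf[start:end] = os.urandom(end - start)
    return bytes(buf)


def bytes_written(ranges):
    """Write volume the pattern generates: the I/O-intensity signal."""
    return sum(end - start for start, end in ranges)


def similarity(a, b):
    """Fraction of byte positions that are identical (whole-file similarity)."""
    return sum(x == y for x, y in zip(a, b)) / len(a)


def suspicious_windows(original, modified, window=64, min_similarity=0.5):
    """Chunk-level check: count aligned windows whose similarity to the
    known-good version falls below min_similarity.  An overwritten 64-byte
    window matches about 0.4% of positions by chance, so it is flagged;
    an untouched window scores exactly 1.0."""
    flagged = 0
    for i in range(0, len(original) - window + 1, window):
        if similarity(original[i:i + window], modified[i:i + window]) < min_similarity:
            flagged += 1
    return flagged


def compare_patterns(original=SAMPLE_TEXT):
    """Apply three patterns to the sample and report both signals for each:
    full encryption, 64 on / 192 off, and first 1024 bytes only."""
    size = len(original)
    results = {}
    for name, ranges in (
        ("full", every_n_skip_x(size, size, 0)),
        ("every64_skip192", every_n_skip_x(size, 64, 192)),
        ("first1024", first_n(size, 1024)),
    ):
        modified = overwrite(original, ranges)
        results[name] = {
            "bytes_written": bytes_written(ranges),
            "whole_file_similarity": round(similarity(original, modified), 3),
            "flagged_windows": suspicious_windows(original, modified),
        }
    return results


if __name__ == "__main__":
    for name, r in compare_patterns().items():
        print(name, r)
```

Both intermittent patterns write a quarter of the bytes that full encryption does and leave the file about 75% identical to the original, which is exactly why a detector keyed on write volume or whole-file similarity tends to stay quiet. The same files fail a chunk-level comparison immediately: 16 of the 64 aligned windows have essentially nothing in common with the known-good version, so a detector that compares files chunk by chunk rather than as a whole is the natural counter to this technique.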

In addition to intermittent encryption, BlackCat also contains logic to maximize speed: if the infected computer supports hardware acceleration, the ransomware uses AES (Advanced Encryption Standard) for encryption. Otherwise, it uses the ChaCha20 algorithm, implemented entirely in software.


How to protect from this threat

You should always keep your operating system and all software running on it up to date and patched, to avoid being compromised through a known vulnerability.

It is also recommended to deploy security solutions that try to detect the threat before the ransomware is launched on one or several computers.

Multi-factor authentication should also be implemented wherever possible, so that an attacker cannot simply use stolen credentials to reach the part of the network where the ransomware would be run.

Awareness should be raised among all users, especially regarding email, as it is one of the most common ransomware infection vectors.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.


