What is intermittent encryption and why do attackers use it?

Authored by NMU

In today's digital landscape, data security is of paramount importance. One of the many tools used to secure data is encryption, a process of converting information into an unreadable format to prevent unauthorized access. But what if we take this a step further? Enter intermittent encryption.

What is intermittent encryption?

Intermittent encryption, as the name suggests, is a process in which data encryption occurs at irregular intervals. It’s a data security technique where data is sporadically encrypted and decrypted as it travels across a network.

It refers to a method utilised by ransomware that doesn't encrypt the entirety of each file. Instead, it selectively encrypts segments of each file, often blocks of a uniform size, or merely the initial portions of targeted files.

Why do attackers use intermittent encryption?

The surge in intermittent-encryption ransomware incidents can be attributed to its major advantage: enhanced encryption speed.

Encrypting an entire enterprise's files can be time-consuming, and security tools are progressively more adept at identifying ongoing cyberattacks. By targeting only a portion of the company's data, intermittent-encryption ransomware can affect a larger number of files in a shorter duration.

The increasing ubiquity of this form of ransomware is also due to the support of the ransomware-as-a-service (RaaS) sector. This service allows cybercriminals to bypass the complexities of malware coding by simply subscribing to an existing partial encryption ransomware variant. Consequently, the victim count of intermittent encryption ransomware has escalated into hundreds, encompassing sectors such as finance, higher education, and healthcare, causing firms to potentially incur losses amounting to hundreds of thousands of dollars.

Attackers use intermittent encryption as a cloak of invisibility, a means to blend in, and a method to bypass traditional security systems. It's a technique that underlines the ever-evolving complexity of cyber threats and the need for continual advancements in cybersecurity measures. For cyber-criminals, it has significant advantages and fundamentally no downsides, which is why more ransomware gangs are adopting this approach.
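Added example, not part of the original article: because only some blocks are encrypted, a randomness check over the whole file is diluted by the untouched plaintext, whereas a per-block check still exposes the pattern. The block size, threshold and sample data below are assumptions constructed for illustration.

```python
import math
import random
from collections import Counter

BLOCK = 4096   # analysis block size in bytes (assumption, tune per environment)
HIGH = 7.5     # bits/byte above which a block looks encrypted or compressed (assumption)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def block_profile(data: bytes, block: int = BLOCK) -> list:
    """One bool per full block: True if that block's entropy exceeds HIGH.
    A trailing partial block is ignored because short samples skew the estimate."""
    return [shannon_entropy(data[i:i + block]) > HIGH
            for i in range(0, len(data) - block + 1, block)]

def classify(data: bytes) -> str:
    """'low' = no high-entropy blocks, 'high' = all blocks high-entropy,
    'mixed' = some of each, the layout partial encryption leaves behind."""
    profile = block_profile(data)
    if not any(profile):
        return "low"
    return "high" if all(profile) else "mixed"

def constructed_sample(n_blocks: int = 16, stride: int = 0) -> bytes:
    """Constructed test data: repeated CSV text, with every `stride`-th block
    replaced by pseudo-random bytes to stand in for ciphertext (0 = none)."""
    rng = random.Random(0)  # fixed seed so the sample is reproducible
    line = b"2023-04-01,invoice,ACME Ltd,1042.50,GBP,paid\n"
    text = (line * (BLOCK // len(line) + 1))[:BLOCK]
    blocks = []
    for i in range(n_blocks):
        if stride and i % stride == 0:
            blocks.append(bytes(rng.getrandbits(8) for _ in range(BLOCK)))
        else:
            blocks.append(text)
    return b"".join(blocks)

if __name__ == "__main__":
    for label, stride in (("untouched", 0), ("every 4th block", 4), ("every block", 1)):
        data = constructed_sample(stride=stride)
        print(f"{label:16} whole-file={shannon_entropy(data):.2f} "
              f"per-block={classify(data)}")
```

A "mixed" result is a triage signal rather than a verdict, since container formats with embedded compressed streams also produce it.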

What are some of the main intermittent-encryption variants?

BlackCat

BlackCat, a product of the notable and sophisticated ALPHV ransomware gang, stands out for its early adoption of the Rust programming language.

It provides various encryption modes and incorporates coding that allows it to adjust the speed of its attack based on the capabilities of the infected device.  

Lockfile

Lockfile has been operational since at least July 2021, though it could have been active even longer due to its ability to evade detection.

As a product of the LockBit ransomware gang, Lockfile primarily targets Microsoft Windows systems with known vulnerabilities. It uses Windows Management Instrumentation (WMI) to identify and terminate significant virtual machine processes, aiding in the file encryption process.

This cunning approach makes the malware processes appear to originate from the system itself, thereby increasing the chances of the attack remaining unnoticed.

Agenda

The Agenda ransomware is notable for its multitude of adjustable parameters, such as its modes of intermittent encryption. It's built with the Rust programming language and includes three distinct partial encryption methods. It primarily focuses on the IT and manufacturing sectors but has also targeted critical sectors such as healthcare and education.

The Rust language is becoming more popular among threat actors as it is more difficult to analyze and has a lower detection rate by antivirus engines.

Evil Corp

Evil Corp is a global network engaged in cybercrime that employs destructive software to illegally extract money from its victims' banking accounts and orchestrate ransomware assaults. It is widely viewed as the most significant and damaging cyber hacking organisation in existence.

The Evil Corp organisation is known for utilising custom strains of malware, such as JabberZeus, Bugat and Dridex to steal banking credentials from both businesses and consumers.

How businesses can mitigate the risk of intermittent-encryption ransomware

Guarding against the unpredictable nature of intermittent-encryption ransomware requires a comprehensive strategy. As it's a complex threat, the approach to combating it should be multi-dimensional.

Ensuring endpoint security products are optimized to differentiate between legitimate and malicious activities is crucial.

Equally important is the establishment of a defense-in-depth strategy, and a strong cybersecurity culture throughout the organization, to stay ahead of ransomware's constant evolution.

Five strategies which could be considered

  • Regular data backups: One of the most effective ways to reduce the damage from an attack is consistent data backups, ideally stored on media that is disconnected from the network, encrypted, and tested for recovery integrity at least every six months. Whether you use traditional on-premises storage or cloud-based storage, ensuring these locations are immune to ransomware is important. Remember, ransomware can lurk in systems for weeks, infecting both backups and primary data sources.
  • System updates and patches: Keeping your software, operating system, and security tools updated is essential to avoid being vulnerable to newly discovered exploits.
  • Employee education: Regular training for employees can help them identify phishing scams, maintain strong password hygiene, and adopt safer online habits. Despite advancements in technology, human error is still a primary entry point for cyberattacks.
  • Trustworthy software use: Invest in high-quality anti-virus, anti-malware, and endpoint monitoring tools that can identify and neutralize ransomware threats.
  • Incident response plan: No cybersecurity measures are foolproof. Even with stringent precautions, a ransomware attack may occur. This makes it crucial to have a well-structured incident response plan, which includes procedures for incident reporting, isolating compromised devices, and restoring critical systems.

Cyber security only goes so far

Our cyber insurance solution goes further  

What’s best for businesses of every size – small, medium, and blue-chip – is to plan for every eventuality, even a dreaded data breach. Any form of attack, though, could significantly impact a company, both financially and operationally, which is when cyber insurance could prove invaluable.

Our own product provides businesses with a simple, robust solution for a range of first-party and third-party risks related to cyber-attacks, all backed by strong breach response and restorative support services.

An introduction to Decoding Cyber

We hope you agree on the importance of learning more about the world of cyber and its risks. To this end, we’ve created Decoding Cyber, an education tool designed to help brokers talk to their clients about cyber risks and coverage with confidence.  

By continuing to supply brokers with insightful thought-leadership and engaging content, we can help increase awareness of the cyber threats that businesses face and increase cyber resilience within our industry and beyond.

"Cyber criminals don’t discriminate between the size of the business, or sometimes even the industry, but what they do is target an organisation’s defences, or lack of defences, and unfortunately the defences of an SME’s can be weaker than the defences of a larger company due to the size of their IT security budget. Therefore, the importance of a fit for purpose cyber insurance policy is vital to protect an SME."

Matt Drinkwater, NMU Cyber and Financial Lines Underwriting Manager
