Intermittent encryption: The latest advance in the ransomware arms race
Network attackers and defenders have been facing off against each other for decades, in what has long been described as an “arms race” between the two. This description of their incremental efforts to gain technological advantage has got to be one of the oldest and well-used metaphors in the security lexicon by now. But it’s as relevant today as it was 15 years ago. If anything, the rate of innovation is actually accelerating.
That’s certainly a key takeaway from new research on the “intermittent encryption” techniques currently being advertised to ransomware affiliates. But is it enough to give the bad guys a lasting advantage? As long as security vendors continue to innovate in protection, detection, and response, there’s no reason why it should.
What is intermittent encryption?
The new technique outlined in this research is designed to achieve two things:
- Encrypt at speed, in order to scramble all of a victim organization’s files before they have a chance to detect and stop an attack
- Bypass current detection methods by reducing the intensity of file IO operations — that is, the similarity between a known version of a file unaffected by ransomware, and one suspected to have been modified and encrypted
Intermittent encryption helps to achieve the former because files are only partially encrypted. Thus, the ransomware still causes “irretrievable damage” but in an even shorter timeframe. LockFile variant was apparently one of the first to use this technique, encrypting every other 16 bytes of a file. A study of 10 discrete ransomware types earlier this year found that network defenders have on average just 43 minutes to mitigate attacks once encryption has begun.
Intermittent encryption helps to bypass detection because it disrupts the statistical analysis techniques used by many current security tools. These look for the intense file IO operations which partial encryption helps to minimize, making it harder to spot a modified file from one unaffected by ransomware.
The bad news is that these techniques have been detected in a growing number of variants, including: Qyick, Agenda, BlackCat (ALPHV), PLAY, and Black Basta. As it’s said to be relatively easily to implement, it could well become the norm among ransomware operators.
Breaches keep coming
Intermittent encryption isn’t the only example of technological innovation in ransomware. A recent report revealed threat actors exploiting vulnerabilities in popular VoIP software to access a targeted corporate network. While vulnerability exploitation in ransomware is nothing new — in fact, it’s a top three initial access vector, along with phishing and RDP attacks — it is a sign that threat actors are increasingly prepared to scour the attack surface for any potential security gaps they can find.
Other examples include targeting of network-attached storage (NAS) devices such as those produced by Taiwanese manufacturer QNAP. Popular among SMBs and consumers, these NAS boxes were recently patched by the vendor, but customers didn’t follow suit quickly enough. Researchers detected a recent 674% increase in devices infected by the Deadbolt ransomware as a result.
The ransomware threat will therefore continue to evolve in unexpected ways as threat actors look for new ways to deceive defenders and current security tooling. Most recently big-name organizations such as Texas-based OakBend Medical Center, Bell Canada and New York emergency responder Empress EMS. The threat is also expanding increasingly into the nation-state arena, with recent U.S. indictments of and sanctions on Iranian actors thought to be linked to Tehran. Critically, these individuals are accused of carrying out not only geopolitical attacks on other nation-states but also financially motivated raids on private businesses — ranging from accounting practices to regional utilities and housing providers.
Getting back on the front foot
It is the job of the security vendor community to continue monitoring these trends, anticipate where new threats may come from and update their products to neutralize any advantage attackers may gain. But their customers must also stay alert and be proactive in their security posture. That means layering up defenses to mitigate ransomware across those three key attack vectors. This will involve putting in place best practice security controls such as:
- Advanced anti-phishing capabilities, including AI-based detection
- User education and awareness programs
- Web application firewalls (WAFs) to shield data
- An automated, risk-based patching program
- Threat detection and response across multiple layers (XDR)
- Firewalls and other protection for IoT and OT environments
- Regular backups, including one offline copy
- Regularly tested incident response plans
SMBs should also consider adopting a Zero Trust approach to security to help mitigate the impact of ransomware. Key components include least privilege policies, network segmentation, multi-factor authentication and continuous monitoring. The ransomware arms race may not be winnable. But there’s plenty that security bosses can do to minimize cyber risk across their organization.