Intermittent encryption gaining traction in ransomware

BleepingComputer reports that intermittent encryption has been increasingly implemented by ransomware gangs in a bid to accelerate system encryption while curbing the odds of detection. While intermittent encryption, which involves encrypting selected portions of targeted files' content, was initiated by the LockFile ransomware operation in mid-2021, such an encryption technique has also been used by the ALPHV, PLAY, Black Basta, Agenda, and Qyick ransomware groups, a SentinelLabs report revealed. Intermittent encryption has been touted by the aforementioned ransomware operations, with Qyick promoting its "unmatched" speed. Meanwhile, such a feature is only optional in Agenda ransomware, which is offering three potential partial encryption modes, researchers found. Configuration choices are also being offered by ALHPV's intermittent encryption implementation but PLAY ransomware breaks files into chunks based on their file sizes. On the other hand, Black Basta's strain encrypts files based on their size, with only those smaller than 704 bytes being encrypted in their entirety.