To shrink the window in which anti-virus software and other protective measures can react, some ransomware variants no longer encrypt files completely and can therefore finish their work before they are detected. Partial (intermittent) encryption is the latest move in the cat-and-mouse game between ransomware authors and security tool vendors.
Less time, greater chance of success
Security researchers at SentinelLabs observed this new approach. Instead of encrypting an entire file, the malware encrypts only every other 16-byte block of it. This shortens the time the malware has to be active on a computer. Although far less of the file is encrypted, victims still cannot open it, because the encrypted blocks are spread across the whole file (header included), and they still need the key, which the criminals hand over only for a ransom.
At the same time, the interval in which a virus scanner can react shrinks. Fewer disk writes are needed, too. Some anti-ransomware tools watch exactly this I/O pattern to spot suspicious behaviour, so such protective measures may never trigger.
Popular approach
The researchers state that LockFile, in mid-2021, was the first ransomware they saw using this tactic. Other ransomware developers have since adopted it: the encryptors Agenda, BlackCat and Black Basta, among others, are reported to work this way.
In their analysis the researchers found that BlackCat even offers several encryption modes. Besides full encryption of a file, it can encrypt fixed-size byte blocks at intervals, as described, or only the file header. An auto mode chooses between these modes at run time. On top of that, the malware developers are said to keep tuning their encryption routines for speed.
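The modes described above (full, header-only, fixed byte blocks at intervals, and an automatic switch) and the reduced write volume they imply can be simulated in a few lines. The following is an added example, not code from SentinelLabs or from any ransomware family: the keystream is a SHA-256 counter-mode stand-in for a real cipher, the sample "document" with its `%PDF-1.7` header is constructed inline, and the size rule in `auto_ranges` is an assumption chosen for illustration. It measures, per mode, how many bytes the encryptor has to write, whether a naive whole-file entropy alarm would fire, and whether the file header survives:

```python
"""Simulate intermittent-encryption modes and what a naive whole-file
entropy heuristic sees afterwards. Added example; the keystream is a
SHA-256 counter-mode stand-in, not any ransomware family's cipher."""
import hashlib
import math
from collections import Counter

BLOCK = 16  # granularity reported for LockFile (every other 16 bytes)


def keystream(key: bytes, nbytes: int) -> bytes:
    """Deterministic pseudo-random bytes (SHA-256 in counter mode).
    Stand-in for a real stream cipher; it only needs to look random here."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:nbytes])


def pattern_ranges(n: int, enc: int, skip: int) -> list[tuple[int, int]]:
    """Ranges for 'encrypt `enc` bytes, skip `skip` bytes, repeat'."""
    return [(start, min(enc, n - start)) for start in range(0, n, enc + skip)]


def head_only_ranges(n: int, head: int) -> list[tuple[int, int]]:
    return [(0, min(head, n))]


def full_ranges(n: int) -> list[tuple[int, int]]:
    return [(0, n)]


def auto_ranges(n: int, small: int = 1024) -> list[tuple[int, int]]:
    """Illustrative size switch (an assumption, not a documented family rule):
    fully encrypt small files, alternate 16-byte blocks for larger ones."""
    return full_ranges(n) if n <= small else pattern_ranges(n, BLOCK, BLOCK)


def encrypt_ranges(data: bytes, key: bytes, ranges) -> tuple[bytes, int]:
    """XOR the keystream into the selected ranges only.
    Returns (output, bytes_written); the latter is the I/O the
    encryptor actually has to perform."""
    buf = bytearray(data)
    ks = keystream(key, len(data))
    written = 0
    for start, length in ranges:
        for i in range(start, start + length):
            buf[i] ^= ks[i]
        written += length
    return bytes(buf), written


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte, 0.0 .. 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def naive_entropy_alert(buf: bytes, threshold: float = 7.5) -> bool:
    """The kind of whole-file check that partial encryption is meant to dodge."""
    return shannon_entropy(buf) >= threshold


MAGIC = b"%PDF-1.7\n"  # constructed header so we can test 'does it still open'


def build_sample(size: int = 4096) -> bytes:
    """Constructed low-entropy 'document': a magic header plus repeated text."""
    text = (b"Intermittent encryption touches only part of each file, "
            b"but the file is unusable all the same. ")
    body = (text * (size // len(text) + 1))[: size - len(MAGIC)]
    return MAGIC + body


def run_mode(name: str, data: bytes, key: bytes, ranges) -> dict:
    out, written = encrypt_ranges(data, key, ranges)
    return {
        "mode": name,
        "bytes_written": written,
        "entropy": round(shannon_entropy(out), 2),
        "naive_alert": naive_entropy_alert(out),
        "header_intact": out.startswith(MAGIC),
    }


def compare_modes(data: bytes, key: bytes = b"example-key") -> dict[str, dict]:
    n = len(data)
    modes = {
        "full": full_ranges(n),
        "head_only_256": head_only_ranges(n, 256),
        "alternate_16": pattern_ranges(n, BLOCK, BLOCK),
        "encrypt_64_skip_192": pattern_ranges(n, 64, 192),
        "auto": auto_ranges(n),
    }
    return {name: run_mode(name, data, key, r) for name, r in modes.items()}


if __name__ == "__main__":
    for row in compare_modes(build_sample()).values():
        print(row)
```

Running it shows why the trick works: only the full mode pushes whole-file entropy past the alarm threshold, the alternating and header-only modes write between a sixteenth and a half of the data, yet every mode destroys the header, so the file is just as unusable. A detector that only samples total entropy or total write volume after the fact therefore needs a different signal, such as a before/after comparison of the file's own bytes rather than a single aggregate number.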