Over the years, the groups that attack companies with ransomware have evolved their techniques, introducing double and triple extortion to make it more likely that the ransom is paid even when technicians can quickly restore systems from backups. Countermeasures have also become more effective over time, and the most advanced solutions available today can identify attempts to encrypt files, blocking them at the first sign and thus preventing the infection from spreading to the entire infrastructure.
However, attackers are using a new technique to disguise their activities: intermittent encryption.

Veeam raises the alarm: watch out for intermittent encryption
Veeam researchers have discovered a new tactic used by cybercriminals: intermittent encryption. The concept is very simple. Because file encryption is a demanding operation that puts the infrastructure's computing resources under strain, it is relatively easy to identify an attempted ransomware attack even just by analyzing sudden CPU load peaks. Once an attack is detected, the company's technicians can promptly block it, greatly reducing the damage.
The criminals have therefore devised a new method that does not encrypt all the data but only certain parts of the files, also using fileless attacks (i.e. without downloading anything to the disks of the compromised computer) to reduce the risk of interception. In doing so, they keep processor utilization low, which makes detection more difficult, while still causing serious damage: encrypting only a portion of a file is enough to make it unrecoverable unless you have the key.
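An added example, not from the article or from Veeam: because partial encryption leaves most of a file untouched, a whole-file entropy average can stay unremarkable, while a per-block scan exposes isolated high-entropy regions. The block size, threshold, function names and sample data are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096        # analysis block size in bytes (assumed)
THRESHOLD = 7.5     # bits/byte treated as "looks encrypted" (assumed)

def entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def assess(data: bytes, block: int = BLOCK, threshold: float = THRESHOLD) -> dict:
    """Score each block and classify the file by where high entropy appears."""
    scores = [entropy(data[i:i + block]) for i in range(0, len(data), block)]
    high = [i for i, s in enumerate(scores) if s >= threshold]
    if not high:
        verdict = "clean"
    elif len(high) == len(scores):
        verdict = "uniformly-high"   # compressed or fully encrypted content
    else:
        verdict = "mixed"            # high-entropy islands inside ordinary data
    return {"whole_file": entropy(data), "high_blocks": high, "verdict": verdict}

def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler standing in for encrypted blocks."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def build_sample(blocks: int = 16, every: int = 4) -> bytes:
    """Constructed sample: log text with every `every`-th block replaced."""
    line = b"2024-01-01 12:00:00 INFO service heartbeat ok\n"
    plain = (line * (blocks * BLOCK // len(line) + 1))[:blocks * BLOCK]
    buf = bytearray(plain)
    for b in range(0, blocks, every):
        buf[b * BLOCK:(b + 1) * BLOCK] = pseudo_random(BLOCK, b"sample-%d" % b)
    return bytes(buf)

if __name__ == "__main__":
    report = assess(build_sample())
    print(f"whole-file entropy: {report['whole_file']:.2f} bits/byte")
    print(f"high-entropy blocks: {report['high_blocks']} -> {report['verdict']}")
```

A "mixed" verdict is only a hint: container formats with embedded compressed streams produce the same pattern, so baseline by file type before alerting on it.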
The best protection remains prevention
As Veeam experts point out, ransomware today is a real industry, with various criminal groups handling different aspects: some look for victims, some find ways to access and compromise the systems, and some manage the negotiations with the victims. They often use multiple types of attack simultaneously to maximize the chance of success.
The best way to protect yourself, according to Veeam (and not only Veeam), is all in all simple: regularly update and patch services and applications. Most attacks succeed precisely because they leverage known but not yet patched vulnerabilities. It is simple in words but not so easy in practice, both because the most complex infrastructures include thousands of services and because in some cases restarting a server to update it would interrupt operations.
It is therefore essential to also have a sound backup strategy, such as 3-2-1, which calls for three backup copies of the data on at least two different media, one of which is off-site.
