Ransomware's Sneaky New Trick: Intermittent Encryption Is Here
- By Winston Thomas
- May 14, 2024
Ransomware is the digital gift that keeps on giving (and taking). Its power comes from its simplicity: anyone with a dash of malice can launch an attack, because the technique relies on social engineering rather than technical sophistication.
“Anyone with malicious intent can now easily deploy ransomware,” warns Asaf Hecht, security research director at CyberArk Labs. “People are often too quick to click and install things on their computers.”
The proliferation of Ransomware-as-a-Service (RaaS) on the Dark Web, complete with victim profiling and help desks for bad actors, has only exacerbated the problem. The COVID-19 pandemic further fueled the ransomware explosion as companies rushed to digitize and embrace remote work, leaving them vulnerable to targeted attacks.
If only the ransomware story stopped here. But like everything else in cybersecurity, ransomware has had a major upgrade.
The changing face of ransomware
While the end goal (cold, hard cash or ethereal cryptocurrencies) hasn't changed, the methods have.
Ransomware-as-a-Service (RaaS) now comes with a side of victim profiling, letting attackers zero in on high-value prey. And backups? They're not the safety net they used to be.
"Sometimes the backup is done once a week, or even once a day," says Hecht. He offered an example where an S&P 500 company can't afford to have a one-hour gap in information. "This is why the organization also paid."
Yes, backup software and techniques have improved over time, as has the detection of mass encryption activity. Companies are also triangulating individual behaviors to spot users who are acting strangely or under duress, so they can stop any activity that smells like denial of availability through encryption.
As companies beef up their defenses, ransomware gangs are getting creative. It's no longer just about locking you out of your data—what’s called denial of access.
They now frequently employ a combination of encryption and data exfiltration, threatening to release stolen data publicly if the ransom is not paid—often called denial of confidentiality.
Even more insidious is the rise of intermittent encryption. Instead of encrypting a whole file, this technique encrypts only parts of it, typically in uniform blocks at regular intervals. That is enough to make the file unusable, but it writes far less data than full encryption and so does not trip anti-ransomware measures tuned to mass encryption.
Since only parts of each file are touched, the attacks finish quickly and fly under the radar of traditional security tools.
That’s a major headache as it renders many security teams blind.
Flying with the White Phoenix
CyberArk's open-source tool, White Phoenix, offers a glimmer of hope.
It analyzes files hit by intermittent encryption and attempts to recover the original data using various algorithms and techniques. Depending on the file type, size, and encryption method used by the ransomware, it could potentially restore some of the file content. The Python source code is available on GitHub and at getmyfileback.com.
So why open source? Hecht takes an altruistic tone, saying that the primary intent is not profit but helping organizations deal with intermittent encryption. By open-sourcing the tool, CyberArk also hopes to foster collaboration so that other companies can use it more effectively and evolve it as bad actors innovate further.
White Phoenix isn't a cure-all. It is limited to specific file types and has been tested against BlackCat/ALPHV, Play, Qilin/Agenda, BianLian, and DarkBit ransomware. The tool supports recovering data from files in formats like PDF, Word, Excel, PowerPoint, and Zip.
It works best when only a small portion of the file is encrypted, because it relies on finding unencrypted fragments that can be extracted and concatenated to recover the original data.
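The two ideas in this section, intermittent encryption leaving a file as alternating encrypted and intact blocks, and recovery depending on carving out the intact fragments, can be illustrated with per-block entropy. The following is an added example, not White Phoenix's code; the block size, threshold and sample bytes are constructed assumptions, and the "ciphertext" is simply deterministic high-entropy filler, no real encryption is performed.

```python
import hashlib
import math
from collections import Counter

BLOCK = 512   # assumed analysis block size in bytes
HIGH = 7.0    # bits per byte; uniformly random bytes score about 7.6 at this block size

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def block_flags(data: bytes, block: int = BLOCK, high: float = HIGH) -> list:
    """One flag per block: True when the block's entropy looks like ciphertext."""
    return [shannon_entropy(data[i:i + block]) >= high for i in range(0, len(data), block)]

def classify(data: bytes, block: int = BLOCK, high: float = HIGH) -> str:
    """'plain' (no ciphertext-like blocks), 'full' (all of them) or 'intermittent' (a mix).
    Caveat: already-compressed formats such as Zip are high-entropy when healthy,
    so pair this with a format-aware check before raising an alert."""
    flags = block_flags(data, block, high)
    if not any(flags):
        return "plain"
    if all(flags):
        return "full"
    return "intermittent"

def plaintext_fragments(data: bytes, block: int = BLOCK, high: float = HIGH) -> list:
    """(offset, bytes) for every block that still looks unencrypted: the raw material
    a recovery tool concatenates when it carves readable content out of a damaged file."""
    flags = block_flags(data, block, high)
    return [(i * block, data[i * block:(i + 1) * block]) for i, f in enumerate(flags) if not f]

# --- constructed sample data: no ransomware sample is used here ---
def _random_like(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes that stand in for ciphertext."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

TEXT_BLOCK = b"Quarterly report: revenue up, costs flat, headcount steady. "
TEXT_BLOCK = (TEXT_BLOCK * (BLOCK // len(TEXT_BLOCK) + 1))[:BLOCK]
# Every other 512-byte block replaced by ciphertext-like bytes: the intermittent pattern.
SAMPLE_INTERMITTENT = b"".join(_random_like(BLOCK, bytes([i])) if i % 2 else TEXT_BLOCK for i in range(8))
SAMPLE_PLAIN = TEXT_BLOCK * 8

if __name__ == "__main__":
    print(classify(SAMPLE_PLAIN), classify(SAMPLE_INTERMITTENT))
    print(len(plaintext_fragments(SAMPLE_INTERMITTENT)), "recoverable blocks")
```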
Of course, ransomware creators will find new techniques or create new methods that make things harder for White Phoenix in its current form.
However, as Hecht notes, even as that happens, tools like White Phoenix offer a fighting chance in the ongoing battle against this relentless threat. That counts in a ransomware landscape already co-opting AI into its arsenal.
Winston Thomas
Winston Thomas is the editor-in-chief of CDOTrends. He likes to piece together the weird and wondering tech puzzle for readers and identify groundbreaking business models led by tech while waiting for the singularity.