Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection

The article documents a rising ransomware trend called intermittent encryption, in which attackers encrypt only parts of each file to shorten the encryption phase of an attack and to evade detection. It reviews several families adopting this approach (Qyick, Agenda, BlackCat/ALPHV, PLAY, Black Basta) and outlines their encryption modes and extortion tactics.

Keypoints

  • Intermittent encryption is a technique used to encrypt only portions of files to speed up attacks and reduce detection by security tools.
  • LockFile was one of the first major ransomware families to use intermittent encryption in mid-2021, encrypting every other 16 bytes of a file.
  • Recent reviewed families featuring intermittent encryption include Qyick, Agenda, BlackCat (ALPHV), PLAY, and Black Basta.
  • Qyick is Go-based, sold as a one-time purchase (0.2–1.5 BTC) with a discount if detected within 6 months.
  • Agenda targets healthcare and education in Africa/Asia and offers configurable encryption modes like skip-step, percent, and fast.
  • BlackCat (ALPHV) is a Rust-based RaaS with multiple encryption modes (Full, HeadOnly, DotPattern, SmartPattern, AdvancedSmartPattern, Auto) and uses AES with hardware acceleration or ChaCha20 in software.
  • PLAY and Black Basta apply chunk-based intermittent encryption, with PLAY encrypting 0x100000-byte chunks and Black Basta varying patterns by file size, often resulting in visibly mixed encrypted/unencrypted content.
  • BlackCat/ALPHV employs extortion tactics including data leaks and DDoS threats; Black Basta operates a double-extortion model and advertises data exfiltration on Basta News.
  • The article concludes intermittent encryption is practical and likely to be adopted by more families, with SentinelOne Singularity capable of detecting these samples.
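As an added defender-side example (not code from the article or from SentinelOne), the Python below flags the mixed high/low entropy layout that chunk-based intermittent encryption leaves behind, the "visibly mixed encrypted/unencrypted content" noted above. The window size, entropy thresholds and the constructed sample file are assumptions for illustration.

```python
import math
import os
from typing import List

WINDOW = 4096        # bytes per entropy window (assumed scan granularity)
HIGH_ENTROPY = 7.5   # bits/byte; ciphertext and compressed data sit near 8.0
LOW_ENTROPY = 6.0    # bits/byte; text, code and most structured data sit well below this

def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of buf in bits per byte (0.0 for an empty buffer)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def entropy_profile(data: bytes, window: int = WINDOW) -> List[float]:
    """Entropy of each consecutive window of the file, in file order."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]

def classify(data: bytes, window: int = WINDOW) -> str:
    """Return 'plain', 'high_entropy' or 'partially_encrypted'.

    A profile that alternates between near-random windows and low-entropy
    windows is the footprint of intermittent (chunk-based) encryption.  A file
    that is high entropy throughout may be fully encrypted or simply compressed,
    so it is reported as 'high_entropy' rather than judged on its own.
    """
    profile = entropy_profile(data, window)
    if not profile:
        return "plain"
    high = sum(1 for e in profile if e >= HIGH_ENTROPY)
    low = sum(1 for e in profile if e <= LOW_ENTROPY)
    if high == len(profile):
        return "high_entropy"
    if high and low:
        return "partially_encrypted"
    return "plain"

def sample_file(chunk: int = 0x10000) -> bytes:
    """Constructed sample: low-entropy text with every other chunk replaced by
    random bytes, mimicking the layout left by chunk-based intermittent encryption."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 6000)[:chunk * 4]
    out = bytearray(text)
    for start in range(0, len(out), chunk * 2):
        out[start:start + chunk] = os.urandom(chunk)
    return bytes(out)
```

Pair the verdict with a file-type check (magic bytes, known archive or media extensions) before alerting, since legitimately compressed formats are uniformly high entropy and only the mixed profile is specific to partial encryption.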

MITRE Techniques

  • [T1486] Data Encrypted for Impact – Intermittent encryption is used to encrypt portions of files to cause impact while aiding evasion. Quote: “…encrypting every other 16 bytes of a file.”
  • [T1041] Exfiltration – BlackCat/ALPHV extortion includes leaking exfiltrated data online and threatening disclosure. Quote: “leaking exfiltrated data online as well as intimidating employees and customers…”
  • [T1499] Endpoint Denial of Service – The attackers threaten DDoS attacks as part of extortion. Quote: “threatening victims with DDoS attacks.”

Indicators of Compromise

  • [SHA1] Ransomware sample hashes – Agenda: 5f99214d68883e91f586e85d8db96deda5ca54af; BlackCat: 8917af3878fa49fe4ec930230b881ff0ae8d19c9; and 2 more hashes

Read more: https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/