Ransomware makes use of intermittent encryption to bypass detection algorithms (Security News, September 2022)
A study of BlackCat ransomware using different file sizes revealed that intermittent encryption brings significant speed benefits to threat actors.
LockFile ransomware was the first malware family to use intermittent encryption, in mid-2021, but several other ransomware families now use it.
The ransomware is written in Go, which, according to the developer, speeds it up, in addition to the use of intermittent encryption.
Black Basta's intermittent encryption encrypts every 64 bytes and skips 192 bytes, if the file size is less than 4KB. If the file is greater than 4KB, the ransomware encrypts every 64 bytes but skips 128 bytes instead of 192.
BlackCat ransomware offers several different encryption modes to its controller, from full encryption to modes integrating intermittent encryption: it offers the ability to encrypt only the first N bytes of files, or to encrypt only every N bytes and jump X bytes in between.
Aside from intermittent encryption, BlackCat also contains logic to speed up encryption as much as possible: if the infected computer supports hardware acceleration, the ransomware uses AES for encryption.
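A defender-side illustration of the encrypt-N/skip-X patterns described above, added here and not taken from the original article: whole-file entropy stays low on partially encrypted files, while entropy over aligned 64-byte windows exposes the regular stride. The sample data is constructed (random bytes stand in for ciphertext); whole-file entropy as the detection heuristic, the 5.2-bit window cut-off and a pattern starting at offset 0 are assumptions.

```python
import math
import random
from collections import Counter

# Constructed plaintext: one log line (31 distinct byte values) repeated.
LINE = b"2022-09-12 10:15:01 INFO backup job finished with 0 errors\n"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def make_sample(size: int, chunk: int, skip: int, seed: int = 1) -> bytes:
    """Constructed test data: random bytes stand in for ciphertext in every
    `chunk` bytes, followed by `skip` untouched bytes (assumed to start at 0)."""
    rng = random.Random(seed)
    buf = bytearray((LINE * (size // len(LINE) + 1))[:size])
    for off in range(0, size - chunk + 1, chunk + skip):
        buf[off:off + chunk] = bytes(rng.getrandbits(8) for _ in range(chunk))
    return bytes(buf)

def high_windows(data: bytes, window: int = 64, threshold: float = 5.2) -> list:
    """Indices of aligned windows whose entropy looks random.
    A 64-byte window tops out at 6 bits; 5.2 is an illustrative cut-off."""
    return [i for i in range(len(data) // window)
            if shannon_entropy(data[i * window:(i + 1) * window]) >= threshold]

def detect_stride(data: bytes, window: int = 64, threshold: float = 5.2):
    """Return the byte distance between random-looking windows if they repeat
    at one constant interval (needs at least three hits), else None."""
    idx = high_windows(data, window, threshold)
    gaps = {b - a for a, b in zip(idx, idx[1:])}
    return gaps.pop() * window if len(idx) >= 3 and len(gaps) == 1 else None

if __name__ == "__main__":
    # The two Black Basta cases from the text: 64/192 below 4KB, 64/128 above.
    for label, size, chunk, skip in [("<4KB", 2048, 64, 192), (">4KB", 8192, 64, 128)]:
        s = make_sample(size, chunk, skip)
        print(label, "whole-file entropy %.2f" % shannon_entropy(s),
              "stride", detect_stride(s))
```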