12 September 2022

Threat actors adopt new approach to ransomware encryption


Ransomware actors are increasingly using a new method called intermittent encryption, that is, partial encryption of victims’ files, to evade detection and encrypt those files faster. SentinelLabs researchers said they have observed ransomware developers increasingly adopting the feature and advertising the technique to attract new customers.

The researchers explained that intermittent encryption is important for threat actors because it is faster, does irretrievable damage in a very short time frame, and helps the ransomware stay hidden from ransomware detection systems.

LockBit was the first ransomware operation to use intermittent encryption (in mid-2021). Qyick, Agenda, BlackCat (ALPHV), PLAY, and Black Basta ransomware were also observed using this method. A detailed technical analysis of each ransomware family is available in a SentinelLabs report.

“Intermittent encryption is a very useful tool to ransomware operators. This encryption method helps to evade some ransomware detection mechanisms and encrypt victims’ files faster. Given the significant benefits to threat actors while also being practical to implement, we estimate that intermittent encryption will continue to be adopted by more ransomware families,” the researchers concluded.
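A defender-side illustration of why partial encryption can slip past a whole-file check, added here as an example and not taken from the SentinelLabs report. It assumes a detector that scores files by Shannon entropy; the 4096-byte block size, the thresholds and the sample data are constructed for the demonstration.

```python
import math
import random
from collections import Counter

BLOCK = 4096  # analysis window in bytes (assumed value, tune per environment)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def block_entropies(data: bytes, block: int = BLOCK) -> list[float]:
    """Entropy of each fixed-size block, in file order."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]

def looks_partially_encrypted(data: bytes, block: int = BLOCK,
                              high: float = 7.5, low: float = 6.0) -> bool:
    """Flag files that mix near-random blocks with ordinary low-entropy blocks.

    A fully encrypted file has only high blocks and an untouched text file
    has only low blocks; a mix of both is the pattern of interest here.
    """
    ents = block_entropies(data, block)
    return any(e >= high for e in ents) and any(e <= low for e in ents)

def make_sample(encrypted_every: int, blocks: int = 16) -> bytes:
    """Constructed sample: text blocks, every Nth one replaced by random bytes.

    Random bytes stand in for ciphertext; encrypted_every=0 leaves the file clean.
    """
    rng = random.Random(0)  # fixed seed so the sample is reproducible
    text = (b"quarterly report: revenue, costs, forecast. " * 100)[:BLOCK]
    out = []
    for i in range(blocks):
        hit = encrypted_every and i % encrypted_every == 0
        out.append(rng.randbytes(BLOCK) if hit else text)
    return b"".join(out)

if __name__ == "__main__":
    sample = make_sample(encrypted_every=4)
    print("whole-file entropy:", round(shannon_entropy(sample), 2))
    print("per-block entropy :", [round(e, 1) for e in block_entropies(sample)])
    print("partial encryption suspected:", looks_partially_encrypted(sample))
```

Formats that are already compressed have high entropy throughout, so the mixed-block signal is most useful on document and database files.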

