Multiple ransomware groups have been observed using a new tactic to encrypt their victims' systems faster. This new tactic allows attackers to limit the chances of being detected and stopped.

How does it work?

  • The tactic is called intermittent encryption: only parts of each targeted file's content are encrypted. This still leaves the data unusable while drastically reducing the time required for encryption.
  • Because the encryption is partial, automated detection tools that mostly look for signs of trouble in file I/O operations are expected to be useless.
  • Combining intermittent encryption with malware written in Go, a platform-independent language, speeds up the encryption process.
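
For defenders, partial encryption leaves a recognisable trace in the file itself: blocks that look like ciphertext interleaved with untouched blocks, while the whole-file entropy stays unremarkable. The following is an added example, not part of the original article; the block size, threshold, function names and sample data are assumptions, and random bytes stand in for ciphertext.

```python
import math
import random
from collections import Counter

BLOCK = 4096   # analysis window in bytes (assumed value)
HIGH = 7.5     # bits per byte treated as ciphertext-like (assumed threshold)

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def block_profile(data: bytes, block: int = BLOCK) -> list:
    """One flag per full block: True if the block looks like ciphertext.
    A short trailing block is skipped: too few bytes to estimate entropy."""
    return [shannon_entropy(data[i:i + block]) >= HIGH
            for i in range(0, len(data) - block + 1, block)]

def classify(data: bytes) -> str:
    profile = block_profile(data)
    if not profile:
        return "too-small"      # less than one full block to analyse
    if not any(profile):
        return "plain"
    if all(profile):
        return "uniform-high"   # fully encrypted, or compressed
    return "mixed"              # high- and low-entropy blocks interleaved

def make_samples(blocks: int = 16, stride: int = 4):
    """Constructed test data: text, text with every `stride`-th block
    overwritten by random bytes (stand-in for ciphertext), and all-random."""
    rng = random.Random(0)      # fixed seed so results are repeatable
    noise = lambda: bytes(rng.getrandbits(8) for _ in range(BLOCK))
    line = b"2024-01-01 12:00:00 INFO backup job finished ok\n"
    plain = (line * (blocks * BLOCK // len(line) + 1))[:blocks * BLOCK]
    partial = bytearray(plain)
    for b in range(0, blocks, stride):
        partial[b * BLOCK:(b + 1) * BLOCK] = noise()
    full = b"".join(noise() for _ in range(blocks))
    return plain, bytes(partial), full

if __name__ == "__main__":
    for name, data in zip(("plain", "partial", "full"), make_samples()):
        prof = block_profile(data)
        print(f"{name:8} whole-file={shannon_entropy(data):.2f} "
              f"high-blocks={sum(prof)}/{len(prof)} -> {classify(data)}")
```

A "mixed" result is a triage signal rather than proof: file formats that embed compressed streams next to uncompressed data produce the same profile, so it is best combined with other behavioural indicators.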

Who is using this tactic?

According to a published report, the LockFile ransomware group started using this new tactic around mid-2021.
  • The tactic is now also used by the Black Basta, PLAY, Agenda, Qyick, and ALPHV (BlackCat) ransomware gangs.
  • These groups are promoting intermittent encryption to lure potential affiliates into joining their RaaS operations.
  • For example, the Agenda ransomware offers intermittent encryption to its affiliates as an optional and configurable setting. BlackCat ransomware does the same.


Intermittent encryption offers cybercriminals major advantages, so analysts expect that more threat groups may switch to this tactic in the near future. Organizations are therefore advised to invest more in anti-ransomware solutions with behavior-based detection, as well as reliable backups of sensitive information, to reduce the associated risks.
Cyware Publisher