What is intermittent encryption and why do attackers use it?
    In today's digital landscape, data security is of paramount importance. One of the many tools used to secure data is encryption, a process of converting information into an unreadable format to prevent unauthorized access. But what if attackers turn that tool against the data's owner and take it a step further? Enter intermittent encryption.

    What is intermittent encryption?

    Intermittent encryption, as the name suggests, is encryption that is applied to only parts of the data rather than to all of it.

    In the ransomware context it refers to a method in which the malware does not encrypt the entirety of each file but instead selectively encrypts segments of it: often blocks of a uniform size spaced through the file, or merely the initial portion of each targeted file.

    Why do attackers use intermittent encryption?

    The surge in intermittent-encryption ransomware incidents can be attributed to its major advantage: enhanced encryption speed.

    Encrypting an entire enterprise's files can be time-consuming, and with security tools progressively adept at identifying ongoing cyberattacks, intermittent-encryption ransomware can damage a larger number of files in a shorter time by encrypting only a portion of each one.

    The increasing ubiquity of this form of ransomware is also due to the support of the ransomware-as-a-service (RaaS) sector. This service allows cybercriminals to bypass the complexities of malware coding by simply subscribing to an existing partial encryption ransomware variant. Consequently, the victim count of intermittent encryption ransomware has escalated into hundreds, encompassing sectors such as finance, higher education, and healthcare, causing firms to potentially incur losses amounting to hundreds of thousands of dollars.

    Attackers use intermittent encryption as a cloak of invisibility: a means to blend in with normal activity and bypass traditional security systems that look for whole files being encrypted. It is a technique that underlines the ever-evolving complexity of cyber threats and the need for continual advancement in cybersecurity measures. For cyber-criminals it has significant advantages and fundamentally no downsides, which is why more ransomware gangs are adopting this approach.
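    Because only some blocks of a file change, a check on a file's overall entropy can miss the damage described above (uniform-size blocks, or only the initial portion). The per-block entropy scan below is an added example, not code from the original article or from any of the ransomware families it names; the block size, the threshold and the constructed sample documents are assumptions.

```python
import math
import random
from collections import Counter

BLOCK_SIZE = 4096    # scan granularity (assumption; comparable to the block sizes partial encryptors use)
HIGH_ENTROPY = 7.2   # bits per byte; ciphertext and random bytes sit close to the 8.0 maximum

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def block_entropies(data: bytes, block_size: int = BLOCK_SIZE) -> list[float]:
    """Entropy of each fixed-size block, in file order."""
    return [shannon_entropy(data[i:i + block_size]) for i in range(0, len(data), block_size)]

def high_entropy_blocks(data: bytes, block_size: int = BLOCK_SIZE, threshold: float = HIGH_ENTROPY) -> list[int]:
    """Indices of blocks that look encrypted; the pattern (alternating, header-only, ...) is the tell."""
    return [i for i, e in enumerate(block_entropies(data, block_size)) if e >= threshold]

def classify(data: bytes, block_size: int = BLOCK_SIZE, threshold: float = HIGH_ENTROPY) -> str:
    """'clean' if no block looks encrypted, 'full' if every block does, 'partial' if only some do.
    Averaging entropy over the whole file would pull the mixed cases down and could miss them."""
    ents = block_entropies(data, block_size)
    hits = sum(e >= threshold for e in ents)
    if hits == 0:
        return "clean"
    return "full" if hits == len(ents) else "partial"

# Constructed samples: a text-like document plus copies with some blocks overwritten by random
# bytes standing in for ciphertext (nothing is encrypted here; this only imitates the damage).
_rng = random.Random(2024)
DOC = (b"Quarterly report: revenue, costs, headcount.\n" * 100)[:BLOCK_SIZE] * 8  # 8 low-entropy blocks

def overwrite_blocks(data: bytes, indices: list[int], block_size: int = BLOCK_SIZE) -> bytes:
    out = bytearray(data)
    for i in indices:
        out[i * block_size:(i + 1) * block_size] = _rng.randbytes(block_size)
    return bytes(out)

ALTERNATING = overwrite_blocks(DOC, [0, 2, 4, 6])  # uniform-size blocks, every other one hit
HEADER_ONLY = overwrite_blocks(DOC, [0])           # only the initial portion of the file hit
FULL = overwrite_blocks(DOC, list(range(8)))       # conventional whole-file encryption

if __name__ == "__main__":
    for name, sample in (("original", DOC), ("alternating", ALTERNATING), ("header-only", HEADER_ONLY), ("full", FULL)):
        print(f"{name:12s} {classify(sample):8s} whole-file {shannon_entropy(sample):.2f} bits/byte, "
              f"encrypted-looking blocks {high_entropy_blocks(sample)}")
```

    Legitimately compressed or already-encrypted files (archives, images, PDFs) also score high per block, so in practice the verdict is combined with the file's type and whether its expected header is still intact.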

    What are some of the main intermittent-encryption variants?

    The ransomware of the notable and sophisticated ALPHV gang (also known as BlackCat) stands out for its early adoption of the Rust programming language.

    It provides various encryption modes and incorporates code that lets it adjust the speed of its attack to the capabilities of the infected device.

    The group has been operational since at least July 2021, though it may have been active for longer given its ability to evade detection.

    As a product of the LockBit ransomware gang, Lockfile primarily targets Microsoft Windows systems with known vulnerabilities. It uses Windows Management Instrumentation (WMI) to identify and terminate significant virtual machine processes, aiding the file encryption process.

    This cunning approach makes the malware processes appear to originate from the system itself, thereby increasing the chances of the attack remaining unnoticed.

    The Agenda ransomware is notable for its multitude of adjustable parameters, including its modes of intermittent encryption. It is built in the Rust programming language and includes three distinct partial encryption methods. Its operators primarily focus on the IT and manufacturing sectors but have also targeted critical sectors such as healthcare and education.

    Rust language is becoming more popular among threat actors as it is more difficult to analyze and has a lower detection rate by antivirus engines.

    Evil Corp is a global cybercrime network that uses destructive software to illegally extract money from its victims' bank accounts and to orchestrate ransomware attacks. It is widely viewed as the most significant and damaging cyber-criminal organisation in existence.

    The Evil Corp organisation is known for utilising custom strains of malware, such as JabberZeus, Bugat and Dridex to steal banking credentials from both businesses and consumers.

    How businesses can mitigate the risk of intermittent-encryption ransomware

    Guarding against the unpredictable nature of intermittent-encryption ransomware requires a comprehensive strategy. As it's a complex threat, the approach to combating it should be multi-dimensional.

    Ensuring endpoint security products are optimized to differentiate between legitimate and malicious activities is crucial.

    Equally as important is the establishment of a defense-in-depth strategy, and a strong cybersecurity culture throughout the organization, to stay ahead of ransomware's constant evolution.

    Five strategies which could be considered

    • Regular data backups: One of the most effective ways to reduce the damage from an attack is consistent data backups, ideally stored on media which is disconnected from the network, and which are also encrypted and tested for recovery integrity at least every six months. Whether you use traditional on-premises storage or cloud-based storage, ensuring these locations are immune to ransomware is important. Remember, ransomware can lurk in systems for weeks, infecting both backups and primary data sources.
    • System updates and patches: Keeping your software, operating system, and security tools updated is essential to avoid being vulnerable to newly discovered exploits.
    • Employee education: Regular training for employees can help them identify phishing scams, maintain strong password hygiene, and adopt safer online habits. Despite advancements in technology, human error is still a primary entry point for cyberattacks.
    • Trustworthy software use: Invest in high-quality anti-virus, anti-malware, and endpoint monitoring tools that can identify and neutralize ransomware threats.
    • Incident response plan: No cybersecurity measures are foolproof. Even with stringent precautions, a ransomware attack may occur. This makes it crucial to have a well-structured incident response plan, which includes procedures for incident reporting, isolating compromised devices, and restoring critical systems.

    Cyber security only goes so far

    Our cyber insurance solution goes further 

    What’s best for businesses of every size – small, medium, and blue-chip – is to plan for every eventuality, even a dreaded data breach. Any form of attack though could significantly impact a company, both financially and operationally, which is when cyber insurance could prove invaluable. 

    Our own product provides businesses with a simple, robust solution for a range of first party and third-party risks related to cyber-attacks, all backed by strong breach response and restorative support services.

    An introduction to Decoding Cyber

    We hope you agree on the importance of learning more about the world of cyber and its risks. To this end, we’ve created Decoding Cyber, an education tool designed to help brokers talk to their clients about cyber risks and coverage with confidence. 

    By continuing to supply brokers with insightful thought-leadership and engaging content, we can help increase awareness of the cyber threats that businesses face and increase cyber resilience within our industry and beyond.

    Cyber criminals don’t discriminate between the size of the business, or sometimes even the industry, but what they do is target an organisation’s defences, or lack of defences, and unfortunately the defences of an SME can be weaker than the defences of a larger company due to the size of its IT security budget. Therefore, a fit-for-purpose cyber insurance policy is vital to protect an SME.
    Matt Drinkwater
    NMU Cyber and Financial Lines Underwriting Manager

    Get in touch with us

    Businesses looking for more information on cyber insurance should contact their insurance broker.

    Insurance brokers looking for more information about our cyber insurance solution for their clients can contact their local NMU Development Underwriter.


    The information provided in this content is intended for UK insurance brokers acting on behalf of their prospective or existing clients.

    Any description is for general information purposes only and does not constitute an offer to sell or a solicitation of an offer to buy any product. Policyholders who have questions or wish to arrange or amend cover should contact their insurance broker. Insurance brokers can find details of how to contact us here.

    Any descriptions of coverage contained are meant to be general in nature and do not include nor are intended to include all of the actual terms, benefits, and limitations found in an insurance policy. The terms of any specific policy will instead govern that policy. Any guidance for UK insurance brokers is intended to provide general information only, and should not be used as a substitute for legal advice.

    Matt Drinkwater
    Cyber & Financial Lines Underwriting Manager