{
	"id": "5773355d-1f7e-4714-ada2-a3f19dbb9511",
	"created_at": "2026-04-06T00:19:44.044303Z",
	"updated_at": "2026-04-10T03:30:33.022186Z",
	"deleted_at": null,
	"sha1_hash": "1412d8a5221a15e39b57dad5dc9255194acdff84",
	"title": "Crimeware Trends | Ransomware Developers Turn to Intermittent Encryption to Evade Detection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1928593,
	"plain_text": "Crimeware Trends | Ransomware Developers Turn to Intermittent\r\nEncryption to Evade Detection\r\nBy Aleksandar Milenkoski\r\nPublished: 2022-09-08 · Archived: 2026-04-05 19:47:07 UTC\r\nBy Aleksandar Milenkoski \u0026 Jim Walter\r\nWe observe a new trend on the ransomware scene – intermittent encryption, or partial encryption of victims’ files.\r\nThis encryption method helps ransomware operators to evade detection systems and encrypt victims’ files faster.\r\nWe observe that ransomware developers are increasingly adopting the feature and intensively advertising\r\nintermittent encryption to attract buyers or affiliates.\r\nIntermittent encryption is important to ransomware operators from two perspectives:\r\nSpeed: Encryption can be a time-intensive process and time is crucial to ransomware operators – the faster\r\nthey encrypt the victims’ files, the less likely they are to be detected and stopped in the process.\r\nIntermittent encryption does irretrievable damage in a very short time frame.\r\nEvasion: Ransomware detection systems may use statistical analysis to detect ransomware operation. Such\r\nan analysis may evaluate the intensity of file IO operations or the similarity between a known version of a\r\nfile, which has not been affected by ransomware, and a suspected modified, encrypted version of the file.\r\nIn contrast to full encryption, intermittent encryption helps to evade such analyses by exhibiting a\r\nsignificantly lower intensity of file IO operations and much higher similarity between non-encrypted and\r\nencrypted versions of a given file.\r\nIn mid-2021, the LockFile ransomware was one of the first major ransomware families to use intermittent\r\nencryption for evading detection mechanisms, encrypting every other 16 bytes of a file. 
Since then, an increasing\r\nnumber of ransomware operations have joined the trend.\r\nIn this post, we review several recent ransomware families that feature intermittent encryption in an attempt to\r\nevade detection and prevention: Qyick, Agenda, BlackCat (ALPHV), PLAY, and Black Basta.\r\nQyick Ransomware\r\nAt the end of August 2022, we observed a user named lucrostm advertising a new commercial ransomware called\r\nQyick in a popular TOR-based crime forum. We track the same user as an established vendor of other malicious\r\ntools, including remote access tools and malware loaders.\r\nThe Qyick ransomware offering is a one-time purchase, as opposed to the more common subscription model. The\r\nprice ranges from 0.2 BTC to approximately 1.5 BTC, depending on the level of customization the buyer requires.\r\nThe buyer receives a compiled executable with a guarantee: if the ransomware is detected by security software\r\nhttps://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/\r\nPage 1 of 8\n\nwithin 6 months of purchase, the author will provide a new sample with a discount between 60% and 80% of the\r\noriginal price.\r\nQyick is written in Go and features intermittent encryption. lucrostm claims the apparent speed of the Qyick\r\nransomware is achieved through the use of intermittent encryption and the ransomware’s implementation in Go,\r\nhinting at the current trend of intermittent encryption in the ransomware threat scene.\r\n“Notably Qyick features intermittent encryption which is what the cool kids are using as you read this. Combined\r\nwith the fact that is written in go, the speed is unmatched.”\r\nQyick ransomware advertisement\r\nThe exact manner in which Qyick conducts intermittent encryption is open to investigation as samples become\r\navailable.\r\nThe current version of Qyick does not have data exfiltration capabilities. 
However, lucrostm has announced that\r\nfuture versions will feature execution of arbitrary executable code, meant primarily for running data\r\nexfiltration capabilities.\r\nAgenda Ransomware\r\nAgenda ransomware, first spotted in August 2022, is written in Go and has been used primarily to target\r\nhealthcare and education organizations in Africa and Asia. The ransomware has some customization options,\r\nwhich include changing the filename extensions of encrypted files and the list of processes and services to\r\nterminate.\r\nAgenda ransomware supports several encryption modes that the ransomware operator can configure through the\r\nencryption setting. The ‘help’ screen displays the different encryption modes available: skip-step, percent,\r\nand fast.\r\nAgenda ‘Help’ screen, showing the available encryption modes\r\nOur analysis of Agenda revealed the following information about each mode.\r\nEncryption mode | Description\r\nskip-step [skip: N, step: Y] | Encrypt every Y MB of the file, skipping N MB between encrypted portions.\r\nfast [f: N] | Encrypt only the first N MB of the file.\r\npercent [n: N; p: P] | Encrypt every N MB of the file, skipping a number of MB equal to P% of the total file size.\r\nBlackCat (ALPHV), the First Rust Ransomware-As-A-Service\r\nThe BlackCat (or ALPHV) ransomware came to prominence in late 2021 and is the first known ransomware to be\r\nwritten in the Rust programming language. 
The developers behind BlackCat were first spotted advertising it\r\nin early December 2021 on a Russian underground forum.\r\nThe original ALPHV/BlackCat forum post\r\nThe ALPHV threat group runs a ransomware-as-a-service (RaaS) program and shares ransom payments with\r\naffiliates. ALPHV uses bulletproof hosting for its web sites and a Bitcoin mixer to anonymize transactions.\r\nThe ALPHV threat group is an early adopter of extortion schemes such as threatening victims with DDoS attacks,\r\nleaking exfiltrated data online, and intimidating employees and customers of victim organizations should\r\nthey not pay the ransom. Major organizations and businesses have been targeted by the BlackCat ransomware\r\nglobally. For example, in September 2022, the BlackCat ransomware targeted Italy’s state-owned energy services\r\nfirm GSE.\r\nALPHV Collections: A searchable database of exfiltrated victims’ data\r\nSentinelLabs researcher Aleksandar Milenkoski has reverse-engineered BlackCat ransomware samples and\r\noutlined the different encryption modes that BlackCat supports, the majority of which implement intermittent\r\nencryption. The table below lists these encryption modes.\r\nEncryption mode | Description\r\nFull | Encrypt all file content.\r\nHeadOnly [N] | Encrypt only the first N bytes of the file.\r\nDotPattern [N,Y] | Encrypt N bytes of the file at every step of Y bytes.\r\nSmartPattern [N,P] | Encrypt the first N bytes of the file. BlackCat divides the rest of the file into equal-sized blocks, each 10% of the remainder in size, and encrypts P% of the bytes of each block.\r\nAdvancedSmartPattern [N,P,B] | Encrypt the first N bytes of the file. BlackCat divides the rest of the file into B equal-sized blocks and encrypts P% of the bytes of each block.\r\nAuto | Combinatory file encryption mode. BlackCat encrypts the file according to one of Full, DotPattern [N,Y], or AdvancedSmartPattern [N,P,B], selecting and parametrizing the mode based on the filename extension and the size of the file.\r\n
An evaluation study subjecting files of varying sizes (50 MB, 500 MB, 5 GB, and 50 GB) to the BlackCat\r\nransomware revealed that using intermittent encryption can be of significant benefit to threat actors. For example,\r\nin contrast to full encryption, encrypting files using the Auto file encryption mode resulted in noticeably reduced\r\nwallclock processing time starting at 5 GB file size (8.65 seconds) and a maximum reduction in wallclock\r\nprocessing time of 1.95 minutes at 50 GB file size. Wallclock processing time is the total wallclock time (in\r\nseconds) that the ransomware spends on processing a file, which includes reading, encrypting, and writing file\r\ncontent. The full results of this study will be presented at the Virus Bulletin Conference 2022 (VB2022).\r\nWe also note that BlackCat includes some internal logic for maximizing encryption speed. The ransomware\r\nencrypts files using the Advanced Encryption Standard (AES) algorithm if the victim’s platform\r\nimplements AES hardware acceleration. If not, the ransomware falls back to the ChaCha20 algorithm, which is\r\nimplemented entirely in software.\r\nPLAY Ransomware\r\nPLAY ransomware is a new entrant in the ransomware scene and was first spotted at the end of June 2022. 
The\r\nransomware has recently victimized high-profile targets, such as the Court of Córdoba in Argentina in August\r\n2022. PLAY’s ransom note consists of a single word – PLAY – and a contact email address.\r\nA PLAY ransomware ransom note\r\nIn contrast to Agenda and BlackCat, PLAY ransomware does not feature encryption modes that can be configured\r\nby the operator. PLAY orchestrates intermittent encryption based on the size of the file under encryption,\r\nencrypting chunks (file portions) of 0x100000 bytes (1 MB). For example, previous research states that under certain\r\nconditions, the PLAY ransomware encrypts:\r\n2 chunks, if the file size is less than or equal to 0x3fffffff bytes (just under 1 GB);\r\n3 chunks, if the file size is less than or equal to 0x27fffffff bytes (just under 10 GB);\r\n5 chunks, if the file size is greater than 0x280000000 bytes (10 GB).\r\nIn our analysis, we observed that a sample encrypted every other 0x100000-byte chunk until the end of the file.\r\nThe file consisted only of null characters, which effectively makes the encrypted and non-encrypted chunks\r\nvisually distinguishable.\r\nPartial content of a file encrypted by PLAY\r\nBlack Basta Ransomware\r\nBlack Basta is a RaaS program that emerged in April 2022 with ransomware samples dating back to February\r\n2022. Current intelligence indicates that Black Basta emerged from the crumbled ashes of the Conti operation.\r\nThe ransomware is written in the C++ programming language and supports Windows and Linux operating\r\nsystems. 
Black Basta operators use a double-extortion scheme, threatening victim organizations with leaking\r\nexfiltrated data on the threat group’s TOR-based web site Basta News should the victims not pay the ransom.\r\nBlack Basta is rapidly gaining ground on the ransomware scene and targets major organizations globally – the\r\nransomware operation reported more than 20 victim organizations on Basta News within the first two weeks of its\r\nexistence. Targeting, especially early on, was primarily focused on the utilities, technology, financial, and\r\nmanufacturing industries. For example, the major German building materials manufacturer Knauf suffered an\r\nattack conducted by Black Basta affiliates at the end of June 2022.\r\nThe Basta News web site\r\nLike PLAY ransomware, Black Basta does not feature encryption modes that can be configured by the\r\nransomware operator, but orchestrates intermittent encryption based on the size of the file under encryption. Black\r\nBasta encrypts:\r\nall file content, if the file size is less than 704 bytes;\r\nevery 64 bytes, starting from the beginning of the file, skipping 192 bytes, if the file size is less than 4 KB (one quarter of the file);\r\nevery 64 bytes, starting from the beginning of the file, skipping 128 bytes, if the file size is greater than 4\r\nKB (one third of the file).\r\nOur analysis showed that for a file with a size greater than 4 KB, the Black Basta ransomware encrypted 64-byte\r\nportions with an interval of 128 bytes between each, until the end of the file. 
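The following is an added example written for this page; it is not code from the SentinelOne post, nor from Black Basta or any other family discussed here. It models the size-dependent layout described above as a list of byte ranges, fills those ranges of a null-filled buffer with placeholder pseudo-random bytes in place of the real cipher, and then recovers the 64-byte block and the stride from the result the way an analyst would from a null-filled sample like the one in the screenshot. It also reports the fraction of bytes that change, which is the similarity signal the introduction says intermittent encryption is designed to depress. Treating a file of exactly 4 KB as the large-file case is an assumption; the post only states 'less than' and 'greater than' 4 KB. The entropy threshold and window size are likewise assumptions chosen for null-filled input.

```python
# Added example for this page (not code from the SentinelOne post or from
# Black Basta itself). Models the size-dependent layout the post describes,
# fills those ranges with placeholder PRNG bytes instead of the real cipher,
# and recovers the (block, stride) pattern from the result.
import math
import random
from collections import Counter

BLOCK = 64              # bytes encrypted per run, per the post
SMALL_FILE_LIMIT = 704  # below this the whole file is encrypted
FOUR_KB = 4096          # assumption: exactly 4 KB is treated as the large case


def black_basta_ranges(size):
    '''Byte ranges [(start, end), ...] that the described layout would encrypt.'''
    if size < SMALL_FILE_LIMIT:
        return [(0, size)]
    skip = 192 if size < FOUR_KB else 128
    stride = BLOCK + skip
    return [(off, min(off + BLOCK, size)) for off in range(0, size, stride)]


def simulate(size, seed=1):
    '''Null-filled plaintext with placeholder random bytes in the chosen ranges.'''
    rng = random.Random(seed)
    buf = bytearray(size)
    for start, end in black_basta_ranges(size):
        buf[start:end] = bytes(rng.getrandbits(8) for _ in range(end - start))
    return bytes(buf)


def changed_fraction(original, modified):
    '''Share of bytes that differ: the similarity signal a detector may use.'''
    changed = sum(1 for a, b in zip(original, modified) if a != b)
    return changed / max(len(original), 1)


def shannon_entropy(chunk):
    '''Bits per byte of a chunk; 0.0 for all-null data, near 4.0 for 16 random bytes.'''
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def high_entropy_runs(data, window=16, threshold=3.0):
    '''Coalesce consecutive high-entropy windows into (start, end) runs.'''
    runs = []
    for off in range(0, len(data), window):
        chunk = data[off:off + window]
        if shannon_entropy(chunk) < threshold:
            continue
        if runs and runs[-1][1] == off:
            runs[-1][1] = off + len(chunk)      # extend the current run
        else:
            runs.append([off, off + len(chunk)])
    return [tuple(r) for r in runs]


def infer_pattern(runs):
    '''Most common (run length, distance between run starts), or None.'''
    if len(runs) < 2:
        return None
    lengths = Counter(end - start for start, end in runs)
    strides = Counter(runs[i + 1][0] - runs[i][0] for i in range(len(runs) - 1))
    return lengths.most_common(1)[0][0], strides.most_common(1)[0][0]


def triage(size):
    '''Run the whole pipeline on a simulated file and summarise the findings.'''
    data = simulate(size)
    runs = high_entropy_runs(data)
    return {
        'size': size,
        'changed_fraction': round(changed_fraction(bytes(size), data), 3),
        'runs': len(runs),
        'pattern': infer_pattern(runs),
    }


if __name__ == '__main__':
    for size in (500, 2048, 9216):
        print(triage(size))
```

On a 9216-byte buffer (above 4 KB) the pipeline reports roughly one third of the bytes changed and a (64, 192) pattern; a 2048-byte buffer gives (64, 256); a 500-byte buffer is encrypted whole, so no repeating pattern is found. In real triage the plaintext is rarely all nulls, so the entropy threshold has to be tuned per file type, and compressed or already-encrypted formats will show high entropy everywhere; comparing against a known-good copy, as changed_fraction does, is the more reliable signal when one is available.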
In similar fashion to PLAY\r\nransomware, the file consisted only of null characters, making the encrypted and non-encrypted chunks visually\r\ndistinguishable.\r\nPartial content of a file encrypted by Black Basta\r\nConclusion\r\nIntermittent encryption is a very useful tool to ransomware operators. This encryption method helps to evade some\r\nransomware detection mechanisms and encrypt victims’ files faster. Given the significant benefits to threat actors\r\nwhile also being practical to implement, we estimate that intermittent encryption will continue to be adopted by\r\nmore ransomware families.\r\nRansomware Samples\r\nFamily | SHA1\r\nAgenda | 5f99214d68883e91f586e85d8db96deda5ca54af\r\nBlackCat | 8917af3878fa49fe4ec930230b881ff0ae8d19c9\r\nPLAY | 14177730443c70aefeeda3162b324fdedf9cf9e0\r\nBlack Basta | a996ccd0d58125bf299e89f4c03ff37afdab33fc\r\nSource: https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.sentinelone.com/labs/crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection/"
	],
	"report_names": [
		"crimeware-trends-ransomware-developers-turn-to-intermittent-encryption-to-evade-detection"
	],
	"threat_actors": [
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434784,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1412d8a5221a15e39b57dad5dc9255194acdff84.pdf",
		"text": "https://archive.orkl.eu/1412d8a5221a15e39b57dad5dc9255194acdff84.txt",
		"img": "https://archive.orkl.eu/1412d8a5221a15e39b57dad5dc9255194acdff84.jpg"
	}
}