In a recent incident in Dallas, the City’s security software detected a ransomware attack that affected multiple departments, including 911 dispatchers and the police force. Sensitive data, including personal information of city employees, was stolen and the Royal ransomware group claimed responsibility. This incident, along with past attacks, highlights the growing trend of partial encryption in ransomware attacks.

Partial encryption is a strategy where attackers encrypt only a portion of the victim’s files, either at random or selectively targeting important data. This approach has several advantages for the attackers. First, it is faster and requires fewer resources than encrypting the entire system. By encrypting files quickly and discreetly, attackers can complete the encryption before the victims even notice the intrusion. Second, restoring data from backups becomes more complex when only some files are encrypted. This makes victims more likely to pay the ransom instead of attempting to restore their data. Lastly, partial encryption is less detectable by automated scanners, and compromised systems behave less erratically than completely encrypted systems, resulting in fewer alerts.
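The detection gap described above can be shown from the defender's side. The following is an added example, not code from the article or from any vendor's scanner: it compares a whole-file entropy check with a per-block check on constructed sample data. The 4096-byte block size, the 7.5 bits/byte cutoff and the 0.9 ratio are assumptions chosen for illustration.

```python
import math
import random
from collections import Counter

BLOCK = 4096   # assumed scan granularity in bytes
HIGH = 7.5     # assumed bits/byte cutoff for "looks encrypted"

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def block_profile(data: bytes, block: int = BLOCK) -> list[float]:
    """Entropy of each fixed-size block, in file order."""
    return [entropy(data[i:i + block]) for i in range(0, len(data), block)]

def classify(data: bytes) -> str:
    """Label a file by the share of its blocks that look encrypted."""
    profile = block_profile(data)
    if not profile:
        return "empty"
    ratio = sum(e >= HIGH for e in profile) / len(profile)
    if ratio == 0:
        return "clean"
    return "fully-high-entropy" if ratio >= 0.9 else "partial"

def make_samples() -> dict[str, bytes]:
    """Constructed inputs: a text log, a copy with every 4th block
    overwritten by random bytes (stand-in for ciphertext), and an
    all-random file."""
    rng = random.Random(0)
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    line = b"INFO dispatch queue healthy, unit status ok\n"
    clean = (line * 2000)[:16 * BLOCK]
    partial = bytearray(clean)
    for start in range(0, len(partial), 4 * BLOCK):
        partial[start:start + BLOCK] = noise(BLOCK)
    return {"clean": clean, "partial": bytes(partial), "full": noise(16 * BLOCK)}

if __name__ == "__main__":
    for name, data in make_samples().items():
        print(f"{name:8} whole-file={entropy(data):.2f} "
              f"flagged_whole={entropy(data) >= HIGH} per-block={classify(data)}")
```

The partially overwritten sample stays below the whole-file cutoff but is caught block by block. Compressed and media formats are legitimately high-entropy, so a "partial" result is most meaningful for file types that are normally plain text or structured data.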

The Royal ransomware group, in particular, is known for using a multithreaded model where multiple CPU cores are used to encrypt files simultaneously. This makes the attack more difficult to stop: even if some processes are halted, others will continue encrypting files.

Furthermore, attackers have adopted a “triple extortion” strategy, where they not only hold the encrypted data for ransom but also threaten to sell or release it if the organization does not comply. This strategy adds an additional layer of pressure on victims as they face the risk of data leakage even if they can restore their files from backups.

As ransomware attacks become more sophisticated, organizations need to focus on preventing such attacks rather than relying on paying the ransom. It is crucial to understand the evolving landscape of ransomware attackers, who are no longer the stereotypical criminals in basements but rather large-scale enterprises with talented developers. These attackers often find safe havens in places such as Russia, Asia, and Eastern Europe.

To protect against ransomware attacks, businesses should invest in robust cybersecurity measures, such as regular backups, employee training on email phishing and other attack vectors, and keeping all software and systems up-to-date. By staying vigilant and implementing effective security practices, organizations can minimize the risk of falling victim to partial encryption and other ransomware attacks.

