It seems like every day a news headline announces another company experiencing a ransomware attack. As ransomware becomes more pervasive, it also becomes more destructive, leading to business interruption that impacts customers and supply chains. By understanding how ransomware manages to evade detection, organizations can move towards the only cure for ransomware: prevention.
Understanding the Evasive Nature of Ransomware
Security professionals often use the phrase, “threat actors continuously evolve their methodologies.” Ransomware is an excellent example of what they mean. Threat actors understand how antivirus works and continuously update their code to prevent detection.
Anti-virus Technologies Lack Sophistication
While most organizations use anti-virus as a way to mitigate risk, many anti-virus solutions either fail to detect ransomware or flag too many code types as ransomware. For example, recent research found that anti-virus fails to handle large executables efficiently. In other words, even a small change to the malicious code meant that anti-virus was unable to detect it.
Additionally, research explained that anti-virus tools have a tendency to scan a limited set of resources that ransomware usually impacts, such as CPU/RAM. However, inconsistencies around naming resources meant that the anti-virus failed to detect the malicious code.
Directories and Activities
When ransomware executes, it needs to create a working directory, storing all the malicious code files. Often, the ransomware creates this working directory within subdirectories which makes it difficult to locate on the device.
Once it gains this foothold, it often finds ways to evade both detection and deletion. This is how the ransomware creates the persistence necessary to deploy the attack.
Reverse Engineering of Machine Learning Detectors
Malicious actors can undermine machine learning-based hardware malware detectors (HMDs) by reverse-engineering them. In doing so, the threat actors teach the ransomware how to hide from detection by adding benign features to the malicious code.
Anti-Evasion Techniques Undermine Research
Organizations and security teams often create testing environments, or “sandboxes,” to study ransomware’s traits and characteristics. The goal is to understand how the malicious code works to defend against future attacks.
However, many threat actors recognize this defensive technique and create “context-aware” ransomware variants. According to recent research, these variants can check the authenticity of the environment. This prevents them from executing in these testing environments, limiting researchers ability to understand them.
Evading Detection to Ensure Persistence
While the old school ransomware attacks only encrypted data, modern ransomware attacks also include stealing data and holding it hostage. To steal the data, malicious actors no longer simply want to execute the encryption, they want to hide in systems.
Most modern ransomware attacks incorporate persistence in systems, lying in wait before encrypting data. The MITRE ATT&CK Framework defines persistence as: techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access. Techniques used for persistence include any access, action, or configuration changes that let them maintain their foothold on systems, such as replacing or hijacking legitimate code or adding startup code.
By evading detection, the ransomware can run in the background of users’ computers for as long as they want. This is why organizations need to make sure that they prevent ransomware from entering their systems rather than hoping to detect and quarantine it.
Malicious Content: Hiding in Plain Sight
More often than not, malicious actors use phishing attacks as a way to execute ransomware. According to an article on CSO Online, 94% of malware is delivered by email and phishing attacks account for more than 80% of reported security incidents.
Often, the emails that threat actors use look like normal business emails. Every phishing simulation or training explains the indicators. However, threat actors have become more wily over the last few years.
While some phishing emails include malicious links, many include malicious content. The threat actors embed malicious code into downloadable assets like images, PDFs, and documents. Masquerading as legitimate senders with fake but realistic-looking accounts, the threat actors use a call to action that includes downloading the file. The act of downloading the file and opening it executes the ransomware.
Votiro Secure File Gateway: Positive, Proactive Protection
With Votiro’s Positive Selection® technology, organizations no longer need to worry that ransomware will evade detection. Our Secure File Gateway proactively sanitizes all inbound content, ensuring that it’s ransomware-free. Our solution mitigates business email compromise risk by scanning all files attached and selecting the safe elements. Then, our technology rebuilds the safe content onto a clean template and forwards it to the recipient.
Votiro’s Secure File Gateway sanitizes billions of files per year while ensuring that employees can use their files as intended, without even noticing that we’re there. We select only the safe elements, rather than guessing at the risky ones, which means our reconstructed files always remain usable for their intended purpose.