What is encrypted malware?

Encrypted malware is a type of malicious software that uses encryption to evade detection by security solutions. Malware authors employ encryption to conceal malicious code, prevent analysis, and thwart detection by antivirus software and other cybersecurity defenses.

What is malware?

Malware, short for “malicious software,” refers to programs designed to infect, damage, or gain unauthorized access to computer systems. Malware comes in many forms, including viruses, worms, trojans, ransomware, spyware, adware, and more. Malicious actors create and distribute malware to steal data, extort money, or cause disruption.

What is encryption?

Encryption is the process of encoding data or information in such a way that only authorized parties can access it. Encryption converts plaintext data into ciphertext that appears scrambled and unreadable to unauthorized viewers. Decryption reverses the encryption process to convert the scrambled ciphertext back into readable plaintext. Legitimate reasons to encrypt data include protecting confidentiality and securing sensitive information.

How does encrypted malware work?

Encrypted malware uses cryptographic techniques to conceal its malicious code and prevent analysis or detection. Some ways encrypted malware leverages encryption include:

Encrypting malicious payloads

One of the most common uses of encryption by malware authors is to encrypt the core malicious payload. The payload might contain viruses, worms, trojans, ransomware, or other harmful code. By encrypting this payload, the malware can evade antivirus software or other defenses that rely on inspecting code.
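Encrypted payloads cannot be matched against code signatures, but ciphertext has a tell of its own: near-maximal byte entropy. The following Python is an added defender-side example, not code from the original article; the section names and contents are constructed stand-ins for a binary's layout, and the 7.2 bits/byte threshold is an assumed triage cut-off.

```python
import math
import random
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for one repeated value, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def scan_sections(sections, threshold=7.2):
    """Return (name, entropy, flagged) per section. Entropy above the threshold is typical
    of encrypted or compressed data; plain code and text usually sit well below 6.5."""
    results = []
    for name, blob in sections.items():
        entropy = shannon_entropy(blob)
        results.append((name, round(entropy, 2), entropy >= threshold))
    return results

def high_entropy_windows(data: bytes, window=512, step=256, threshold=7.2):
    """Sliding-window variant: byte offsets where a window crosses the threshold, which
    locates an encrypted blob embedded inside an otherwise low-entropy section."""
    last_start = max(1, len(data) - window + 1)
    return [off for off in range(0, last_start, step)
            if shannon_entropy(data[off:off + window]) >= threshold]

# Constructed stand-ins for a binary's sections; not taken from any real sample.
_rng = random.Random(2024)  # seeded so the stand-in "ciphertext" is reproducible
SAMPLE_SECTIONS = {
    ".text": b"\x55\x48\x89\xe5\x48\x83\xec\x10\x31\xc0\xc9\xc3" * 300,  # repetitive code-like bytes
    ".rdata": b"Copyright (c) constructed example. All rights reserved.\0" * 40,
    ".payload": bytes(_rng.getrandbits(8) for _ in range(4096)),  # stands in for an encrypted payload
}

if __name__ == "__main__":
    for name, entropy, flagged in scan_sections(SAMPLE_SECTIONS):
        print(f"{name:9s} {entropy:5.2f} bits/byte  {'SUSPICIOUS' if flagged else 'ok'}")
    mixed = SAMPLE_SECTIONS[".rdata"] + SAMPLE_SECTIONS[".payload"] + SAMPLE_SECTIONS[".rdata"]
    print("high-entropy windows start at offsets:", high_entropy_windows(mixed))
```

Legitimately compressed resources and installers also score high, so treat a flag as a reason to inspect the sample further, not as a verdict.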

Encrypting communications

Many modern malware variants communicate with command and control servers operated by attackers. Encrypting this communication makes it harder for security solutions to detect suspicious traffic or block malicious commands.

Encrypting malicious scripts

Some malware distributes malicious scripts that get downloaded onto infected computers. Encryption prevents inspection of these scripts, hiding their malicious intent.

Encrypting files and data

Ransomware and other malware may encrypt files or data on compromised systems. Without access to decryption keys, victims cannot recover their files and data.

What are the advantages of encrypted malware?

From the attacker’s perspective, encrypting malware offers several advantages:

Avoids detection

Encryption allows malware to evade antivirus and other signature-based defenses that rely on inspecting code. By encrypting payloads, malware can conceal itself.

Defeats analysis

Encrypted code cannot be analyzed or reverse engineered until it has been decrypted, which slows down security researchers trying to understand how the malware works.

Enables command and control

Encrypted C2 communications allow malware to resist blocking and takeover attempts. The malware can only be controlled with the decryption keys.

Prevents fingerprinting

Each malware sample has a fingerprint or signature that can be used to identify it. Encryption makes fingerprinting malware more difficult.

Facilitates extortion

In the case of ransomware, encryption without the victim having the decryption keys enables extortion of money. Victims must pay the ransom to regain access.

Common types of encrypted malware

Cybercriminals today employ encryption in many types of malware, including:

Encrypted ransomware

Ransomware such as WannaCry and NotPetya uses encryption to hold files and systems hostage until ransom demands are paid. Victims cannot access their data.

Encrypted worms

Worms like Conficker spread encrypted copies of themselves across networks. Encryption prevents security tools from finding and stopping these worms.

Encrypted trojans

Trojans such as njRAT and ZeusVM use encryption to hide malicious payloads and evade detection as they infect systems.

Encrypted spyware

Spyware masquerades as legitimate software but gathers data without permission. Encryption helps spyware conceal data exfiltration and surveillance behavior.

Encrypted viruses

Viruses infect files while remaining undetected. Encryption obscures viruses from antivirus software.

Key challenges of encrypted malware

Encrypted malware poses several unique challenges for cybersecurity:

Evading detection

Traditional signature-based defenses struggle to detect encrypted malware they cannot properly inspect. New methods are needed.

Blocking communications

The encrypted C2 communications used by malware can be difficult to identify as malicious and stop.

Preventing infections

With encrypted viruses and worms, blocking initial infections is key, since encryption prevents analysis after infection.

Recovering encrypted files

Restoring access to encrypted files, especially with ransomware, is challenging without paying ransom demands.

Shutting down botnets

Botnets using encrypted C2 channels are resilient to traditional botnet takedown approaches.

Detection methods for encrypted malware

Security researchers have developed several promising techniques specifically designed to detect encrypted malware:

Behavior-based detection

Looks at a program’s behavior and actions, such as network activity, system calls, and the changes it makes to the system, rather than solely its code. Encryption cannot hide behavioral anomalies.

Analytics and machine learning

Advanced analytics and machine learning algorithms identify patterns, such as communication fingerprints, closely associated with malware.
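One communication fingerprint that survives encryption is timing: a check-in beacon contacts its server at regular intervals regardless of how the payload is encrypted. The Python below is an added example, not code from the original article; the log format, the TEST-NET addresses and the thresholds (six events, coefficient of variation at most 0.15) are all constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

def parse_line(line: str):
    """Parse a constructed connection-log line: '<iso-timestamp> <src> -> <dst:port> <bytes>'."""
    ts, src, _arrow, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)

def beacon_candidates(lines, min_events=6, max_cv=0.15):
    """Group connections by (src, dst) and flag pairs whose inter-connection gaps are
    both frequent and regular: a low coefficient of variation (stdev / mean) is the
    timing signature of a check-in beacon, visible without decrypting the traffic."""
    flows = defaultdict(list)
    for line in lines:
        ts, src, dst, _nbytes = parse_line(line)
        flows[(src, dst)].append(ts)
    findings = []
    for (src, dst), stamps in flows.items():
        if len(stamps) < min_events:
            continue  # not enough observations to judge regularity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "events": len(stamps),
                             "period_s": round(mean, 1), "cv": round(cv, 3)})
    return findings

# Constructed sample log (TEST-NET addresses, no real hosts).
_base = datetime(2024, 1, 15, 9, 0, 0)
def _line(offset_s, src, dst, nbytes):
    return f"{(_base + timedelta(seconds=offset_s)).isoformat()} {src} -> {dst} {nbytes}"

SAMPLE_LOG = (
    # check-in every ~60 s with a few seconds of jitter, same small size each time
    [_line(t, "10.0.0.5", "203.0.113.10:443", 1280) for t in (0, 61, 119, 181, 240, 302, 359, 421)]
    # ordinary browsing from the same host: irregular gaps and sizes
    + [_line(t, "10.0.0.5", "198.51.100.20:443", n)
       for t, n in ((5, 40200), (9, 9100), (130, 77800), (131, 3000), (300, 51000), (1100, 12000), (1900, 8800))]
    # same external host seen only three times: too few events to judge
    + [_line(t, "10.0.0.7", "203.0.113.10:443", 800) for t in (50, 110, 170)]
)

if __name__ == "__main__":
    for hit in beacon_candidates(SAMPLE_LOG):
        print(f"possible beacon {hit['src']} -> {hit['dst']}: {hit['events']} events, "
              f"period ~{hit['period_s']} s, cv={hit['cv']}")
```

Software update checks and monitoring agents also beacon regularly, so pair this with destination reputation and an allow-list of known periodic services before acting on a hit.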

Deception technology

Uses decoys and lures to trick malware into revealing itself. When malware interacts with a decoy, its presence is confirmed.
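The behavior-based and deception approaches above can share one detector, since neither needs to read the content a process writes. This Python is an added example, not code from the original article: the event tuple layout, the decoy paths, and the burst threshold (20 distinct files within 10 seconds) are constructed assumptions, and the sample stream mixes an editor, a slow bulk backup job, and a process renaming files the way file-encrypting ransomware does.

```python
from collections import defaultdict, deque

# Constructed lure files that no legitimate workflow should write to, rename or delete.
DECOY_PATHS = {"/home/alice/docs/~budget_backup.xlsx", "/srv/share/.archive/passwords.txt"}

def detect_ransomware_behavior(events, burst_n=20, window_s=10.0):
    """events: (t_seconds, pid, op, path) tuples with op in {"write", "rename", "delete"}.
    A pid is flagged when it (a) touches a decoy file, or (b) modifies at least burst_n
    distinct files within window_s seconds, the pattern of file-encrypting ransomware.
    Neither check needs to see the content being written, so encryption hides nothing."""
    recent = defaultdict(deque)   # pid -> (t, path) of its recent write/rename events
    alerts = defaultdict(set)
    for t, pid, op, path in sorted(events):
        if path in DECOY_PATHS:
            alerts[pid].add(f"decoy touched: {path}")
        if op in ("write", "rename"):
            window = recent[pid]
            window.append((t, path))
            while window and t - window[0][0] > window_s:
                window.popleft()  # drop events that fell out of the sliding window
            if len({p for _, p in window}) >= burst_n:
                alerts[pid].add(f"burst: >={burst_n} distinct files modified within {window_s:g}s")
    return dict(alerts)

# Constructed event stream: an editor, a backup job, and a ransomware-like process.
SAMPLE_EVENTS = (
    [(10.0 + i * 20, 1001, "write", f"/home/alice/docs/report{i}.docx") for i in range(3)]
    + [(5.0 + i * 5, 3003, "write", f"/backup/daily/file{i}.bak") for i in range(40)]   # bulk but slow
    + [(100.0 + i * 0.2, 2002, "rename", f"/home/alice/docs/file{i}.docx.locked") for i in range(25)]
    + [(105.5, 2002, "write", "/home/alice/docs/~budget_backup.xlsx")]
)

if __name__ == "__main__":
    for pid, reasons in detect_ransomware_behavior(SAMPLE_EVENTS).items():
        print(pid, sorted(reasons))
```

Tune burst_n and window_s against your own file-server and backup baselines; the decoy check needs no tuning, which is why it is the higher-confidence signal of the two.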

Memory forensics

Looks at active malware behavior and code in a computer’s RAM to overcome encryption hiding the code on disk.

Hardware enhancers

Dedicated hardware capabilities offload and accelerate cryptographic operations, making analysis of encrypted malware samples practical at scale.

Combining multiple techniques

Often the most effective approach against advanced malware combines behavioral, analytical, technical, and human-centered cyber defenses.

Examples of encrypted malware

Several infamous pieces of encrypted malware demonstrate the evolution and sophistication of threats using encryption:

Storm Worm botnet

Emerging in 2007, this encrypted botnet lasted for years and distributed massive amounts of spam. Its encrypted C2 communications helped it avoid takedown.

Reveton ransomware

Active around 2012, Reveton pioneered the “ransomware-as-a-service” model still used today. It used encryption to extort money from victims.

Gameover ZeuS banking trojan

Discovered in 2011, this trojan stole banking credentials and financially ruined many victims. Encryption hid its network traffic and payloads.

Locky ransomware

First seen in 2016, Locky ransomware utilized strong encryption coupled with phishing campaigns to extort large ransom payments.

WannaCry ransomware

This 2017 worm-style ransomware attack disrupted global organizations by rapidly spreading infection using potent NSA exploitation tools. Its code and communications were encrypted.

Best practices for combating encrypted malware

Enterprises and individuals can take several steps to improve defenses against encrypted malware:

Implement behavior-based detection

Stop threats based on suspicious behaviors instead of just scanning code. Monitor for unusual network traffic, unauthorized changes, and shady process activities.

Use analytics and machine learning

Unlock the power of advanced analytics and AI to identify sophisticated encrypted malware. Train systems on known threat behaviors.

Leverage deception technology

Deploy decoys and breadcrumbs to detect malware when it interacts with fakes. This quickly confirms malware is present.

Perform rapid memory forensics

Examine RAM for signs of active malware: code that is encrypted on disk must be decrypted in memory to run, so memory holds evidence that the on-disk copy hides. Capture volatile system memory for inspection.

Combine solutions into layers

Blend signature-based, behavior-based, analytical, deception, and memory forensic defenses into a comprehensive detection web.

Keep systems patched and updated

Prevent initial infections by patching vulnerabilities and keeping software updated. Don’t let malware get a foothold.

Develop incident response plans

Have an action plan ready for when malware evades preventative defenses. Include steps like isolating infected systems, eradicating malware, restoring data, and applying lessons learned.

The future of encrypted malware

Looking ahead, several trends suggest encrypted malware threats will continue evolving:

Ransomware innovation

Expect ransomware tactics and technology to grow more sophisticated, utilizing unbreakable encryption, cryptocurrency, and anonymous payment systems.

Increase in evasive malware

Evasion, including encryption, will become standard in malware as authors battle improved detection capabilities powered by AI and machine learning.

Growth of cryptojacking

Malware secretly using victim computers to mine cryptocurrency for profit presents challenges when encryption hides mining payloads and activities.

New attack vectors

Innovative attack strategies like encrypted wireless or edge computing threats may circumvent traditional defensive measures.

Shorter attack lifecycles

Agile development and automation will enable hackers to produce new encrypted malware variants faster than ever.

Conclusion

Encrypted malware represents the next frontier in the ongoing cybersecurity arms race between attackers and defenders. As malware authors increasingly leverage encryption to hide malicious payloads, establish resilient command and control channels, disable defenses, move laterally, and extort victims, organizations must prioritize developing innovative capabilities for detecting and responding to this serious threat. By combining multiple detection approaches, maximizing threat intelligence sharing, automating rapid response, and adapting defenses powered by advanced analytics and machine learning, the cybersecurity community can rise to meet the challenge of encrypted malware. But effort and continued innovation will be required to keep pace with determined, creative adversaries constantly probing defenses. Encrypted malware will likely remain a chief cyber-danger for the foreseeable future.

Type                  Description
Encrypted ransomware  Uses encryption to extort ransom payments by preventing access to files and data
Encrypted trojans     Malicious programs concealed inside benign-looking files, using encryption to hide payloads
Encrypted worms       Self-replicating malware spreading encrypted copies across networks to maximize infection