Which technique does ransomware utilize to avoid malware analysis?

Ransomware is a type of malicious software that encrypts files on a victim’s computer and demands a ransom payment in order to decrypt the files. Ransomware operators are constantly looking for ways to avoid detection by security analysts so they can successfully infect systems and collect ransom payments.

Packing/Obfuscation

One of the most common techniques ransomware uses to avoid analysis is packing or obfuscating the malware code. Packing is a method of compressing executable files in a way that the code cannot be easily understood or reverse engineered. The packed file must first be unpacked before it can run and infect a system. Packing makes the malware appear encrypted or scrambled to security tools trying to analyze it.

Popular packers used by ransomware include UPX, MPRESS, and Themida. These compress and encrypt the malware code to hide the true functions of the program. Packed malware may also utilize anti-debugging and anti-analysis tricks to detect security emulators and sandboxes. This prevents automated analysis tools from unpacking and understanding the code.

In addition to packing, ransomware frequently uses code obfuscation techniques. This makes the code hard to read and follow, obscuring the malware’s true purpose. Common obfuscation methods include obscuring API calls, string encryption, unnecessary jumps and loops, dead code insertion, and more. Like packing, obfuscation is meant to slow down human analysts or defeat automated de-obfuscation tools.
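Because packed code is compressed or encrypted, a quick way to spot it is to measure how random each section of the executable looks and to check the section names that common packers leave behind. The script below is an added example written for this article, not code from any ransomware family or packer vendor. It parses the PE section table directly, computes Shannon entropy per section, and flags sections whose name matches a (deliberately short, illustrative) packer list or whose entropy sits near the 8-bit ceiling. The 7.0 bits/byte cut-off and the two constructed sample files are assumptions chosen for the demonstration.

```python
import math
import random
import struct
from collections import Counter
from dataclasses import dataclass

# Section names that UPX and MPRESS leave behind. Illustrative only; a real triage
# tool carries a much larger, maintained table of packer fingerprints.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".MPRESS1", ".MPRESS2"}
# Compressed or encrypted bytes approach 8 bits of entropy per byte; ordinary code
# and text sit well below this. The cut-off is an assumption for this example.
HIGH_ENTROPY_BITS = 7.0


@dataclass
class Section:
    name: str
    raw_offset: int
    raw_size: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list[Section]:
    """Walk the PE section table and measure the entropy of each section's raw bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_header_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_header_size                    # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        hdr = table + 40 * i                               # IMAGE_SECTION_HEADER is 40 bytes
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)  # SizeOfRawData, PointerToRawData
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append(Section(name, raw_ptr, raw_size, shannon_entropy(data)))
    return sections


def packing_indicators(pe: bytes) -> list[str]:
    """Return human-readable reasons to suspect the file is packed (empty list if none)."""
    findings = []
    for s in parse_sections(pe):
        if s.name in KNOWN_PACKER_SECTIONS:
            findings.append(f"section name {s.name!r} matches a known packer")
        if s.raw_size >= 256 and s.entropy >= HIGH_ENTROPY_BITS:
            findings.append(f"section {s.name!r} has {s.entropy:.2f} bits/byte of entropy")
    return findings


def build_sample(section_name: bytes, payload: bytes) -> bytes:
    """Constructed minimal PE (not a real binary): DOS header, PE signature, COFF header
    with an empty optional header, and a single section whose raw data is `payload`."""
    headers_len = 64 + 4 + 20 + 40
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)              # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)   # i386, one section
    sec = section_name.ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), headers_len, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + sec + payload


# Constructed inputs: a UPX-style section of pseudo-random bytes (what a compressed body
# looks like to an analyst) and a plain .text section holding readable content.
_rng = random.Random(7)
PACKED_SAMPLE = build_sample(b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096)))
PLAIN_SAMPLE = build_sample(b".text", b"mov eax, [ebp+8]; call encrypt_file; ret\n" * 100)

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, packing_indicators(sample) or "no packing indicators")
```

Entropy alone is a heuristic: legitimate installers and resource-heavy binaries also carry high-entropy sections, so in practice the score is combined with the section names, import-table size and the unpacking behaviour observed in a sandbox.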

Example ransomware using packing/obfuscation

  • Cerber – Uses a polymorphic packer to change its signature and avoid detection
  • Locky – Employs obfuscation and anti-analysis tricks to prevent reverse-engineering
  • CryptoWall – Utilizes cryptors and packed executables to hide its code

Targeting Specific Countries/Regions

Some ransomware campaigns purposefully target organizations and users in specific geographic regions. By selectively attacking networks in certain countries, the ransomware is able to avoid detection by defenders in other areas.

For example, ransomware like WannaCry initially targeted systems in Europe and Asia. Because antivirus definitions were not yet updated for this new threat, the malware was able to spread rapidly in these areas. Attackers can monitor which security firms are detecting their malware and shift deployment accordingly.

Language targeting is another regional technique. Ransomware often only includes ransom notes in certain languages like Russian or Chinese. By limiting locales, malware authors avoid drawing attention from international security firms.

Example country-specific ransomware

  • WannaCry – Initially targeted networks in Europe before spreading worldwide
  • Sodinokibi – Mainly targeted organizations in Asia, Europe, and the Middle East
  • JSWorm – Primarily targeted systems with Chinese language settings

Morphing/Retooling Code

Sophisticated ransomware operations continuously modify and retool their code base to create new variants. By re-coding their malware, ransomware developers can generate thousands of sample hashes that avoid existing blacklists.

Polymorphic techniques allow ransomware payloads to be mutated while keeping the core algorithm intact. This morphing creates new executable files that security tools may not detect as malicious. Ransomware can also periodically recompile itself with different encryption keys or file extensions.

These frequent code changes allow ransomware campaigns to continue evading signature-based defenses. Even when particular samples are detected, newly mutated versions sidestep the resulting rules until those rules are updated.

Example polymorphic ransomware

  • GandCrab – Utilized polymorphism to create new variants rapidly
  • Cerber – Employed a polymorphic packer to alter its signature
  • Locky – Followed an aggressive upload and retooling cycle to avoid detection

Exploiting Software Vulnerabilities

Instead of relying entirely on social engineering, some ransomware takes advantage of software security bugs to silently compromise systems. By exploiting vulnerabilities in popular applications, web plugins, and operating systems, ransomware can infect machines without any user interaction.

WannaCry and NotPetya leveraged the EternalBlue SMBv1 vulnerability to spread through networks. Attackers did not need to attach malware to emails or host malicious downloads.

Recently, ransomware has exploited vulnerabilities in VPNs, Office macros, and HTTP file transfer APIs. Bugs like Log4Shell have also granted access for ransomware strains like Khonsari. Zero-day bugs can help ransomware evade antivirus detection since vendors haven’t updated their signatures yet.

Example exploits used by ransomware

  • EternalBlue – Exploited by WannaCry, NotPetya, and other strains
  • VBScript bugs – Used to spread ransomware through Office docs
  • Zimbra and Oracle WebLogic flaws – Recently targeted by ransomware campaigns

Using Legitimate System Tools and Protocols

Instead of using traditional malware files, some ransomware abuses trusted system programs and communication protocols to infect devices. For example, malicious PowerShell scripts can be embedded in emails to download and run a payload from remote servers.

PowerShell is a legitimate tool, so scripts are allowed to pass through defenses. Other examples include using PsExec and Windows Management Instrumentation (WMI) to spread ransomware laterally across a network.

Some ransomware uses HTTPS and other encrypted channels to fetch components or exfiltrate data. Because this mimics normal web traffic, communications can bypass network monitoring and filters looking for anomalies.

Examples of ransomware leveraging trusted tools/protocols

  • PowerShell – Used to download and run malicious code
  • PsExec – Allows lateral movement on networked systems
  • SMB – Propagation method for WannaCry and other strains
  • HTTPS – Encrypted connections to C2 servers

Slow Encryption/Small Key Files

Rather than rapidly encrypting files, some ransomware variants take a slower and stealthier approach, for example encrypting only 1 out of every 10 or 100 files, or spreading the encryption over the course of days or weeks.

This makes the infection more difficult to notice at first. The ransomware can continue communicating with command servers and spreading during this time.

Similarly, some ransomware writes relatively small encryption key files to disk compared to the size of the files being encrypted. This makes detection based on mass file changes more challenging.
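The reason slow encryption works is that most file-activity rules look for a burst: many files turning into ciphertext within a minute. The added example below (written for this article, not taken from any product or ransomware family) runs two rules over constructed file-write telemetry: a classic burst rule and a long-horizon drift rule that compares the number of distinct files that became high-entropy and changed extension over a week against a per-host baseline. The entropy values, the 7.5 bits/byte threshold, the baseline of two such writes per day and the multiplier are all assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FileWrite:
    ts: datetime
    path: str
    entropy: float      # bits/byte of the content after the write (assumed to come from the EDR)
    ext_changed: bool   # the file was also renamed to a new extension


def looks_encrypted(w: FileWrite) -> bool:
    """Ciphertext is near-uniform; a rename to a new extension is the usual companion sign."""
    return w.entropy >= 7.5 and w.ext_changed


def burst_detector(writes, window=timedelta(seconds=60), threshold=50) -> bool:
    """Classic rate rule: `threshold` encrypted-looking writes inside any `window`."""
    stamps = sorted(w.ts for w in writes if looks_encrypted(w))
    lo = 0
    for hi in range(len(stamps)):
        while stamps[hi] - stamps[lo] > window:
            lo += 1
        if hi - lo + 1 >= threshold:
            return True
    return False


def drift_detector(writes, horizon=timedelta(days=7),
                   baseline_per_day=2.0, multiplier=5.0) -> bool:
    """Long-horizon rule: count distinct files that turned into ciphertext over `horizon`
    and compare against a baseline (assumed constants; in practice learned per host)."""
    if not writes:
        return False
    end = max(w.ts for w in writes)
    start = end - horizon
    touched = {w.path for w in writes if w.ts >= start and looks_encrypted(w)}
    expected = baseline_per_day * (horizon / timedelta(days=1))
    return len(touched) > expected * multiplier


def constructed_events():
    """Three constructed telemetry streams: a stealthy strain, a noisy strain, benign use."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    # Stealthy strain: one document every 30 minutes for a week (336 files).
    slow = [FileWrite(base + timedelta(minutes=30 * i), f"/share/docs/report_{i}.docx", 7.9, True)
            for i in range(7 * 48)]
    # Noisy strain: 200 files inside ten seconds.
    fast = [FileWrite(base + timedelta(milliseconds=50 * i), f"/share/docs/file_{i}.xlsx", 7.9, True)
            for i in range(200)]
    # Ordinary activity: a user saving compressed archives (high entropy, no rename).
    benign = [FileWrite(base + timedelta(hours=6 * i), f"/share/backup/archive_{i}.zip", 7.8, False)
              for i in range(28)]
    return slow, fast, benign


if __name__ == "__main__":
    for label, stream in zip(("slow", "fast", "benign"), constructed_events()):
        print(f"{label:6s} burst={burst_detector(stream)} drift={drift_detector(stream)}")
```

The slow stream never trips the burst rule, which is exactly the evasion the section describes, but 336 ciphertext conversions in a week is far above any sane baseline and the drift rule catches it. The cost of the drift rule is latency: it fires days in, so it complements rather than replaces the burst rule.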

Examples of ransomware with slow encryption

  • MegaCortex – Waits days or weeks before activating encryption payload
  • Ryuk – Specifically targets high-value assets and slowly encrypts
  • Scarab – Encrypts approximately 1 in 5 Office files on the system

Lateral Movement Techniques

Instead of relying on a single infected host for ransom payments, sophisticated ransomware leverages lateral movement to spread across networks. This allows the malware to infect a larger number of systems and cause more damage.

Techniques like credential stealing, Pass-the-Hash, and Pass-the-Ticket attacks allow ransomware to pivot between machines the same way human attackers would. Other methods like SMB and RDP brute forcing are automated to break into other networked devices.

This network-based propagation prevents ransomware from being contained to patient zero. Security teams must block lateral avenues to stop infection spread.

Examples of ransomware using lateral movement

  • RobbinHood – Steals domain admin credentials to spread across networks
  • REvil – Automated brute forcing of RDP and SMB to move laterally
  • WannaCry – Scans internal networks for open SMB shares to infect

Ransomware-as-a-Service (RaaS)

Many ransomware operators offer their malware through a Ransomware-as-a-Service (RaaS) model. This allows “affiliates” to distribute the ransomware payload in return for a percentage of profits.

By crowdsourcing deployments, RaaS developers gain more attack vectors without additional work. For defenders, this means facing diverse senders delivering the same core ransomware.

Popular RaaS families like REvil let affiliates customize the ransom demands, languages, target countries, and more. This polymorphic behavior creates numerous new variants.

Major ransomware offered via RaaS

  • REvil – RaaS model pays affiliates up to 70 or 80% of ransom profits
  • Ryuk – Leased to skilled groups to target enterprise networks
  • Sodinokibi – Affiliate program tailored to different access levels

Cleaner Malware Droppers

To get past defenses, some ransomware uses clean “droppers” before deploying payloads. These initial files have benign signatures to bypass antivirus inspection. Only after reaching systems do droppers unpack the true malicious cargo.

By splitting components, malware authors separate suspicious payload code from innocent-looking droppers. Droppers may also release the payload in pieces or fetch it from a remote server to avoid detection.

Warning signs of droppers can include new executables running unexpected programs like PowerShell or introducing unrecognized .DLL files.
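The two warning signs just mentioned, an unexpected program launching a script host and an unrecognized DLL appearing, map directly onto process-start and image-load telemetry. The added example below (written for this article, not part of any product or the families listed) checks constructed events against two rules: a document handler or an executable in a user-writable directory spawning a script host, and an unsigned DLL loaded from a user-writable location. The handler and script-host lists and the sample paths are assumptions chosen for the demonstration.

```python
from dataclasses import dataclass

# Assumed lists for the example; a production rule set is longer and tuned per environment.
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


@dataclass(frozen=True)
class ProcessStart:
    host: str
    parent_image: str
    child_image: str


@dataclass(frozen=True)
class ImageLoad:
    host: str
    process_image: str
    dll_path: str
    signed: bool


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def suspicious_spawns(starts):
    """Document handlers, or executables living in user-writable paths, that launch a script host."""
    hits = []
    for s in starts:
        parent, child = s.parent_image.lower(), _basename(s.child_image)
        if child not in SCRIPT_HOSTS:
            continue
        if _basename(parent) in DOCUMENT_HANDLERS:
            hits.append((s.host, "document handler spawned script host", f"{_basename(parent)} -> {child}"))
        elif any(m in parent for m in USER_WRITABLE_MARKERS):
            hits.append((s.host, "executable in user-writable path spawned script host",
                         f"{_basename(parent)} -> {child}"))
    return hits


def suspicious_dll_loads(loads):
    """Unsigned DLLs loaded from user-writable locations: the 'unrecognized .DLL' sign."""
    return [(l.host, _basename(l.process_image), l.dll_path) for l in loads
            if not l.signed and any(m in l.dll_path.lower() for m in USER_WRITABLE_MARKERS)]


# Constructed sample telemetry (shape loosely modelled on EDR process and image-load events).
SAMPLE_STARTS = [
    ProcessStart("WS05", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessStart("WS05", r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe", r"C:\Windows\System32\cmd.exe"),
    ProcessStart("WS09", r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessStart("WS09", r"C:\Program Files\Vendor\updater.exe", r"C:\Windows\System32\cmd.exe"),
]
SAMPLE_LOADS = [
    ImageLoad("WS05", r"C:\Users\jdoe\AppData\Local\Temp\invoice.exe",
              r"C:\Users\jdoe\AppData\Local\Temp\crypt.dll", signed=False),
    ImageLoad("WS09", r"C:\Program Files\Vendor\updater.exe", r"C:\Windows\System32\bcrypt.dll", signed=True),
    ImageLoad("WS09", r"C:\Program Files\Vendor\updater.exe", r"C:\Program Files\Vendor\helper.dll", signed=False),
]

if __name__ == "__main__":
    for hit in suspicious_spawns(SAMPLE_STARTS) + suspicious_dll_loads(SAMPLE_LOADS):
        print(hit)
```

An administrator opening PowerShell from Explorer and a vendor updater running cmd.exe from Program Files both pass, while the Word-to-PowerShell chain and the Temp-resident dropper with its unsigned DLL are surfaced.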

Ransomware families using droppers

  • Cerber – Main payload delivered by clean installers and document droppers
  • Locky – Used droppers disguised as invoice attachments
  • Ryuk – Initial Trickbot infection later deploys Ryuk payload

Disabling Security Tools

Defeating anti-malware products is a major focus for ransomware developers. Malware needs admin privileges to disable security services that could disrupt encryption activities.

Tactics include terminating security processes, adding exclusions to block scanning, and disabling real-time protection. Ransomware targeting Windows often disables services like the Security Accounts Manager (SAM), Volume Shadow Copy, and Windows Defender.

Without these protections, ransomware can operate freely without detection. Even if scanning detects the encryption, recovery options are limited with backup tools disabled.

Examples of ransomware that disables security

  • Ryuk – Stops over 100 services including antivirus and backup processes
  • Sodinokibi – Adds file type exclusions to Windows Defender to avoid detection
  • MegaCortex – Disables domain controllers to amplify damage

Targeting Backup and Recovery Systems

Modern ransomware does not just target user endpoints and files. Enterprise strains go after networked backup solutions and storage in order to maximize impact.

By deleting Volume Shadow Copies, NAS device snapshots, and cloud-based backups, ransomware eliminates recovery options. Victims have no choice but to either pay the ransom or permanently lose data.

Sophisticated ransomware can identify and scrape credentials or passwords related to cloud services and remote storage. After encrypting primary data, backups are deleted to force victims to meet demands.
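Both the tampering described under "Disabling Security Tools" and the backup destruction described here leave tracks in process-creation telemetry, because the ransomware has to run a shadow-copy, backup or Defender command to get its way. The added example below (written for this article; not code from any product or ransomware family) applies a small set of case-insensitive rules to constructed process events and groups the matches per host, so that a single machine showing several tampering actions in a row stands out. The rule list and the sample events are assumptions for the demonstration; a deployed rule set would be broader and tuned to the environment.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str
    cmdline: str


# Rule name -> case-insensitive pattern over the full command line (assumed, illustrative set).
TAMPERING_RULES = {
    "shadow-copy deletion": re.compile(
        r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b|\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    "backup catalog deletion": re.compile(
        r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I),
    "boot recovery disabled": re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
    "Defender exclusion added": re.compile(
        r"\bAdd-MpPreference\b.*-Exclusion(Path|Extension|Process)\b", re.I),
    "Defender real-time protection disabled": re.compile(
        r"\bSet-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true\b", re.I),
    "security or backup service stopped": re.compile(
        r"\b(net1?(\.exe)?\s+stop|sc(\.exe)?\s+(stop|config))\s+\"?(WinDefend|Sense|VSS|SQLWriter)\b", re.I),
}


def scan_process_events(events):
    """Return (host, user, rule name) for every event whose command line matches a rule."""
    hits = []
    for ev in events:
        for name, pattern in TAMPERING_RULES.items():
            if pattern.search(ev.cmdline):
                hits.append((ev.host, ev.user, name))
    return hits


def hosts_with_tampering(events):
    """Per-host sorted list of distinct tampering rules seen; several on one host is the red flag."""
    seen = defaultdict(set)
    for host, _user, name in scan_process_events(events):
        seen[host].add(name)
    return {host: sorted(names) for host, names in seen.items()}


# Constructed sample telemetry; the benign lines (list/query/Get-*) must not fire.
SAMPLE_EVENTS = [
    ProcessEvent("FS01", "CORP\\svc_backup", "vssadmin.exe", "vssadmin list shadows"),
    ProcessEvent("WS07", "CORP\\jdoe", "cmd.exe", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ProcessEvent("WS07", "CORP\\jdoe", "cmd.exe", "wbadmin delete catalog -quiet"),
    ProcessEvent("WS07", "CORP\\jdoe", "bcdedit.exe", "bcdedit /set {default} recoveryenabled No"),
    ProcessEvent("WS12", "CORP\\admin", "powershell.exe", "powershell Add-MpPreference -ExclusionExtension .locked"),
    ProcessEvent("WS12", "CORP\\admin", "powershell.exe", "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcessEvent("WS12", "CORP\\admin", "net.exe", "net stop WinDefend"),
    ProcessEvent("WS03", "CORP\\helpdesk", "powershell.exe", "powershell Get-MpPreference"),
    ProcessEvent("FS01", "CORP\\svc_backup", "sc.exe", "sc query VSS"),
]

if __name__ == "__main__":
    for host, rules in hosts_with_tampering(SAMPLE_EVENTS).items():
        print(host, rules)
```

Backup administrators legitimately run some of these tools, which is why the per-host grouping matters: one shadow-copy deletion by a backup account during a maintenance window is noise, while deletion of shadow copies, the backup catalog and boot recovery in quick succession on a workstation is the pattern the section describes and should be treated as an active incident, not a ticket.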

Examples of ransomware wiping backup systems

  • RobbinHood – Seeks out and deletes Veeam backup repositories
  • Sodinokibi – Identifies cloud storage apps to delete remote backups
  • Ryuk – Specifically targets network shares and storage systems

Exploiting RDP for Access

Unpatched Remote Desktop Protocol (RDP) connections give ransomware an inviting door into enterprise targets. Brute force attacks against Internet-facing RDP servers allow malware to gain initial entry.

From there, ransomware can harvest credentials, elevate privileges, and move laterally across networks. Flawed RDP implementations can lead to complete compromise of Active Directory and core systems.

In addition to brute forcing, ransomware takes advantage of RDP tools like NLBrute and XRDP to find open systems. Even if RDP is locked down, vulnerabilities like BlueKeep can be exploited.
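The lateral movement described under "Lateral Movement Techniques" and the RDP brute forcing described in this section both show up in the same place: Windows logon telemetry. The added example below (written for this article, not code from any product or ransomware family) runs two rules over constructed logon events using the standard Security-log semantics (4624 success, 4625 failure, logon type 3 for network logons such as SMB, PsExec and WMI, type 10 for RDP): an account fanning out to many distinct hosts in a short window, and a source IP producing many failed RDP logons in a short window, with a note of whether a success from that source followed. The thresholds, windows, IP addresses and host names are assumptions chosen for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LogonEvent:
    ts: datetime
    event_id: int      # 4624 = successful logon, 4625 = failed logon
    logon_type: int    # 3 = network (SMB/WMI/PsExec), 10 = RemoteInteractive (RDP)
    account: str
    source_ip: str
    target_host: str


def lateral_fanout(events, window=timedelta(minutes=10), max_hosts=5):
    """Accounts whose successful network logons reach more than `max_hosts` distinct
    hosts inside `window`. Returns {account: largest fan-out observed}."""
    by_account = defaultdict(list)
    for e in events:
        if e.event_id == 4624 and e.logon_type == 3:
            by_account[e.account].append(e)
    flagged = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.ts)
        lo = 0
        for hi in range(len(evs)):
            while evs[hi].ts - evs[lo].ts > window:
                lo += 1
            hosts = {e.target_host for e in evs[lo:hi + 1]}
            if len(hosts) > max_hosts:
                flagged[account] = max(flagged.get(account, 0), len(hosts))
    return flagged


def rdp_bruteforce(events, window=timedelta(minutes=5), max_failures=20):
    """Source IPs with more than `max_failures` failed RDP logons inside `window`.
    Returns {source_ip: True if a successful RDP logon from that IP followed the alert}."""
    failures = defaultdict(list)
    for e in events:
        if e.event_id == 4625 and e.logon_type == 10:
            failures[e.source_ip].append(e.ts)
    result = {}
    for ip, stamps in failures.items():
        stamps.sort()
        lo = 0
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            if hi - lo + 1 > max_failures:
                alert_time = stamps[hi]
                result[ip] = any(e.event_id == 4624 and e.logon_type == 10 and e.source_ip == ip
                                 and e.ts >= alert_time for e in events)
                break
    return result


def constructed_logons():
    """Constructed sample telemetry: one brute-force burst, one fan-out sweep, benign noise."""
    base = datetime(2024, 3, 4, 2, 0, 0)
    events = []
    # 60 failed RDP logons from a documentation-range IP over three minutes, then a success.
    for i in range(60):
        events.append(LogonEvent(base + timedelta(seconds=3 * i), 4625, 10, "administrator",
                                 "198.51.100.23", "RDP01"))
    events.append(LogonEvent(base + timedelta(minutes=4), 4624, 10, "administrator", "198.51.100.23", "RDP01"))
    # A service account opening network logons to twelve hosts inside two minutes.
    for i in range(12):
        events.append(LogonEvent(base + timedelta(seconds=10 * i), 4624, 3, "CORP\\svc_deploy",
                                 "10.0.0.50", f"WS{i + 1:02d}"))
    # Benign: a user reaching three file servers, an admin mistyping a password three times.
    for i, host in enumerate(("FS01", "FS02", "PRINT01")):
        events.append(LogonEvent(base + timedelta(minutes=i), 4624, 3, "CORP\\jdoe", "10.0.0.77", host))
    for i in range(3):
        events.append(LogonEvent(base + timedelta(seconds=20 * i), 4625, 10, "CORP\\admin", "10.0.0.5", "RDP01"))
    events.append(LogonEvent(base + timedelta(minutes=1), 4624, 10, "CORP\\admin", "10.0.0.5", "RDP01"))
    return events


if __name__ == "__main__":
    ev = constructed_logons()
    print("lateral fan-out:", lateral_fanout(ev))
    print("RDP brute force:", rdp_bruteforce(ev))
```

A brute-force burst that ends in a successful logon is the case to page on, since the attacker now holds a working credential and the credential-harvesting and lateral-movement stages described above follow from there; the fan-out rule is the corresponding tripwire for that next stage, and it also fires on worm-style SMB spreading because a worm authenticates to every reachable host with the same stolen account.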

Ransomware known for RDP attacks

  • REvil – Automated RDP brute forcing to compromise networks
  • RobbinHood – Originally entered systems via RDP vulnerabilities
  • CrySis – Exploited RDP and BlueKeep to spread encryption

Using Social Engineering Tricks

Despite growing technical sophistication, most successful ransomware campaigns rely on tried-and-true social engineering tactics. Malicious emails, fake software installers, doctored documents, and Trojan downloads take advantage of naive users.

Preying on human curiosity and fear of missing out remains an effective method for delivering payloads. Even with defensive layers, social tricks provide a front door for infections.

Some ransomware adds urgency by posing as customer complaints, unpaid invoices, or system alerts. Others offer free software or media content to entice downloads.

Examples of ransomware using social engineering

  • Scareware fakes antivirus warnings to get victims to download payload
  • Phishing emails pretend to be customer complaints or past-due bills
  • Free software and media offers trick users into running malicious installers

Conclusion

Ransomware developers utilize an array of techniques to infect systems while avoiding detection. Packing, code morphing, social engineering, vulnerability exploitation, and disabling defenses all help ransomware evade protections.

By understanding how malware analysts deconstruct threats, ransomware authors deliberately undermine these efforts. Unfortunately, this allows ransomware groups to remain several steps ahead of defenders.

Without access to ransomware source code or samples, organizations must focus on least-privilege access, backups, patching, and user education. Breaking the infrastructure that ransomware relies on remains the most effective countermeasure.