Posted on August 16, 2018

The Evolution of Ransomware

Ransomware developers are stepping up their game, taking a more sophisticated approach to how they avoid detection, infect systems, and defeat decryption efforts. The tools to detect and decrypt ransomware are improving, but so is the ransomware, and it often stays a step ahead of the defences built against it. It is getting harder to detect, and harder to recover the files it encrypts.

Ransomware has long had a degree of predictability, which has been an advantage for security operations teams, who have been able to build tools that limit the damage done. But ransomware has reached a point of evolution: its creators are finding ways to make it less linear, which is bad news for those tools.

Simply put, ransomware has one job: to encrypt, or otherwise lock up, the files on a system. When that process is linear, it is easy to detect. Imagine the files on your computer as a grocery list: ransomware starts at the top and works its way down, encrypting them one by one. Predictably. Once it begins, it's a no-brainer where it's heading. Now hackers are getting smarter and changing the game. They are removing that predictable element, which not only helps avoid initial detection, it also hampers the ability to stop the encryption once it is detected. Here are just a few of the ways hackers are stepping up their game:

Slowing down the encryption process

“Flying under the radar” is a good analogy for this one. One of the tell-tale signs of infection is a huge number of files being modified in a short time, and a good anti-ransomware tool watches for exactly that. So, to avoid tripping this alarm right away, hackers have begun slowing the process down, spreading the encryption over hours or days. The activity no longer fits the tool's profile of ransomware, so it doesn't raise the alarm. This glacial pace also raises the risk that your backups will be poisoned: the backup job keeps running while files are slowly overwritten with encrypted copies, and once the retention window passes, the last clean copy is gone.

Randomization of the encryption process

Creators of ransomware are also beginning to randomize the order in which files are encrypted, breaking away from the predictable linear walk through the file system. Changing the rules of the game this way helps ransomware slip past tools designed around the linear pattern, such as decoy (“canary”) files placed so that a top-down sweep touches them first and trips the alarm early.
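The two evasions above, pacing and random ordering, both target detectors keyed to timing and order. The following is an added example, not code from the original post, showing why a content-based rule survives both: a classic rate rule fires on a fast alphabetical sweep but misses a paced one, while a rule that flags near-random bytes being written into a file type that should hold plain text fires on both and stays quiet on a user saving documents. All telemetry, paths and thresholds are constructed for the example.

```python
import math
import random
from collections import deque

# File types whose contents are expected to be low-entropy text (assumption for the example).
PLAINTEXT_EXTS = {".txt", ".csv", ".log", ".xml", ".html"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, roughly 4 to 5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def rate_rule(events, window_s=10.0, max_files=50):
    """Classic rate rule: fire when more than max_files distinct paths are written
    inside any window_s-second sliding window. Paced encryption never trips it."""
    window = deque()
    for ev in sorted(events, key=lambda e: e["t"]):
        window.append(ev)
        while ev["t"] - window[0]["t"] > window_s:
            window.popleft()
        if len({e["path"] for e in window}) > max_files:
            return True
    return False


def content_rule(events, min_entropy=7.0, max_hits=5):
    """Order- and rate-independent rule: a write of near-random bytes into a file
    that should be plain text is anomalous on its own; fire after max_hits of them."""
    hits = 0
    for ev in events:
        path = ev["path"]
        ext = ("." + path.rsplit(".", 1)[-1].lower()) if "." in path else ""
        if ext in PLAINTEXT_EXTS and shannon_entropy(ev["data"]) >= min_entropy:
            hits += 1
            if hits >= max_hits:
                return True
    return False


def classify(events):
    """Run both rules over one stream of file-write events."""
    return {"rate_rule": rate_rule(events), "content_rule": content_rule(events)}


# --- Constructed sample telemetry (not real logs) ---
rng = random.Random(2018)
CIPHERTEXT = rng.randbytes(4096)  # stands in for an encrypted file body
TEXT = b"Quarterly figures attached, please review before Friday.\n" * 64


def burst(paths, interval_s, data, start=0.0):
    """One write event per path, spaced interval_s seconds apart."""
    return [{"t": start + i * interval_s, "path": p, "data": data} for i, p in enumerate(paths)]


FILES = [f"C:/Users/alice/Documents/report_{i:03d}.txt" for i in range(200)]

FAST_LINEAR = burst(FILES, 0.02, CIPHERTEXT)   # 200 files in 4 s, alphabetical order
shuffled = FILES[:]
rng.shuffle(shuffled)
SLOW_RANDOM = burst(shuffled, 60.0, CIPHERTEXT)  # one file a minute, random order
BENIGN = burst(FILES[:30], 5.0, TEXT)           # a user saving ordinary text files

if __name__ == "__main__":
    for name, evs in [("fast_linear", FAST_LINEAR), ("slow_random", SLOW_RANDOM), ("benign", BENIGN)]:
        print(name, classify(evs))
```

The content rule is not free: compressed and encrypted formats (zip-based Office files, JPEGs, archives) are legitimately high-entropy, which is why the check is restricted to extensions that should be text. A real deployment would pair it with an allow-list of processes permitted to rewrite many user documents.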

Delivery of ransomware in the form of files

Email has long been a potent delivery method for ransomware, and increasingly it now arrives as an attached file. The malicious link is still the most common lure, but as companies and organizations do a better job of teaching people not to click suspicious links, some ransomware creators are changing tactics. A document attached as a PDF, a Microsoft Word file, or another common type is sent instead of a link. The attachment carries a script, such as a Word macro or JavaScript embedded in a PDF, that downloads or launches the ransomware when the document is opened.

Attachments that used to be assumed safe, PDFs, JPEGs and so on, could now be ticking time bombs waiting for you to pull the pin. People have wised up to the old suspicious-link trick, but when an email contains an “invoice” or a “photo”, it's still less intuitive to avoid. A file named photo.jpg is not necessarily a JPEG, either: checking that the content actually matches the extension is a cheap first test.
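A mail gateway or analyst can apply the checks the paragraphs above imply before anyone opens an attachment. The code below is an added example (not from the original post): it verifies that the bytes match the declared extension, looks inside zip-based Office files for a VBA project, scans a PDF for active-content keywords, and flags directly executable types. The sample attachments are constructed in memory; the minimal Office files are fabricated stand-ins, not real documents.

```python
import io
import zipfile

# Expected leading bytes for common attachment types (assumption: only these are checked).
MAGIC = {
    ".pdf": b"%PDF",
    ".docx": b"PK\x03\x04", ".docm": b"PK\x03\x04",
    ".xlsx": b"PK\x03\x04", ".xlsm": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG",
}
# PDF tokens that indicate scripts or launch actions in an uncompressed object stream.
PDF_ACTIVE = [b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/EmbeddedFile"]
# Attachment types that are executables or scripts outright.
DANGEROUS_EXTS = {".exe", ".scr", ".js", ".vbs", ".hta", ".jar", ".ps1", ".bat"}


def inspect_attachment(filename: str, data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    ext = ("." + filename.rsplit(".", 1)[-1].lower()) if "." in filename else ""

    if ext in DANGEROUS_EXTS:
        findings.append(f"executable attachment type {ext}")

    expected = MAGIC.get(ext)
    if expected is not None and not data.startswith(expected):
        findings.append(f"content does not match {ext} extension (starts with {data[:4]!r})")

    if data.startswith(b"PK\x03\x04"):  # zip container: Office Open XML, JAR, plain zip
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            names = []
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("Office document carries a VBA macro project")

    if data.startswith(b"%PDF"):
        for token in PDF_ACTIVE:
            if token in data:
                findings.append(f"PDF contains active-content token {token.decode()}")

    return findings


def build_office_doc(with_macro: bool) -> bytes:
    """Fabricate a minimal zip-based Office file for the example (not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


# Constructed sample attachments.
SAMPLES = {
    "report.docx": build_office_doc(False),
    "invoice.docm": build_office_doc(True),
    "statement.pdf": (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction << /S /JavaScript "
                      b"/JS (this.exportDataObject()) >> >> endobj\n%%EOF"),
    "photo.jpg": b"MZ\x90\x00" + b"\x00" * 60,   # a PE executable renamed to .jpg
    "invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
}


def scan(samples: dict) -> dict:
    return {name: inspect_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(name, "->", findings or "clean")
```

The PDF keyword scan only sees uncompressed objects; real malicious PDFs usually hide the action inside FlateDecode streams, so a production filter needs a PDF parser that inflates object streams first. Likewise, the absence of vbaProject.bin does not clear a document that uses DDE fields or OLE-embedded executables.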


Overwriting the master boot record

A quick and purely evil move: some hackers bypass the files altogether and go straight for the disk's boot code. They target the master boot record (MBR), the first sector of the drive, which holds the bootstrap code and the partition table. If they can overwrite it with their own bootloader, they can hold the rest of the drive for ransom without encrypting any of your other files: the machine boots into the ransom note instead of the operating system, and the partition table the system needs to find your data is gone with it. It's the Mike Tyson of ransomware. One and done.
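Because the MBR is a fixed 512-byte structure, its integrity is easy to check against a baseline recorded when the machine was known good. The example below is added here and is not from the original post: it parses the sector layout (446 bytes of bootstrap code, four 16-byte partition entries, the 0x55AA signature), records a baseline, and reports what changed. The sectors are constructed; the bootstrap bytes are placeholders, not a real bootloader.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 446            # bootstrap code occupies bytes 0..445
SIGNATURE = b"\x55\xaa"        # bytes 510..511 on a valid MBR
ENTRY = "<B3xB3xII"            # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into bootstrap hash, partition entries and signature check."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY, sector, BOOT_CODE_END + 16 * i)
        if ptype:  # type 0 means an empty slot
            partitions.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == SIGNATURE,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read sector with a baseline captured from a known-good state."""
    current = parse_mbr(sector)
    issues = []
    if not current["signature_ok"]:
        issues.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        issues.append("bootstrap code differs from recorded baseline")
    if current["partitions"] != baseline["partitions"]:
        issues.append("partition table differs from recorded baseline")
    return issues


def make_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR for the example from placeholder boot code and entries."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    table = b"".join(struct.pack(ENTRY, *p) for p in partitions).ljust(64, b"\x00")
    return code + table + SIGNATURE


# Constructed sectors: the boot code bytes are stand-ins, not real bootloaders.
GOOD_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b" constructed stand-in for the OS bootstrap"
ONE_NTFS = [(0x80, 0x07, 2048, 1_000_000)]            # bootable, type 0x07, starts at LBA 2048
KNOWN_GOOD = make_mbr(GOOD_BOOT_CODE, ONE_NTFS)
BASELINE = parse_mbr(KNOWN_GOOD)                       # record this at install time or from a golden image
TAMPERED = make_mbr(b"\xeb\x02 constructed stand-in for a malicious bootloader", ONE_NTFS)
REPARTITIONED = make_mbr(GOOD_BOOT_CODE, [(0x80, 0x07, 4096, 1_000_000)])

if __name__ == "__main__":
    print("known good :", check_mbr(KNOWN_GOOD, BASELINE) or "no change")
    print("tampered   :", check_mbr(TAMPERED, BASELINE))
    print("repartition:", check_mbr(REPARTITIONED, BASELINE))
```

On a live host the first sector comes from the raw device, for example `open("/dev/sda", "rb").read(512)` on Linux or `open(r"\\.\PhysicalDrive0", "rb").read(512)` on Windows, both of which need administrative rights. Two caveats: a check that runs from inside the OS can only catch the tampering before the next reboot, so it belongs in a scheduled task or EDR rule rather than a one-off script, and UEFI systems with Secure Boot do not boot from this sector at all, so there the equivalent check is on the EFI system partition and firmware boot entries.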

Polymorphic code

Polymorphic code is another way ransomware is evolving, and it seriously complicates detection. As the file spreads from computer to computer, the ransomware changes its own code slightly before spreading again, so the copy identified as ransomware on one device may go undetected on the next because its bytes, and therefore its hash and any exact-match signature, no longer line up.

The rate of polymorphic change is another huge challenge for detection. It can mutate as often as every 15 to 20 seconds. Once the signature of a ransomware sample has been worked out it is easy to stop, but a sample that reshapes itself faster than signatures can be written and distributed is very hard to catch that way.
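The reason hash and exact-byte signatures lose to polymorphism, and what still works, is easiest to see on a toy. The block below is an added example, not code from the post or from any real sample: each “copy” wraps the same placeholder payload in a fresh 4-byte XOR key and a random-length junk prefix, so every copy hashes differently, while the small decoder stub that every copy must carry to unpack itself stays invariant and can be matched and followed to the real payload. The payload and stub bytes are constructed placeholders.

```python
import hashlib
import random

# Constructed stand-in for the ransomware body; a real sample carries machine code here.
PAYLOAD = b"encrypt_files(); drop_ransom_note(); -- constructed placeholder payload"
# Constructed stand-in for the invariant decoder loop every copy must include to unpack itself.
DECODER_STUB = b"\x8a\x06\x32\x07\x88\x06"


def mutate(rng: random.Random) -> bytes:
    """Emit a new copy: new XOR key, new junk prefix, identical payload underneath."""
    key = rng.randbytes(4)
    junk = rng.randbytes(rng.randrange(0, 24))
    body = bytes(b ^ key[i % 4] for i, b in enumerate(PAYLOAD))
    return junk + DECODER_STUB + key + body


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_blocklist_hit(sample: bytes, blocklist: set) -> bool:
    """What a hash or exact-byte signature does: match only the identical file."""
    return sha256(sample) in blocklist


def decoder_signature_hit(sample: bytes) -> bool:
    """What survives mutation: locate the invariant stub, read the key behind it,
    unpack the body and compare the decoded payload."""
    idx = sample.find(DECODER_STUB)
    if idx < 0:
        return False
    key_at = idx + len(DECODER_STUB)
    key = sample[key_at:key_at + 4]
    body = sample[key_at + 4:]
    return bytes(b ^ key[i % 4] for i, b in enumerate(body)) == PAYLOAD


def generation(n: int, seed: int = 2018) -> list:
    """n successive copies, as if the sample re-mutated before each new infection."""
    rng = random.Random(seed)
    return [mutate(rng) for _ in range(n)]


if __name__ == "__main__":
    copies = generation(5)
    blocklist = {sha256(copies[0])}  # the one hash the vendor managed to publish
    for i, c in enumerate(copies):
        print(i, sha256(c)[:16], "hash hit:", hash_blocklist_hit(c, blocklist),
              "decoder hit:", decoder_signature_hit(c))
```

Real engines do the same thing at scale: byte-pattern rules with wildcards (YARA-style) for the decoder stub, emulation to run the unpacker, and behavioural rules on what the unpacked code does. Any of those is indifferent to how often the outer layer changes.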

Multi-threaded attacks

Multi-threaded attacks are becoming a thing. Ransomware that uses a single process to encrypt files is effective enough, as many victims can attest. Now imagine that process on steroids. In a multi-threaded attack the main ransomware process launches worker threads or sub-processes that encrypt files in parallel, which both speeds up the encryption and shortens the window in which the attack can be stopped. Killing one or two workers doesn't help; the others keep going. A multi-threaded attack can also saturate the processor and memory, and everything basically goes south from there.

Stepping up their code-writing skills

Believe it or not, a lot of the success in detecting, and stopping, ransomware actually comes down to simple mistakes made by its creators: blunders in how the encryption is implemented, failures of key management (leaving the key on disk or in memory, say), or using a predictable number generator to produce the key. Mistakes like these are what allow decryption tools to be built.

The people writing ransomware are not encryption experts, but they are stepping up their efforts. One example is the Crysis ransomware. Earlier versions had errors in the encryption that allowed decrypters to be developed. Those have since been fixed, and at the time of writing there is no way to decrypt the current version.
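What the “predictable number generator” mistake looks like, and how a decrypter exploits it, is worth seeing once. The toy below is an added example, not code from the post and not a reconstruction of Crysis or any other family: the per-file key is drawn from a standard PRNG seeded with the infection timestamp, so anyone holding the encrypted file's modification time and the first few bytes of a known file header (a PDF starts with `%PDF-`) can brute-force the seed and recover the key in seconds. The stream cipher, timestamps and victim file are all constructed for the example; the fix shown beside it is a CSPRNG key.

```python
import hashlib
import hmac
import random
import secrets


def weak_key(seed: int) -> bytes:
    """The mistake: a 256-bit key drawn from a PRNG seeded with a 32-bit timestamp.
    The key has at most 2**32 possible values, and far fewer once the time is known roughly."""
    return random.Random(seed).randbytes(32)


def strong_key() -> bytes:
    """The fix: 256 bits from the operating system's CSPRNG, not derivable from anything observable."""
    return secrets.token_bytes(32)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for the example: HMAC-SHA256(key, block counter) XORed over the data.
    Encryption and decryption are the same operation."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, (offset // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def recover_key(ciphertext: bytes, known_prefix: bytes, mtime: int, window: int = 3600):
    """Decrypter logic: try every seed within mtime +/- window and keep the one that
    turns the first bytes of the ciphertext back into the expected file header."""
    for seed in range(mtime - window, mtime + window + 1):
        key = weak_key(seed)
        if keystream_xor(key, ciphertext[:len(known_prefix)]) == known_prefix:
            return seed, key
    return None


# Constructed scenario (not real data).
INFECTION_TIME = 1534377600                        # 2018-08-16 00:00:00 UTC, the seed the malware used
VICTIM_FILE = b"%PDF-1.4\n% constructed sample document body\n" * 8
ENCRYPTED = keystream_xor(weak_key(INFECTION_TIME), VICTIM_FILE)
OBSERVED_MTIME = INFECTION_TIME + 417               # the encrypted file's timestamp, a little later
STRONG_ENCRYPTED = keystream_xor(strong_key(), VICTIM_FILE)

if __name__ == "__main__":
    hit = recover_key(ENCRYPTED, b"%PDF-", OBSERVED_MTIME)
    print("weak key recovered:", hit is not None, "seed:", hit[0] if hit else None)
    print("plaintext restored:", hit is not None and keystream_xor(hit[1], ENCRYPTED) == VICTIM_FILE)
    print("strong key recovered:", recover_key(STRONG_ENCRYPTED, b"%PDF-", OBSERVED_MTIME, window=600) is not None)
```

The same search works whenever the key space is tied to something the victim can observe: a timestamp, a process ID, a machine name, a counter. The mistake is not the cipher (the keystream here is sound for a 256-bit key) but the key's origin; once the key comes from `secrets` or the platform CSPRNG, the only attack left is the one the page describes as no longer possible.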

Older and slower makes for a better target. Just as in nature, the predator looks for the easy meal. An older operating system with outdated antivirus is a much easier target than a system running a current Windows 10 or Apple macOS build. The latest versions are a harder nut to crack, but luckily for ransomware attackers there are still millions of poorly patched machines running older operating systems. These are prime targets, and attacking them is like picking low-hanging fruit: it is easier to penetrate a system with known, unpatched vulnerabilities than to take on something newer and stronger.

Delayed activation (the “Easter egg”)

This is the intentional delaying of a ransomware attack's launch, more commonly called a time bomb or logic bomb. The seed is planted, it burrows into the system and basically goes to sleep, lying dormant for a period of time before activating. While dormant it keeps spreading, potentially infecting numerous devices before the malware activates and begins its path of destruction. The delay also separates the moment of infection from the moment of damage, so the email or download that let it in is long forgotten, and possibly already purged from logs and backups, by the time anyone investigates.

Adapting to the ever-evolving world of ransomware threats is the name of the game. None of the adaptations discussed here makes ransomware completely invisible or invincible. Every time a new adaptation is discovered, new detectors have to be developed: analyze it, understand it, change the way you detect. It's a big game of cat and mouse, cops and robbers, a newer version of the same old game. Keeping up with developments is the key, as is knowing what you're up against.
