The development of code and mechanism of ransomware continues to progress and now takes more to control than before, explains Raymond Pompon at F5 Labs.
In 2019, we talked about how to defend yourself against ransomware, but attackers have since strengthened their capabilities. We are now seeing thousands of variants.
Finding shortcuts and removing unnecessary steps can save time when seconds count. And it takes a lot of time to encrypt a multi-gigabyte file using a 4096-bit key with AES-256 encryption. One trick is to skip encrypting large files, hoping the victim does not notice. Another is to encrypt only part of the file, which is often enough to cause an application-halting error when accessed.
Additional scenarios include the infection checking the physical location where it is running. If the infector sees it is not in a targeted country, it may delete itself and move on. Some ransomware variants will self-destruct if they think they are within any of the nine Russian Commonwealth of Independent States.
Ransomware can also spread from highly connected internal network nodes, such as Windows domain controllers. Since these kinds of servers interact with most internal systems, they are excellent launching points to spread infections quickly.
Furthermore, ransomware often appears to strike so quickly because it can remain dormant for quite some time, creeping around and looking for the best place to strike. Attackers use this time to corrupt backup restore points and empty recycle bins to foil recovery efforts. Then, on a set date, the ransomware leaps into action and begins encrypting everything at once.
Staying dormant upon load is a trick to bypass antivirus filters, which expect malware to begin executing immediately. Most modern ransomware will turn off antivirus software if it can. If not, it will obfuscate or encrypt itself and only unpack into memory to evade disk scanning tools.
It is worth noting that ransomware can slow down system performance noticeably while it is encrypting, and new variants can hide this by displaying fake error messages. In addition, many variants try to use the built-in Windows tools and features to do their scanning and targeting, known as living off the land. Attacks then reduce the number of detectable malware components running on the network.
Near the end of 2019, the Maze ransomware added a new feature: data leakage extortion. Not only can this malware encrypt all your data, it can exfiltrate the confidential data to its servers This has quickly caught on with ransomware authors.
A common response to early ransomware was to perform forensics on its binary, which sometimes provided the encryption key, so you did not have to pay to unlock your data. Sometimes it was to inform threat intelligence on ransomware and create new defenses.
Ransomware countered with self-destructing malware. If the service running the programme stops, it crashes the machine so memory cannot be read. Ransomware will not run if it detects itself inside a virtual environment or a debugger, and the code can mislead analysis tools. Some variants will not activate without the remote attacker sending an unlock code, making it difficult for defenders to capture and analyse the programme.
Remember, no matter how sophisticated the ransomware code is, the infection still needs to get into your systems.