I’ve mentioned the evasion tactics that ransomware uses more than once in previous blog posts. This collection of technical methods ensures that crypto-ransomware infections can stay below the radar and:
- Not get picked up by antivirus products
- Not get discovered by cyber security researchers
- Not get observed by law enforcement agencies and their own malware researchers.
The rationale is simple: the longer a malware infection can persist on a compromised PC, the more data it can extract and the more damage it can do.
So here are just a few of the tactics that ransomware employs to remain covert and maintain the anonymity of its makers and distributors:
- Communication with Command & Control servers is encrypted and difficult to detect in network traffic;
- It relies on built-in anonymizing services, like TOR and Bitcoin, to avoid tracking by law enforcement agencies and to receive ransom payments;
- It uses anti-sandboxing mechanisms so that antivirus won’t pick it up;
- It employs domain shadowing to conceal exploits and hide the communication between the downloader (payload) and the servers controlled by cyber criminals (where the ransomware is stored);
- It features Fast Flux, another technique used to keep the source of the infection anonymous;
- It deploys encrypted payloads, which can make it more difficult for antivirus to see that they include malware, so the infection has more time to unfold;
- It has polymorphic behavior that endows the ransomware with the ability to mutate enough to create a new variant, but not so much as to alter the malware’s function;
- It has the ability to remain dormant – the ransomware can remain inactive on the system until the computer is at its most vulnerable moment, and then take advantage of that to strike fast and effectively.
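A defender-side illustration of the Fast Flux item above, added here as an example and not taken from the original post: a small heuristic that flags domains in resolver logs whose short-TTL answers rotate across many unrelated IP ranges inside a short window. The log line format, the thresholds and the sample lines are constructed assumptions, not a real product's format.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the original post): "timestamp qname ip ttl".
# The first name churns through five IPs in three different /24s with a 60 s TTL;
# the second is a stable host with a one-hour TTL.
SAMPLE_DNS_LOG = """\
1700000000 update.example-cdn.test 203.0.113.10 60
1700000030 update.example-cdn.test 198.51.100.7 60
1700000060 update.example-cdn.test 192.0.2.44 60
1700000090 update.example-cdn.test 203.0.113.99 60
1700000120 update.example-cdn.test 198.51.100.200 60
1700000000 www.legit-site.test 192.0.2.1 3600
1700000500 www.legit-site.test 192.0.2.1 3600
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)$")

def parse_dns_log(text):
    """Parse 'ts qname ip ttl' lines into (ts, qname, ip, ttl); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, qname, ip, ttl = m.groups()
            records.append((int(ts), qname.lower(), ip, int(ttl)))
    return records

def fast_flux_candidates(records, window=600, max_ttl=300, min_ips=4, min_prefixes=3):
    """Return qnames that, within any `window` seconds, resolved to at least `min_ips`
    distinct addresses spread over at least `min_prefixes` distinct /24s, every answer
    carrying a TTL <= max_ttl. Short TTLs plus a constantly rotating, scattered address
    set is the classic fast-flux pattern; a CDN rotates too but usually stays inside a few
    prefixes, so tune min_prefixes against your own baseline to limit false positives."""
    by_name = defaultdict(list)
    for ts, qname, ip, ttl in records:
        if ttl <= max_ttl:                      # long-lived answers are not flux
            by_name[qname].append((ts, ip))
    flagged = set()
    for qname, hits in by_name.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):   # slide a window from each answer
            ips = {ip for ts, ip in hits[i:] if ts - start <= window}
            prefixes = {ip.rsplit(".", 1)[0] for ip in ips}
            if len(ips) >= min_ips and len(prefixes) >= min_prefixes:
                flagged.add(qname)
                break
    return sorted(flagged)
```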