While many cybercriminals execute data breaches and attacks in a matter of hours or less, others prefer a long-haul approach to harvesting sensitive and protected information over time. The recent surge in social engineering and advanced persistent threats (APTs), ransomware, and other sophisticated cybercrime indicates that unknown viruses and ransomware are definitely means to an end — either for financial gain or disruption of services of targeted organizations.
In 2024, 59 percent of all businesses and organizations were hit by ransomware attackers. Of those businesses, 56 percent paid the ransom, but not everyone got their data back, according to a recent Sophos report. The latest security threats are characterized by their ability to remain undetected on a company's network for long periods. In some cases, criminals have gone unnoticed for years. IBM's 2024 report highlighted that it takes 194 days on average for a security breach or incident to be detected, and another 64 days to contain it.
How Does Ransomware Work?
To solve the ransomware problem, we must first understand how it works. Ransomware can be explained in four stages: Intrusion, Payload Delivered, Ransom Demand, and Recovery (Payment). Stages 1 and 2 are where the APT is initiated and executed.
For years, Stage 1 defenses have failed to keep intruders out. Highlighted as one of three core principles in the NIST SP 800-207 Zero Trust Architecture, organizations should always assume that there is a malicious presence inside their environment. Given this assumption, a malicious actor who is present on a network can really only do one of two things:
- They can snoop around and try to exfiltrate data, or
- They can add, modify, or delete system files, directories, configurations, policies, users, etc.
Spoiler alert — ransomware is simply a software package or payload that must first be “added” to an infrastructure and then “executed.” It’s the execution of the payload that encrypts critical files to the point that they are unreadable and/or impacts the operational stability of the target systems.
How Are Ransomware and Malware Different?
Ransomware is a form of malware. Other types of malware include Trojans, spyware, adware, rootkits, worms, and keyloggers. Each type of malware has a nefarious purpose: to gain access to privileged information, disrupt IT operations, or simply deny access by encrypting files and demanding a ransom in exchange for the encryption key to restore access. But be warned: don’t be a part of that 32 percent that pay the ransom and don’t get a key, or get a key that doesn’t restore everything back to the original state.
Cybersecurity experts need to be prepared for continued efforts by bad actors who want to reap financial gains by using ransomware as their malware of choice.
Where Malware and Ransomware May Hide
1. Critical System Files
One of the most dangerous and inconspicuous spots where highly sophisticated malware can hide is your critical system files. Traditionally, malware files used to replace or modify existing critical system files could be distinguished by a foreign signature or by metadata visible in the attribute certificate table (ACT) of signed files.
While the file steganography practices used by highly sophisticated cybercriminals can bypass most traditional detection methods, some traces remain. Technology that detects changes in file size or contents, in addition to signature changes, can catch these unwanted modifications.
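The size-and-contents check described above, as an added example (not CimTrak's code or the author's): it records size and SHA-256 for every file under a root, then diffs a later snapshot against that trusted baseline. The file tree and the tampering sequence are constructed in a temporary directory; real tooling would persist the baseline and watch the actual OS paths.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def file_record(path: Path) -> dict:
    """Size plus SHA-256 of contents, so an in-place patch that keeps the name is still caught."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": path.stat().st_size, "sha256": h.hexdigest()}

def snapshot(root: Path) -> dict:
    """Map relative path -> record for every regular file under root (the baseline when trusted)."""
    return {str(p.relative_to(root)).replace(os.sep, "/"): file_record(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(baseline: dict, current: dict) -> dict:
    """Classify each path as added, removed or modified relative to the trusted baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }

def demo() -> dict:
    """Build a baseline over a constructed 'system' tree, simulate tampering, return the diff."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        sys32 = root / "system32"          # constructed stand-in for a critical system directory
        sys32.mkdir()
        (sys32 / "svc.dll").write_bytes(b"legitimate service code v1")
        (sys32 / "config.ini").write_text("debug=0\n")
        baseline = snapshot(root)          # in practice persisted (e.g. as JSON) and protected
        # Simulated changes: one file patched in place, one dropped payload, one deleted config.
        (sys32 / "svc.dll").write_bytes(b"legitimate service code v1 + injected stub")
        (sys32 / "dropper.tmp").write_bytes(b"MZ placeholder")
        (sys32 / "config.ini").unlink()
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```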
2. Windows Registry
Some malware will modify Windows Registry keys to establish a position among the "autoruns," ensuring the malware launches each time the OS starts. It is also common for bad actors to use registry keys to store and hide next-stage code for malware after it has been dropped on a system.
Manually auditing your Windows Registry keys to detect abnormalities can be a massive undertaking. It would theoretically require comparing log files against tens of thousands of autorun settings. While there are some possible shortcuts, efficiently determining modifications to your registry keys is typically best achieved with an effective file integrity monitoring solution.
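One of the shortcuts mentioned above, as an added example that is not part of the original post or of CimTrak: parse a `reg export` of the two classic Run keys, compare each value against a trusted baseline, and flag entries that launch from a temporary folder or invoke a script host with hidden or encoded arguments. The export text, the baseline, and the suspicious entries are all constructed; only string values are handled (hex(2) REG_EXPAND_SZ blobs are not decoded).

```python
import re

# Constructed `reg export` text for the two classic autorun keys; "Updater" and "Sync" are invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"Updater"="\"C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe\" /silent"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sync"="powershell.exe -w hidden -enc QUJD"
'''

# Trusted baseline captured from a known-good state (assumption: kept by the FIM tool, not here).
BASELINE = {r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe"}}

# Heuristics that flag an entry even when no baseline exists for its key.
SUSPECT = [
    (r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%", "launches from a temporary folder"),
    (r"\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)(\.exe)?\b.*(-enc|-e |hidden|/c )",
     "script host with hidden or encoded arguments"),
]

def parse_reg(text: str) -> dict:
    """Parse [key] headers and "name"="value" lines of a .reg export into {key: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and (m := re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)):
            unescape = lambda s: re.sub(r"\\(.)", r"\1", s)   # .reg writes \\ for \ and \" for "
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys

def audit(reg_text: str, baseline: dict) -> dict:
    """Return {value name: [reasons]} for every autorun entry that deviates or looks suspicious."""
    findings = {}
    for key, values in parse_reg(reg_text).items():
        expected = baseline.get(key, {})
        for name, cmd in values.items():
            reasons = ["not in baseline"] if name not in expected else (
                ["changed since baseline"] if expected[name] != cmd else [])
            reasons += [why for pat, why in SUSPECT if re.search(pat, cmd, re.IGNORECASE)]
            if reasons:
                findings[name] = reasons
        for name in set(expected) - set(values):   # a disappeared autorun is also a change
            findings[name] = ["removed since baseline"]
    return findings
```

Running `audit(SAMPLE_REG, BASELINE)` reports Updater (not in baseline, temporary folder) and Sync (not in baseline, script host) and stays silent on SecurityHealth.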
3. Temporary Folders
Operating systems contain a host of temporary folders, ranging from internet caches to application data. These folders are an inherent part of the OS, allowing the system to process and compress information to support the user experience. By nature, temporary folders are typically writable by all users by default, to enable internet browsing, the creation of Excel spreadsheets, and other everyday activities.
Due to their inherently loose security, temporary folders are a common landing place for malware and ransomware when criminals enter your system via phishing, a rootkit exploit, or another method. Ransomware and malware may use temporary folders as launchpads to immediately execute or establish multiple other strongholds within a company's network through permission elevation and other modes.
4. .lnk Files
Also known as "shortcuts," these may contain a direct path to a malware- or ransomware-laden website or, more dangerously, to an executable file. Chances are, your employees have quite a few of these pathways on their desktops to ease access to commonly visited web applications and other tools.
Both malware and ransomware can gain a hold within a system after a user downloads and opens a cleverly disguised .lnk file that resembles an existing shortcut or even an innocuous PDF document. Unfortunately, the average end user cannot tell the difference, since the .lnk extension of the file is not visibly displayed.
5. Word Files
Even relatively low-grade spam filters are wise enough to recognize .exe files as potentially malicious. However, cybercriminals have wised up to this practice and often take advantage of Microsoft Office VBA macros to embed ransomware code within Word documents, according to KnowBe4. This particular flavor, Locky ransomware, immediately drops into temporary folders, locks the data, and issues its ransom demand.
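A triage check for the macro-carrying documents described above, added here as an example that is not part of the original post or of CimTrak: it reports whether an Office file carries a VBA project, handling both the OOXML zip container (a `vbaProject.bin` part and its declared content type) and the legacy OLE2 container (a heuristic scan for the UTF-16LE directory entry names, not a full OLE parse). The sample documents are constructed minimal containers, not real Word files.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"             # legacy .doc/.xls container header
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"  # declared in [Content_Types].xml

def triage_office(blob: bytes) -> dict:
    """Report VBA indicators for an Office file supplied as bytes (OOXML zip or OLE2)."""
    result = {"format": "unknown", "indicators": []}
    if blob.startswith(b"PK"):
        result["format"] = "ooxml"
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            names = z.namelist()
            # A macro-enabled document carries a vbaProject.bin part and declares its content type.
            result["indicators"] += [f"part {n}" for n in names if n.lower().endswith("vbaproject.bin")]
            if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in z.read("[Content_Types].xml"):
                result["indicators"].append("content type declares vbaProject")
    elif blob.startswith(OLE_MAGIC):
        result["format"] = "ole2"
        # Legacy .doc: directory entry names are UTF-16LE; a VBA storage and a _VBA_PROJECT
        # stream exist only when macros are present (string scan heuristic, not a full OLE parse).
        for name in ("_VBA_PROJECT", "VBA"):
            if name.encode("utf-16-le") in blob:
                result["indicators"].append(f"OLE directory entry {name}")
    result["has_vba"] = bool(result["indicators"])
    return result

def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML container (not a real Word document) for the demo."""
    main = (b'<Override PartName="/word/document.xml" ContentType="application/'
            b'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    vba = b'<Override PartName="/word/vbaProject.bin" ContentType="' + VBA_CONTENT_TYPE + b'"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b"<Types>" + main + (vba if with_macros else b"") + b"</Types>")
        z.writestr("word/document.xml", b"<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\0" * 24)  # real part is an OLE2 blob
    return buf.getvalue()

if __name__ == "__main__":
    for label, blob in (("macro-free", build_sample(False)), ("macro-enabled", build_sample(True))):
        print(label, triage_office(blob))
```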
6. Image Files
Malware can hide in plain sight in the form of an image file. Threat actors commonly embed malicious executable code into an image as an overlay. While it's similar to the concept of adware, bad actors can also infiltrate a website and inject overlays into images other than ads. In this case, it's also common to unknowingly download an image infected with malware through search engines.
Protecting Your Organization Against the Sneakiest Malware and Ransomware
Over the past two decades, organizations have protected themselves by utilizing endpoint security/protection or anti-virus technologies that use denylisting capabilities. This approach has proven reactive and ineffective as it cannot identify or prevent 550k of the 1 million variations of malware released daily.
So what’s the alternative? The alternative is to address the problem, not the symptom. The symptom has always been the primary focus: business disruption through security attacks or breaches, answered by implementing an Incident Response Plan (IRP), a Disaster Recovery Plan (DRP), and a Business Continuity Plan (BCP) to revert to the state of operation before the infection. While this has its benefits, these traditional solutions rely on a backup and reprovisioning process that can take hours or days to complete, and even then, data and transactions can and will be lost.
Addressing the Problem
Assuming there is virtually no way to prevent 100% of Stage 1 intrusions, the solution lies in Stage 2.
Today's security landscape demands smarter, more efficient solutions that monitor all aspects of your files beyond signatures and surface appearances. With the help of CimTrak, security personnel gain the ability to see malicious changes to Windows Registry keys, critical system file contents, and the other key hiding places the moment they occur. Not only can you achieve total oversight and control, but you can also fully remediate changes from the administrative console. This can be done manually or automatically, rolling back to the last known and trusted baseline of operation; CimTrak's detection and response measures act in seconds.
To learn more about CimTrak's advanced protection against all forms of malware and ransomware, download our report, Defending Against Ransomware with System Integrity Assurance, today.
Tags: Cybersecurity
January 30, 2025