
Why Ransomware Now Hides in your Systems for Months

Gregg Mearing

Chief Technology Officer at Node4

Cybersecurity maturity underpins a digitally transformed business. But many decision makers have shared with Node4 that increasing ransomware attempts pose a major challenge to digital transformation.  

These leaders are acutely aware that robust cybersecurity defence is imperative, but they’re battling to keep up with new ransomware strains and evolving attack techniques.  

And one of these techniques in particular is cause for considerable worry and is set to define the attack landscape in the year ahead: ransomware that sits hidden within networks, undetected by typical perimeter security software for days, weeks and now months. Some of the most common hiding places are:

  • Critical system files, which can now be encrypted without leaving signature traces
  • The Windows registry, on Microsoft systems
  • Temporary folders and files, which are notoriously weakly secured
  • Shortcut .lnk files, often generated by end users
  • Word and Excel files (encrypted Microsoft Office files increased significantly in 2020)

Threat actors lie dormant (the period is referred to as dwell time) and strategically plan an attack launch date to cause maximum damage. Although this practice isn’t new, our experts are finding that the dwell times being charted recently are moving from days (the average this time last year was 11) to months. This method of deploying ransomware gives attackers more time to identify lucrative data, including backups which, if encrypted, can severely impact recovery time, making it a mission-critical threat.

Because attackers are present inside systems for so long, encrypting or wiping backup after backup, an organisation may be forced to go back months to find a usable system restore point. In a fast-moving, high data generation world, it is unlikely that a months (or weeks) old backup will bear any resemblance to the business position at the point of ransomware launch.

 

Why are ransomware dwell times getting longer, and why should you be on high alert?

1. “Quiet” attacks are more likely to bypass cybersecurity defences  

Think about a typical ransomware attack on a well-defended business. The moment malware is launched, a fleet of cybersecurity mechanisms jumps into action before extended downtime and irreparable harm occurs. That fast detection and defusing means less opportunity for cybercriminals to fully deploy an attack and benefit financially.

To outsmart increasingly intelligent monitoring, detection and response tools, threat actors must make less noise and stay incognito. Sneaking into systems and files slowly and gradually is less likely to set off alarm bells, which leads us to our next point…

2. Criminals buy time for other high-value malicious activities  

Monitoring tools usually only identify ransomware once an attack is launched. But if malware hides in a network for an extended period, threat actors can undertake other high-value activities, such as lateral movement across the network and reconnaissance to identify the sharpest pain point for exploitation further down the line.

It’s not just passive activity, either. Cybercriminals typically engage in credential dumping, data theft and data and application wipes, in addition to covert penetration testing of your environment.

3. Hidden ransomware is associated with maximum returns

With knowledge and data in their back pocket, cybercriminals can deploy a ransomware attack that causes the most possible pain and desperation, and so promises a more lucrative ransom demand. And with sensitive data attracting a high price on the dark web, for many threat actors a ransom is simply a bonus achieved with scarcely any extra effort.

 

What can you do to mitigate the impact of hidden ransomware attacks? 

  • Backup storage immutability as part of a mitigation strategy. This offering in the anti-ransomware arsenal works by making the storage where backups are held unable to be modified by ransomware or any other method. Potentially therefore, criminals are prevented from encrypting backups during their attack, overcoming the threat of having no available recovery points.  
  • Monitoring solutions that look not just for suspicious network activity, but also for changes to file sizes across all file types and systems, since that is often where dwelling ransomware shows itself. Hidden ransomware is designed to evade typical monitoring strategies and tools, so we advise speaking to a cybersecurity specialist about implementing a bespoke strategy and stack of detection tools.
  • Intrusion detection systems that focus on internal movements, patterns and behaviours in addition to a Next Generation Firewall. Having a robust understanding of “what secure looks like” enables your business to respond more effectively, even to the slightest anomaly that could be a signal of hidden ransomware.  
  • Network segmentation that prevents lateral movement and minimises reconnaissance. Sneaking around to learn about your organisation’s weak spots is a key intention of hidden ransomware. Segmentation makes it as difficult as possible for your mission-critical functions and data to be harmed.
  • Multilayer security that is just as powerful at preventing as it is at responding. Cybersecurity experts now say that ransomware attacks are, unfortunately, inevitable. Avoiding single points of failure, running a tightly monitored backup and failover process and deploying the most advanced (ideally AI-driven) cybersecurity software you can is strongly advised.
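As an added illustration of the file-change monitoring bullet above, applied to the hiding places listed earlier, here is a small Python monitor (example code, not Node4's tooling): it baselines file sizes and hashes, then flags bulk modifications, new .lnk shortcuts and new files in temporary folders. The folder names, suffixes and sample directory tree are constructed for this example.

```python
import hashlib
import os
import tempfile
from pathlib import Path

TEMP_DIR_NAMES = {"temp", "tmp"}  # constructed: folder names treated as "temporary"

def snapshot(root):
    """Record (size, sha256) for every regular file under root, keyed by relative path."""
    state = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            data = path.read_bytes()
            state[path.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return state

def diff_snapshots(before, after, bulk_threshold=3):
    """Return findings: modified files, new .lnk shortcuts, new files in temp folders,
    and a bulk_change finding when more than bulk_threshold files changed at once."""
    findings = []
    changed = [p for p in before if p in after and before[p] != after[p]]
    for p in changed:
        findings.append(("modified", p, before[p][0], after[p][0]))  # old size, new size
    for p in sorted(after.keys() - before.keys()):
        folders = {part.lower() for part in Path(p).parts[:-1]}
        if Path(p).suffix.lower() == ".lnk":
            findings.append(("new_shortcut", p))
        elif folders & TEMP_DIR_NAMES:
            findings.append(("new_in_temp", p))
    if len(changed) > bulk_threshold:
        findings.append(("bulk_change", len(changed)))
    return findings

def demo():
    """Constructed sample: four documents and a text file, then the kind of change the post describes."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "docs").mkdir()
        (r / "Temp").mkdir()
        for i in range(4):
            (r / "docs" / f"report{i}.docx").write_bytes(b"quarterly report %d" % i)
        (r / "docs" / "notes.txt").write_bytes(b"plain notes")
        before = snapshot(root)
        # Simulated dwell activity (constructed): documents rewritten, shortcut and staging file dropped in Temp
        for i in range(4):
            (r / "docs" / f"report{i}.docx").write_bytes(os.urandom(64))
        (r / "Temp" / "update.lnk").write_bytes(b"constructed shortcut")
        (r / "Temp" / "stage.bin").write_bytes(b"x" * 10)
        return diff_snapshots(before, snapshot(root))
```

In practice the baseline would be taken on a schedule and compared against a trusted earlier snapshot, with the findings forwarded to the SOC rather than returned to the caller.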

 

Concerned about your security posture? Spending more time keeping up with the latest security solutions than you are developing your business? Speak to Node4 about our Security as a Service solution to defend your business from advanced cyberthreats.

Our cloud-based solution proactively monitors networks, systems, and applications 24/7, delivered from our Security Operations Centre (SOC). Read more here.