If you have been around long enough to keep up with ransomware approaches and the variants used to attack organizations, you will have seen how they have evolved. Bad actors began their journey with simple ransomware variants. This is the equivalent of ancient Romans lobbing cannon balls over the fortress wall, hoping to inflict massive damage in the battle.
Today these warriors are leveraging stealth fighters and nuclear grenades, inflicting damage that results in massive financial losses and reputational harm across the globe.
The goal of bad actors is to make money.
Not a few thousand dollars but millions. They are in it for the prize that makes them wealthy individuals, protected by countries that have no interest in stopping them. In fact, some may say their countries support them and leverage them for political gain.
With the goal of wreaking havoc and making money, bad actors have become far more sophisticated in their attacks. Their arsenal consists of ransomware variants that have evolved. In the past a simple variant, such as Xorist or TimeTime, was executed randomly in the data center, corrupting random content that may or may not have forced a company to pay a ransom. Organizations recognized this threat and started to implement defensive tools that would prevent an attack and, failing that, recover using their existing disaster recovery and backup solutions.
As the arms race escalated and the bad actors started to make money, and more importantly embraced new technology, they moved from simple variants to more advanced and sophisticated approaches.
This is where shadow encryption entered the arms race.
Shadow encryption was introduced in July 2021 when the ransomware gang Conti allegedly introduced LockFile. The LockFile ransomware variant used intermittent encryption to encrypt every 16 bytes of a file, leaving the rest unimpacted. This was specifically designed to evade detection by tools that look for obvious signs of encryption, such as an unusual change in data compression rates.
Intermittent encryption changed the game because it was a challenge to detect. Data corrupted by LockFile did not generate the "signals" that most tools could detect and alert on. However, the bad actors didn't stop there. They continued to use technology to improve and advance their arsenals, and data encryption is a common approach across the variants in them. With intermittent encryption as just the start, LockFile became one of the most prominent crime families in the ransomware game. Many took notice, continued to embrace shadow encryption and took it to the next level.
Around the same time that LockFile launched, the Chaos ransomware variant was introduced. This variant took shadow encryption to the next level and used another form of it based on Base64 encoding. Base64 encoding helps conceal the true nature of ransomware corruption: by converting binary data into an ASCII string format, it makes the malicious code less recognizable to security tools, so it easily goes undetected. This approach deepened the bad actors' shadow encryption strategies and generated great success in impacting organizations and forcing them to pay ransoms.
Shadow encryption has evolved significantly to include approaches that are nearly impossible to detect.
Beyond intermittent encryption, bad actors have embraced further approaches that avoid detection. These include encrypting files in memory rather than on disk, deploying multiple encryption algorithms in layers to complicate decryption efforts and evade detection, and encoding the payload with schemes such as Base64 to obfuscate it and bypass security filters.
Organizations need to up their game, use AI, and get smarter against shadow encryption. The rise of shadow encryption represents a significant threat in the evolving landscape of ransomware attacks. As cybercriminals increasingly adopt sophisticated ransomware variants and behaviors, traditional data protection and storage-based detection strategies struggle to keep pace. This evolution not only complicates detection but also amplifies the potential for data loss, high recovery costs, financial penalties and reputational damage to organizations.
To combat the growing shadow encryption trend, it is imperative for businesses to enhance their defenses by leveraging advanced technologies, including AI-driven solutions. There are few technologies that can detect it. In fact, there is currently only one.
To get an inside look at our AI, read this paper from ESG. To add CyberSense to your Cyber Resilience strategy, contact us.
About the Author
Jim McGann is VP, Strategic Partnerships, at Index Engines.