Ransomware attacks surged 41% globally in recent months, with three groups dominating the threat landscape: Qilin, Akira, and Play. What makes these variants particularly dangerous is their destructive power and their sophisticated ability to corrupt data while flying under the radar of traditional security tools.
These ransomware-as-a-service (RaaS) operations have mastered the art of evasion, employing tactics specifically designed to avoid triggering security alarms during the most critical phase of an attack: data corruption.
Active since 2022, Qilin has become notorious for its chameleon-like adaptability. This cross-platform threat targets Windows and Linux/ESXi environments through phishing campaigns, exposed RDP services, VPN vulnerabilities, and even supply chain compromises.
What sets Qilin apart is its customizable nature. Each payload is tailored to each victim, with unique file extensions, ransom notes, and encryption modes, making signature-based detection nearly impossible. The group employs intermittent encryption, only encrypting select portions of files rather than entire datasets. This approach dramatically reduces the sudden, large-scale changes that typically alert security systems.
Their technical sophistication extends further: Qilin uses reflective DLL injection to run entirely in memory, leaving minimal disk traces. The malware actively terminates security processes, wipes Windows Event logs, deletes volume shadow copies, and removes itself after execution, systematically erasing evidence of its presence.
Appearing in 2023, Akira has rapidly become one of the most prolific ransomware families, targeting enterprises, universities, and critical services across multiple platforms. The group favors VPN vulnerabilities in Cisco, SonicWall, and Fortinet devices, combined with stolen credentials and phishing attacks.
Akira’s defining characteristic is its partial encryption strategy. Using command-line flags, attackers control what percentage of each file gets encrypted—just enough to render data unusable while avoiding the dramatic system changes that trigger alerts. Their hybrid encryption model, combining ChaCha20 and RSA, delivers blazing speed, compressing the window for detection and response.
The group also excels at “living off the land,” leveraging legitimate tools such as PowerShell, Rclone, and WinSCP for lateral movement and data exfiltration. By weaponizing trusted applications, Akira blends malicious activity with normal system operations. Before encryption begins, the malware systematically kills security processes and deletes backup mechanisms, leaving victims defenseless.
Operating globally since 2022, Play ransomware has targeted government agencies, financial institutions, and manufacturing giants across the US, Europe, and Latin America. Their attack vectors range from MSP compromises that enable downstream attacks to exploiting vulnerabilities in RDP, Microsoft Exchange, and Fortinet systems, including zero-day exploits.
Play’s signature evasion technique is block-level intermittent encryption, encrypting selective segments (for example, every other 0x100000 bytes) rather than entire files. This dramatically reduces the footprint of file modifications, making detection extremely difficult. Each attack uses a uniquely recompiled binary with different hash signatures, defeating signature-based security tools.
The group deliberately avoids encrypting system files, preventing crashes that would immediately alert users or trigger automated responses. Data is compressed and segmented for exfiltration before encryption, and ransom notes are strategically placed in obscure locations, thereby delaying discovery until maximum damage is done.
Despite their differences, all three groups share a unified strategy:
Traditional security tools struggle because they’re designed to catch obvious, large-scale anomalies. These variants succeed precisely because they’ve learned to stay beneath those detection thresholds.
The reality is stark: it’s not if your organization will be targeted, but when. Network perimeter defenses, while essential, cannot guarantee prevention. What organizations need is the ability to detect data corruption the moment it begins, regardless of how stealthy the attack.
CyberSense addresses this challenge by continuously monitoring data integrity across critical files and databases. Rather than relying on behavioral patterns or signatures that sophisticated ransomware is designed to evade, CyberSense monitors the actual integrity of your data itself.
When Qilin’s intermittent encryption begins corrupting files, when Akira’s partial encryption modifies even small percentages of data, or when Play’s block-level encryption starts its selective destruction, CyberSense detects these changes in real time. The CyberSense Research Lab has confirmed CyberSense’s ability to identify attacks from all three variants, as well as thousands of other ransomware families.
This early detection capability is critical. The faster you identify data corruption, the smaller the blast radius, the faster the recovery, and the lower the overall impact. CyberSense provides the confidence that even when sophisticated attackers breach your perimeter defenses, you’ll know when they touch your critical data, giving you the precious time needed to respond, isolate, and recover.
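The post describes two things that a defender can check in code: intermittent or partial encryption touches only a fraction of each file (so alerting on the volume of modified bytes misses it), and data-integrity monitoring catches it anyway because the blocks that do change look nothing like the data that was there before. The following is an added example written for this page; it is not CyberSense code and makes no claim about how CyberSense works internally. It fingerprints a known-good copy of a file block by block (SHA-256 plus Shannon entropy per block), compares the current copy against it, and flags changed blocks whose entropy has jumped to ciphertext-like levels. The block size, entropy threshold, sample document and the "every n-th block replaced with random bytes" test fixture are all assumptions constructed for the demonstration; the fixture performs no encryption, it only reproduces the footprint the post describes.

```python
"""Block-level data-integrity check for spotting partial (intermittent) encryption.

Added example, not CyberSense code. Sample document and corruption fixture are
constructed inline so the script runs offline.
"""
import hashlib
import math
import random
from collections import Counter

BLOCK_SIZE = 4096          # assumption: comparison granularity in bytes
ENTROPY_THRESHOLD = 7.0    # bits/byte; random/ciphertext ~7.9+, text/logs ~4-5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


def fingerprint(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Per-block (sha256 hex, entropy) pairs; store this for the known-good copy."""
    return [(hashlib.sha256(b).hexdigest(), shannon_entropy(b))
            for b in split_blocks(data, block_size)]


def compare(baseline: bytes, current: bytes, block_size: int = BLOCK_SIZE,
            threshold: float = ENTROPY_THRESHOLD) -> dict:
    """Compare current content against the baseline fingerprint block by block.

    A changed block is 'suspicious' when its entropy rose from below the
    threshold to at or above it: that is the signature of plaintext being
    replaced by ciphertext. Ordinary edits change the hash but keep entropy
    near the baseline, so they are reported as changed but not suspicious.
    """
    base, cur = fingerprint(baseline, block_size), fingerprint(current, block_size)
    total = max(len(base), len(cur))
    changed, suspicious = [], []
    for i in range(total):
        b = base[i] if i < len(base) else None
        c = cur[i] if i < len(cur) else None
        if b is None or c is None or b[0] != c[0]:
            changed.append(i)
            if c is not None and c[1] >= threshold and (b is None or b[1] < threshold):
                suspicious.append(i)
    if suspicious:
        verdict = "possible partial encryption"
    elif changed:
        verdict = "benign change"
    else:
        verdict = "unchanged"
    return {"blocks": total, "changed": changed, "suspicious": suspicious,
            "changed_ratio": len(changed) / total if total else 0.0,
            "verdict": verdict}


# ---- constructed sample data (not real files) --------------------------------

def make_sample_document(blocks: int = 16, block_size: int = BLOCK_SIZE) -> bytes:
    """Constructed low-entropy 'document': a repeated 64-byte report line."""
    line = b"Quarterly inventory report: item count verified against ledger.\n"
    size = blocks * block_size
    return (line * (size // len(line) + 1))[:size]


def simulate_intermittent_corruption(data: bytes, every_n: int = 4,
                                     block_size: int = BLOCK_SIZE, seed: int = 7) -> bytes:
    """Test fixture only: overwrite every n-th block with seeded random bytes to
    mimic the block-level footprint described in the post. No encryption occurs."""
    rng = random.Random(seed)
    blocks = split_blocks(data, block_size)
    for i in range(0, len(blocks), every_n):
        blocks[i] = bytes(rng.randrange(256) for _ in range(len(blocks[i])))
    return b"".join(blocks)


def simulate_benign_edit(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Test fixture only: a normal edit (one word changed) inside block 2."""
    blocks = split_blocks(data, block_size)
    blocks[2] = blocks[2].replace(b"verified", b"VERIFIED", 1)
    return b"".join(blocks)


if __name__ == "__main__":
    doc = make_sample_document()
    for label, cur in (("intermittent corruption", simulate_intermittent_corruption(doc)),
                       ("benign edit", simulate_benign_edit(doc))):
        r = compare(doc, cur)
        print(f"{label}: {r['verdict']}; changed {len(r['changed'])}/{r['blocks']} blocks "
              f"({r['changed_ratio']:.0%}), suspicious blocks {r['suspicious']}")
```

Run as a script to see the two cases side by side. With the constructed inputs only a quarter of the blocks change under the corruption fixture, which is the kind of modest change volume a "too many bytes modified" rule is likely to wave through; the per-block entropy jump on exactly those blocks is what separates it from the benign edit, which changes one block and stays low-entropy. Two caveats apply to any deployment of this idea: the baseline must come from a copy the attacker could not have altered (an immutable or air-gapped snapshot), and files that are already high-entropy at rest (compressed archives, images, encrypted databases) will not show an entropy rise, so the check above deliberately reports them as changed rather than suspicious and a different signal (hash churn rate, magic-byte or format validation) is needed for them.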
As ransomware groups continually evolve in their evasion techniques, monitoring data integrity is much more than an additional layer of defense. It’s becoming the essential last line of protection.