Researchers Explain How Ransomware Can Bypass Security Checks

  • 1
  • 1

Ransomware attacks have long been a menace for internet users, particularly, the business sector. Despite implementing adequate security practices, various businesses and organizations frequently become a victim of ransomware attacks. Recently, researchers have highlighted how most ransomware can bypass security checks.

Common Ransomware Tactics To Bypass Security

Researchers from SophosLabs have recently published a detailed whitepaper highlighting how most ransomware bypass security measures. They analyzed numerous ransomware variants infamous for their devastating attacks and found numerous tactics that essentially help the ransomware.

Sophos analysis of how ransomware bypass security checks
Source: SophosLabs

Here is a quick review of the techniques SophosLabs have highlighted in their research.

Code Signing

A risky, yet viable approach most ransomware apply to bluff security programs is code signing. The attackers sign malicious codes with legit authentication certificates. Thus, they evade all checks from the security tools for unsigned codes.

Privilege Escalation And Lateral Movement

Numerous ransomware exploit various vulnerabilities to bypass restricted accesses. They gain elevated privileges by abusing stolen credentials.

Following privilege escalation, the attackers then disable the defense mechanism of the target device and install a RAT to laterally spread within the system. For instance, they take over the Remote Desktop Protocol (RDP) and destroy any backups to leave no recovery options for the victim.

Network First

Ransomware attacks on businesses often employ the ‘network first’ approach. Since most organizations store business documents across multiple servers connected on a network, the ransomware tends to encrypt the network drives first. This strategy effectively targets the employees, both in-house and remote, of the victim firm, making them unable to work.


Most modern CPUs possess Simultaneous Multithreading (SMT) or Hyper-Threading (HT) technology for better performance. Hence, the attackers also design the ransomware in way to exploit this technology for subsequent faster and more devastating damage to the victim.

File Renaming And Encryption

Ransomware endows damages to the victim by encrypting the files while copying or overwriting them. It then renames the file names to let the user visualize the encrypted, and hijacked data. Whereas, this mechanism also helps the ransomware detect already encrypted files to avoid double encryption. Moreover, this also prevents encryption in case of another ransomware attack.

They have also analyzed some other techniques including change of wallpaper, encryption by proxy, etc.

With this analysis, the researchers believe that IT professionals might get an insight into common tactics by ransomware to design adequate countermeasures.

Let us know your thoughts in the comments.


Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

Do NOT follow this link or you will be banned from the site!