Innovation in Crimeware – Are You Keeping Up?

It seems like every week, a new variant of ransomware is discovered in the wild. Some statistics state that ransomware changes every 30 days, with major versions coming out at least once a year. Ransomware programmers are consistently trying to improve their product to avoid detection by common tools, and the new Trickbot version is built with this in mind. ZDNet reported that Trickbot is now using a new infection module which runs completely in memory and encrypts the data while it is being downloaded. (See Here) This thwarts many deep packet inspection tools, and running entirely in memory is another way to avoid detection. A couple of weeks ago I posted about another ransomware that creates a VM inside a VM to avoid detection. The crimeware is trying to improve; how are you doing in your cyber defenses?

This raises a few questions that defensive cybersecurity practitioners should be aware of: how well do your tools do their job? Are you detecting what you need to detect to keep your enterprise secure? Malwarebytes, in their annual report, shows that ransomware detections are down (See Here), but this trend was mostly because some of the older ransomware families have faded away and are being replaced by newer variants. There is also an increase in ransomware attacks against businesses, as the criminal enterprises are starting to focus on a slightly higher payout than the end users at home. 2020 will probably see that number reverse, though, because of the increase in working from home due to COVID. So I ask the question again: is your intrusion detection software doing its job? I had a long talk with some of the people at Mandiant, and they spoke with me about their acquisition of Verodin and what that brought into their suite of tools. They now have the ability to verify whether tools are in fact working to detect the threats they were designed for. I have seen varying statistics on how reliable custom-written detection tools are, but it would be great to verify whether the tool was doing its job before deploying it; otherwise you may be missing an attack in your midst.