In a recent analysis of the WastedLocker ransomware, Sophos detailed some of the methods the ransomware family uses to evade typical behavioral detection. By now, nearly everyone is familiar with how ransomware operates. Once a victim is infected, data is potentially stolen, backups are deleted, and the ransomware goes to work encrypting files. During the encryption process, most ransomware opens and encrypts the files directly, and this is also how most security solutions that monitor for file events detect it. To get around this, WastedLocker maps files into memory before encrypting them. Windows’ Memory Manager keeps track of the memory being modified and writes it all back to disk after enough modifications. Because of this, security solutions may see only a trusted system process performing the write-back and ignore the encrypted files being written to the disk.
Malware authors are constantly looking for new ways to avoid detection, but much of it can be stopped at an early stage. Unpatched servers with vulnerabilities in services that listen for connections from the Internet are frequently used by threat actors to gain access to organizations, so keeping servers up to date with security updates is critical. Phishing is one of the most common vectors of infection; educating employees on phishing and security awareness can go a long way in preventing all types of malware infections. Remote Desktop Protocol (RDP) is another common attack vector in ransomware infections. Administrators should avoid exposing RDP to the Internet whenever possible. If remote access is needed, it should at least be protected by a corporate VPN or multi-factor authentication.