Security analysts have calculated that over 90% of all internet traffic is now encrypted. While data encryption is essential for privacy and confidentiality, it does create dangerous blind spots in security due to malicious activity such as encrypted malware.
Antivirus suites and firewall systems monitor potential threats, though they cannot easily detect malware lurking inside encrypted files or within encrypted data flows.
This article delves into the detail of encrypted malware, discusses how it works, and outlines the steps you can put in place to defend against it.
What Is Malware?
Malware is software that runs malicious code and is often spread by a phishing scam. A hacker will send a flood of emails with malicious links or attachments. If the recipient clicks on the link or attachment, a malware file downloads to their device, thus beginning the attack.
An increasingly common type of malware payload you may have heard of is ransomware. Ransomware infects a target device and then encrypts all of the data on that device; cybercriminals can then demand payment in exchange for decrypting the data.
What Is Encrypted Malware?
As the name suggests, encrypted malware is much the same as standard malware but incorporates encryption technology to allow it to hide in plain sight and further boost its effectiveness.
The malware payload (such as ransomware or scareware) may also be encrypted, making it harder for antivirus software and intrusion prevention systems to detect.
How Is Malware Encrypted?
As we know, SSL encryption is crucial for any website or application that contains sensitive information such as credit card numbers and passwords. SSL certificates are a powerful defence tactic against malicious agents trying to eavesdrop on a user’s internet activity.
Unfortunately, hackers can use encryption, too. They utilise SSL/HTTPS to hide their malware. Encrypting malware can often allow it to slip past traffic intrusion prevention sensors undetected. Free and low-cost HTTPS certificate providers make it easier for hackers to encrypt their malware.
How Encrypted Malware Works
It’s estimated that over 70% of malware uses encryption to disguise itself as it traverses the internet and lurks inside emails. By encrypting malicious end-to-end communications and payload, encrypted malware has become increasingly difficult to stop.
Cybercriminals know that organisations face obstacles when decrypting and inspecting traffic, and they use these blind spots to their advantage. Hackers who deploy encrypted malware take advantage of encryption and use it to bypass outdated inspection devices.
Is Encrypted Malware Harder to Defend Against?
By design, cryptography scrambles the user data, code, or application so hackers using packet sniffers cannot intercept, read, and steal that data. While that’s what protects legitimate data as it travels through online networks, it can also shield malware from detection.
Malware creators are increasingly using encryption to protect their malicious operations. They apply it along multiple stages of the malware’s infection lifecycle. For example, encryption aids in the successful delivery of malicious code, and it conceals the command-and-control communication between the malware (such as a botnet) and its operator.
How to Detect Encrypted Malware
Network security incorporates many facets, from email monitoring to endpoint protection (EPP), to name just two. However, a critical aspect of protecting your networks, including sensitive data, applications, and systems, involves dedicating resources to defend against encrypted malware.
IT security administrators and their tools must gain better visibility into encrypted traffic that moves across the network. Security providers have developed techniques to detect malware in encrypted traffic to enhance visibility.
One protection method involves the Man-in-the-Middle (MITM) technique, usually used by cybercriminals to steal data, but this time the method is used to detect encrypted malware.
Your IT security team can place inline proxy servers to terminate/decrypt the SSL/TLS sessions. The now unencrypted traffic can then be scanned by NGAV software for potential malware, and the proxy re-encrypts and sends the traffic on to its destination (e.g. an email server).
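The decrypt, scan and re-encrypt step described above can be modelled in a few lines. This is an added example, not code from the original article or any vendor product: the toy stream cipher stands in for the SSL/TLS session, and the signature string, keys and sample messages are constructed assumptions.

```python
import hashlib
import math
from collections import Counter

# Constructed, harmless marker standing in for an antivirus signature.
SIGNATURE = b"CONSTRUCTED-TEST-SIGNATURE"


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); a stand-in for the TLS
    session cipher, not real TLS and not for production use."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        chunk = data[block:block + 32]
        out.extend(b ^ p for b, p in zip(chunk, pad))
    return bytes(out)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (close to 8.0 looks random)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def signature_scan(data: bytes) -> bool:
    """Stand-in for the NGAV content scan: plain byte-pattern match."""
    return SIGNATURE in data


def inspect_and_forward(client_key: bytes, server_key: bytes, wire: bytes):
    """Inspection proxy step: decrypt, scan, then re-encrypt or block.
    Returns (verdict, bytes_forwarded)."""
    plaintext = keystream_xor(client_key, wire)  # terminate the session
    if signature_scan(plaintext):
        return "blocked", b""
    return "forwarded", keystream_xor(server_key, plaintext)  # re-encrypt


# Constructed sample messages (not real traffic).
CLEAN = b"Subject: invoice\r\n\r\n" + b"Please find the report attached. " * 20
BAD = CLEAN + SIGNATURE
CLIENT_KEY, SERVER_KEY = b"client-side-session", b"server-side-session"
```

A sensor that cannot decrypt sees only the high-entropy ciphertext, on which the signature match fails; the same scan succeeds once the proxy has terminated the session.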
How to Defend Against Encrypted Malware
Everyone who accesses corporate network resources must do their part to protect them. Even though your company has IT security tools and processes in place, encrypted malware can bypass some security measures, arriving as a phishing or other social engineering scam on the individual user’s device.
The following are best practices for users and administrators alike:
Ensure that your organisation’s intrusion prevention systems and firewalls are configured correctly and running the latest code. Hackers spot vulnerabilities in your system and exploit them. So, be sure that your protection systems are up to date and optimised for maximum protection.
Furthermore, ensure that you use deep packet inspection and SSL inspection to identify and block threats through encrypted web traffic.
When purchasing antivirus tools, ensure the vendor is credible and has a successful track record. They are responsible for keeping their systems and software current.
Be sure to have a documented, scheduled backup system that includes offline and secure cloud backups. Backups can be what saves an organisation from an otherwise devastating ransomware attack.
Cloud backups ensure that local physical servers are not affected by a malware attack, but such offline cloud storage can still be impacted by a ransomware attack.
Don’t forget to read our in-depth article discussing our immutable backup and air-gap technology service that blocks ransomware from encrypting your local or cloud backups.
– Individual Users
When online, verify that the website or portal you are accessing is legitimate whenever you provide login credentials or personal information. Type the URL in yourself rather than clicking a link from an email or text message. The same applies when you’re performing financial transactions online.
Use a robust password manager application to protect you from DNS spoofing, which uses phoney URLs that appear legitimate. A password manager cross-references URLs, which weeds out any spoofed websites.
If you have the option, connect to your network through a Virtual Private Network (VPN). VPNs are subscription-based, and your company likely has one available. VPNs are also available for personal use.
Main Threat of Encrypted Malware
Because encrypted malware can infiltrate devices and networks, the greatest threat it poses is data theft, encryption, or destruction. Whether data is stolen or destroyed, your entire organisation is compromised. The company takes an immediate financial hit because business processes halt as IT teams work to restore systems.
Recovery comes with other heavy costs, including disposal and replacement of affected devices. Network security systems must be updated, modified, or replaced altogether.
Hackers might have accessed bank accounts and stolen funds if financial information was compromised. The resulting damage to your organisation’s finances and reputation can be catastrophic.
The benefits of encryption technologies certainly outweigh the potential downsides of the encrypted malware threat, but this threat must not be ignored.
Sadly, the same encryption technology that protects your data as it travels over the internet can also conceal malware as it crosses the same path to your network.
As millions of malware attacks are sent through encrypted SSL/TLS traffic each year, such encrypted attacks are becoming harder to spot; thus, using next-generation antivirus (NGAV) and endpoint protection (EPP) is the way forward.