SE Labs

Special Edition
Computer security testing comment and analysis from SE LABS Ⓡ

Ransomware evolved – Persistent Ransomware Attack

A set of backups may no longer be enough

Ransomware infecting backup tape

A journalist asked us if we felt that ransomware attackers had evolved. But the truth of the matter is, there’s no need for them to do so judging by the large number of publicised cases in which they are able to achieve success without being too creative.

Barely a few days go by without some report of a ransomware attack (like these reports from the last 7 days). For those organisations not prepared to pay criminals to have their data decrypted the solution is obvious – wipe the disks and restore from backups. But that only works up to a point.

Weak security makes life easy for ransomware attackers

Non-targeted ransomware will float around the internet, being sent to random targets via links in emails and other vectors. These should be easier to stop than lightly customised versions uploaded to systems that have already been compromised by the attacker.

Ransomware attack
Ransomware can be a payload in a wider attack

If you think of ransomware as a payload, rather than an attack in its own right, then clearly defence systems aren’t up to the job, or aren’t being deployed correctly. Or at all.

For example, if someone gains access to your system they can do all sorts of damage or steal things. Part of that could be uploading some ransomware to make money directly from the attack. At that stage you’d hope that some sort of anti-malware product would kick in a thwart the bad guy.

So then the question is, what anti-virus (or similar) are these hospitals, schools and businesses using? If nothing, then the ransomware attackers don’t need to evolve, ever. If the latest next-gen EDR, then clearly they still don’t need to evolve much!

Backups are only as good as the data they hold

Currently, the “lucky” victims in ransomware attacks are the organised ones that don’t just have a good set of backups, but a procedure that restores them quickly, with minimum disruption to their core activities.

However, it’s all too apparent that these organisations are not in the majority. It’s not unusual to see businesses, very publicly, limp along for weeks afterwards trying to get everything running smoothly again.

Done correctly, backups are a ransomware attacker’s worst enemy. But that tactic is not going to last.

Ransomware evolved

If we were ransomware attackers (and not the good guys!) and wanted continued success in the long term, we might use a Persistent Ransomware Attack (PRA). We’d poison the backups over the long term before making demands.

The threat would sit quietly on systems slowly encrypting small numbers of files over a long period of time. These encrypted files will be absorbed into backups. After a period of months they would replace many of the good files that had been backed up.

As the system rotates backup tapes into service, or abandons old backup sets , the backup becomes corrupted. When the final demand for a ransom comes, the backups will no longer be a viable solution.

The real way to solve the problem is to fix the security issues that allowed the malware into the systems in the first place. That requires companies to take a hard look at the security technology they are using. They should patch all systems and, of course, test the network with relevant attacks to highlight any weaknesses.

Only once organisations stop making it so easy to deploy ransomware will we see attacks evolve.


SE Labs Ltd is a private, independently-owned and run testing company that assesses security products and services. The main laboratory is located in Wimbledon, South London. It has excellent local and international travel connections. The lab is open for prearranged client visits.


SE Labs Ltd
Hill Place House
55A High Street
SW19 5BA