Malware and Ransomware Gangs Use TLS to Cover Their Tracks
Malware Communications Can Take Advantage of TLS Encryption to Avoid Detection by Defenders.
Since websites and apps are widely adopting TLS (Transport Layer Security) and communicate over HTTPS connections, unencrypted traffic draws even more attention, as it’s easier for cyber analysts and security tools to identify malicious communication patterns.
Unfortunately, threat actors are also aware of this, and they’ve made it a priority to adopt TLS and conceal the contents of malicious communication.
According to a report published by Sophos, last year 24% of malware was using TLS to communicate. However, today that proportion has risen to 46%.
Over the past decade, and particularly in the wake of revelations about mass Internet surveillance, the use of TLS has grown to cover a majority of Internet communications. According to browser data from Google, the use of HTTPS has grown from just over 40 percent of all web page visits in 2014 to 98 percent in March of 2021.
It should come as no surprise, then, that malware operators have also been adopting TLS for essentially the same reasons: to prevent defenders from detecting and stopping deployment of malware and theft of data.
It’s easier to find signs of malicious activity in unencrypted traffic since recent releases of malware tend to communicate more frequently with their operators, and when that happens, increasingly larger volumes of profiling information about the target machine and network are sent back to those operators. After identifying the victim, malware increasingly communicates with its operator(s) in order to perform network reconnaissance and to send the collected information to its control server.
According to Sophos, a large portion of the Transport Layer Security usage growth can be linked in part to the increased use of legitimate web and cloud services protected by TLS as unwitting storage for malware components, as destinations for stolen data, or even to send commands to botnets and other forms of malware.
Heimdal® Threat Prevention - Network
- No need to deploy it on your endpoints;
- Protects any entry point into the organization, including BYODs;
- Stops even hidden threats using AI and your network traffic log;
- Complete DNS, HTTP and HTTPs protection, HIPS and HIDS;
Additionally, over the past year, researchers have seen a growth in the use of TLS in ransomware attacks, especially in manually-deployed ransomware, mainly due to attackers’ use of modular offensive tools that take advantage of HTTPS.
The vast majority of what we detect day-to-day in malicious TLS traffic is from initial-compromise malware: loaders, droppers and document-based installers reaching back to secured web pages to retrieve their installation packages.
However, since ransomware is less reliant on stealthy communication once it has done the damage, the adoption rate of TLS by ransomware is much lower than the average across all malware families.
The best way to protect your organization from the devastating effects of ransomware and malware attacks is to prevent them from entering your system in the first place.
We at Heimdal™ Security promise to deliver the industry’s best threat prevention tools which identify and stop even the most advanced known and potential threats including malware and ransomware.
A good antivirus is essential for the cybersecurity of any company, but not enough. To be fully protected, we recommend you choose Heimdal™ Next-gen Endpoint Antivirus, a powerful tool that can offer DNS filtering, real-time scanning, traffic-based malware blocking, and multi-layered AI-powered protection. You can also consider our Endpoint Prevention, Detection and Response (EPDR) platform – a multi-layered security suite that brings together threat hunting, prevention, and mitigation in one package, for the best endpoint protection.