What is Crypting and How Does It Work?

Ransomware attacks against enterprise targets are becoming increasingly common, with more than 230 million such attacks reported in the first half of 2022. But as organizations continue to shore up their defenses against ransomware and other kinds of cyber attacks, cybercriminals are deploying new tools and strategies to prevent targets from detecting the malicious programs used to penetrate enterprise networks.

In this week’s blog, we’re taking a closer look at just one of these tools: crypting. You’ll find out what crypting is, how it helps cybercriminals penetrate enterprise networks with malicious code, and how you can safeguard your organization against threat actors who use encryption to spread malicious code.

What is “crypting”?

Crypting is the practice of developing, purchasing, or using a specialized software program (sometimes known as a crypter) to encrypt, obfuscate, or modify a known malware program in order to evade signature detection by antivirus and other security programs.

As digital threat actors create or acquire malware applications and use them in cyber attacks, the developers of antivirus software investigate those applications and update their products so that new and emerging malware can be detected. Crypting lets digital adversaries modify the code of known malware programs to evade that detection, so that they can penetrate enterprise networks and damage critical systems or steal and ransom data.

What is malware?

The term “Malware” describes a software program, script, or a piece of malicious code used by digital adversaries to damage, infect, or compromise a targeted machine or network. Ransomware, computer viruses and trojans, worms, keyloggers, spyware, and rootkits are all examples of malware. Malware is a portmanteau of the words “malicious” and “software”.

How does crypting work?

Crypting allows digital adversaries to spread malicious code by first encrypting the code to evade antivirus detections. Here’s how the process works:

  1. Acquiring a Malware Program – The crypting process begins with a digital adversary acquiring a malicious software program that can be used to damage or infect a target network.
  2. Accessing a Crypter – Digital adversaries can access crypters by purchasing them in illicit marketplaces on the deep and dark web. Some adversaries with programming capabilities can build their own crypting software for encrypting malware.
  3. Encrypting the Malware – After gaining access to a crypter, the digital adversary uses it to encrypt or modify the malware, altering its signature and making it less likely to be detected by antivirus software. The encrypted code can then be reassembled into a working program to further mask its identity.
  4. Distributing the Encrypted Malware – A digital adversary armed with encrypted malware can begin taking steps to distribute the payload. The malware can be delivered via phishing emails, compromised websites, spammed messages on social media or business collaboration software, impersonation attacks, or spoofed domains.
  5. Penetrating the Target Network – When a target unknowingly downloads and executes the digital adversary’s encrypted malware, the malicious program will decrypt itself and begin the process of infecting the target network or machine.

What does a crypter do?

Crypters apply an obfuscation method to a malware file that changes its signature and reduces or eliminates the chance of detection by antivirus software. The resulting output is a seemingly harmless file known as a stub, which digital adversaries can distribute to unknowing victims.

In addition to hiding the malware code from antivirus scanners, crypters add a small amount of code that decrypts the malware when the file is opened. When an unknowing target opens the stub file, the malware is automatically decrypted and executed on the target’s machine.

What are the different types of crypters?

The crypters used by digital adversaries can be classified based on their functionality and the extent to which they allow malware files to evade antivirus detection.

The two main types of crypters are scantime crypters and runtime crypters.

The key difference between the two is when decryption happens: a scantime crypter decrypts the malware file on disk before it is executed, while a runtime crypter decrypts the malware program in memory while it is running.

When a scantime crypter is used, antivirus detection can only be evaded while the malware sits as an idle file on disk. A scantime crypter hides the malware from antivirus when the file is scanned, but because the file must be decrypted before execution, the malware can be detected by antivirus once it is running.

A runtime crypter is harder to catch, because it lets the malware evade antivirus detection even while the program runs. Instead of decrypting the malware file on disk before execution, a runtime crypter uses the Windows API to decrypt the malware and load it into memory as a separate process before it is executed on the target’s machine.

This allows the malware to run on the target machine while evading antivirus detection, and the malware may even be re-encrypted before the file is closed to avoid rousing suspicion. Digital adversaries aim to build runtime crypters that are fully undetectable (often abbreviated FUD), meaning that no antivirus product detects the malware.
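Whether a scantime or runtime crypter produced it, the stub that reaches disk still carries an encrypted payload, and encrypted bytes look statistically different from ordinary text or code. The check below is an added defender-side illustration, not code from the original post or from ZeroFox: it slides a window over a buffer and reports contiguous high-entropy spans. The sample buffers are constructed, and the window size, the 7.2 bits-per-byte threshold and the minimum span length are assumptions to be tuned, since compressed or legitimately encrypted files also score high.

```python
import math
import random
from collections import Counter

# Constructed samples: a text-like buffer, a seeded pseudo-random buffer standing in
# for an encrypted payload, and a "stub" that wraps the payload in ordinary-looking bytes.
PLAIN_SAMPLE = b"This is an ordinary configuration file. key=value\n" * 40
_rng = random.Random(0)
ENCRYPTED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(4096))
STUB_SAMPLE = PLAIN_SAMPLE[:1024] + ENCRYPTED_SAMPLE + PLAIN_SAMPLE[:512]

WINDOW = 1024      # bytes per window (assumed tuning value)
THRESHOLD = 7.2    # bits/byte; text and normal machine code sit well below this (assumed)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for an empty or single-valued buffer, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_regions(data: bytes, window: int = WINDOW, threshold: float = THRESHOLD):
    """Return (start, end) byte spans where consecutive windows all exceed the threshold."""
    regions, start = [], None
    for off in range(0, len(data), window):
        if shannon_entropy(data[off:off + window]) >= threshold:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def looks_crypted(data: bytes, min_region: int = 1024) -> bool:
    """Flag a buffer carrying at least one high-entropy span of min_region bytes or more."""
    return any(end - start >= min_region for start, end in high_entropy_regions(data))


if __name__ == "__main__":
    for name, buf in (("plain", PLAIN_SAMPLE), ("stub", STUB_SAMPLE)):
        print(name, round(shannon_entropy(buf), 2), high_entropy_regions(buf), looks_crypted(buf))
```

Windowed scoring matters: averaging entropy over the whole stub lets the surrounding plain bytes dilute the payload, while the per-window scan isolates the encrypted span at its byte offsets.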

Crypting vs. encryption: what’s the difference?

Data encryption is a process that transforms human-readable data into a seemingly random string of characters that can only be decoded by an authorized user with access to the correct cryptographic key. 

While encryption is often used by white-hat security experts to protect sensitive data against theft or misuse by malicious actors, those same actors can also use encryption techniques to conceal malicious software payloads or to encrypt the target’s own data as part of a ransomware attack.

Crypting specifically refers to the use of data encryption by digital adversaries to conceal malware against signature detection by antivirus software programs. 

How to safeguard data security against crypting attacks

An effectively crypted malware file simply cannot be detected by the antivirus software you trust to protect your network – so what options are left? Below, we highlight three strategies that you can use to help safeguard your enterprise data against crypting attacks.

Train staff members to recognize suspicious communications

Digital adversaries unleash malware attacks against enterprise organizations by targeting their executives and employees with malicious communications across multiple attack vectors. These typically include targeted phishing or spear phishing messages that leverage social engineering techniques and encourage the recipient to download a file attachment or visit an external website (often a spoofed domain) containing malware.

Cybersecurity awareness training can help staff members within your organization recognize malicious emails and take the correct actions to report them instead of falling victim to a malware attack.

Maintain strong email security policies

Organizations should maintain email security policies that explicitly discourage employees from opening unexpected email attachments, opening email attachments from unexpected sources, or clicking on links within email messages without being certain of the link’s safety. 

Anticipate and detect crypting attacks with digital threat intelligence

Digital threat intelligence is the continuous process of identifying and analyzing the behavior of digital adversaries and the threats they pose against your organization. A comprehensive approach to digital threat intelligence involves monitoring the public attack surface and the gray space (e.g. the surface, deep, and dark web, social media, email, business collaboration tools, etc.) at scale for indicators of a developing attack, often with the help of artificial intelligence (AI).

When a digital adversary is planning to launch a crypting attack, it is often possible to detect their preparation activities through digital threat intelligence, including:

  • setting up spoofed domains or fraudulent email accounts;
  • discussing plans for the attack on deep web hacker forums;
  • inquiring about malware and crypting tools from dark web vendors in illicit marketplaces.

Monitoring the gray space (democratized spaces where you and your customers interact, where threat actors may also engage) empowers enterprise SecOps teams to recognize the early indicators of a possible attack, anticipate digital threats, and deploy effective countermeasures before a successful attack takes place.

Protect your digital assets from crypting attacks with ZeroFox Digital Risk Protection

Encrypted malware attacks pose a significant risk to enterprise organizations. Not only are crypting attacks difficult or impossible to detect with traditional antivirus tools, the malware payloads they deliver can allow digital adversaries to take control over your network, damage critical systems, or steal sensitive data from your organization.

Digital threat intelligence gives enterprise SecOps teams a fighting chance against crypting attacks, empowering organizations to identify and disrupt attacker infrastructure before networks are penetrated and data is compromised.

ZeroFox provides your enterprise with protection, digital threat intelligence, and disruption to identify and dismantle digital threats to your organization, including encrypted malware threats, from across the public attack surface.