Shadow encryption: a new chapter in ransomware’s evolution

04 June 2025

Jim McGann, CMO, Index Engines

Ransomware has come a long way from its early days. What began as opportunistic, scattershot infections has turned into a high-stakes game of cat and mouse. The latest tactic raising concern among security professionals is known as shadow encryption: a set of stealthy methods designed to evade traditional detection, so that by the time an organization notices, its only apparent way out is to pay a large ransom.

At the core of ransomware’s evolution is one unchanging motive: profit. Threat actors are in it for the money, and they are targeting million-dollar payouts. Many operate from regions where enforcement is lax or non-existent, in some cases with the tacit or direct support of a state.

Ransomware evolution

In the past, ransomware campaigns often relied on relatively simple malware. It executed in an obvious, indiscriminate way: encrypt everything, then demand payment. Older families such as Xorist or TimeTime were noisy. They rewrote whole files and left obviously high-entropy output behind, so their activity was easier to detect and organizations had a chance to recover through backup and disaster recovery systems.

As security tools improved, attackers adapted. With access to better technology and growing financial rewards, ransomware authors began to develop more advanced techniques. This led to the emergence of shadow encryption, an approach that prioritizes stealth.

What is shadow encryption?

Shadow encryption refers to methods of encrypting data in ways that avoid triggering traditional security alarms. The tactic gained notoriety in 2021 with LockFile, a ransomware family that researchers associated with the Conti gang. LockFile introduced intermittent encryption: rather than encrypting each file in full, it encrypted every other 16-byte block and left the blocks in between untouched. A file treated this way is still unusable, but its entropy and compressibility sit well below those of a fully encrypted file and closer to the original, so detectors tuned to spot fully scrambled files, or a sharp jump past a fixed entropy threshold, may not fire. Intermittent encryption has a second benefit for the attacker: it is much faster, so more data can be locked before anyone responds.

But intermittent encryption was just the beginning. As ransomware groups realized the benefits of staying quiet, they added further tricks. Chaos ransomware, for example, wrote its output as Base64 text rather than raw cipher bytes. Base64 is an encoding, not encryption, and it hides nothing from anyone who decodes it; what it changes is the statistical shape of the result. Base64 output uses a 64-symbol alphabet, so its entropy can never exceed 6 bits per byte, and every byte is printable ASCII. Simple rules that flag ‘binary garbage’ or entropy close to 8 bits per byte therefore see something that looks like text and let it pass. (Early Chaos builds also simply overwrote larger files with random Base64 data rather than encrypting them, leaving nothing to decrypt even after payment.)
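The two tricks just described are easiest to appreciate with numbers. The Python below is an added example for this article, not code from the author or from Index Engines. It builds a small sample document inline, uses a seeded random generator as a stand-in for cipher output, takes the 16-byte block size from public LockFile write-ups, and compares a naive ‘entropy above 7.5 bits per byte means encrypted’ rule with a check that judges each file against its own last good version (for instance, the copy in the backup) and against how uniform its byte alphabet has become. The 7.5, 1.0 and 0.95 thresholds are assumptions chosen for the illustration, not settings from any real product.

```python
"""Whole-file entropy versus intermittent encryption and Base64 output.

Added example for this article, not code from the author or Index Engines.
Everything is constructed: a sample document, a seeded RNG standing in for
cipher output, a 16-byte block from public LockFile write-ups, and three
thresholds (7.5, 1.0, 0.95) that are assumptions for the illustration.
"""
import base64
import math
import random
from collections import Counter

BLOCK = 16             # LockFile reportedly encrypted every other 16 bytes
NAIVE_CUTOFF = 7.5     # assumed: 'entropy this high means encrypted'
DELTA_CUTOFF = 1.0     # assumed: bits/byte jump versus the last good version
UNIFORM_CUTOFF = 0.95  # assumed: entropy / log2(distinct symbols); 1.0 = uniform

_rng = random.Random(20250604)  # fixed seed so every run gives the same numbers

def _rand_bytes(n: int) -> bytes:
    """Stand-in for cipher output; real AES or ChaCha output looks the same."""
    return bytes(_rng.getrandbits(8) for _ in range(n))

def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def alphabet_uniformity(data: bytes) -> float:
    """Entropy normalised by the alphabet actually used. Base64 never exceeds
    6 bits/byte, but it is near-uniform over its 64 symbols: that is the tell."""
    distinct = len(set(data))
    if distinct < 2:
        return 0.0
    return shannon_entropy(data) / math.log2(distinct)

def intermittent_encrypt(plain: bytes, block: int = BLOCK) -> bytes:
    """LockFile-style: every other `block`-byte chunk becomes cipher-like
    bytes; the chunks in between stay as plaintext."""
    out = bytearray(plain)
    for off in range(0, len(plain), 2 * block):
        end = min(off + block, len(plain))
        out[off:end] = _rand_bytes(end - off)
    return bytes(out)

def chaos_style_output(plain: bytes) -> bytes:
    """Chaos wrote Base64 text instead of raw cipher bytes. Random input
    stands in for whatever it encrypted (or, for large files, overwrote)."""
    return base64.b64encode(_rand_bytes(len(plain)))

def naive_verdict(current: bytes) -> bool:
    """The fixed-threshold rule that shadow encryption is built to slip past."""
    return shannon_entropy(current) >= NAIVE_CUTOFF

def versioned_verdict(previous: bytes, current: bytes) -> bool:
    """Judge the file against its own last good copy (e.g. the backup) and
    against how uniform its byte alphabet has become, not against a fixed bar."""
    jump = shannon_entropy(current) - shannon_entropy(previous)
    return jump >= DELTA_CUTOFF or alphabet_uniformity(current) >= UNIFORM_CUTOFF

# Constructed sample document, about 2.3 KB of ordinary business text.
PLAINTEXT = (
    b"Quarterly revenue rose 4.2% on stronger demand in the EMEA region, "
    b"while operating costs were flat. The board approved the FY26 budget "
    b"and a dividend of $0.31 per share. Minutes to follow. "
) * 12

SCENARIOS = {
    "benign_edit": PLAINTEXT + b"Addendum: meeting moved to Thursday.\n",
    "full_encryption": _rand_bytes(len(PLAINTEXT)),   # classic whole-file encryption
    "intermittent_encryption": intermittent_encrypt(PLAINTEXT),
    "base64_output": chaos_style_output(PLAINTEXT),
}

def run_all() -> dict:
    """Return {scenario: (naive_flagged, versioned_flagged, entropy_bits_per_byte)}."""
    return {
        name: (naive_verdict(data), versioned_verdict(PLAINTEXT, data),
               round(shannon_entropy(data), 2))
        for name, data in SCENARIOS.items()
    }

if __name__ == "__main__":
    for name, (naive, versioned, h) in run_all().items():
        print(f"{name:24s} H={h:.2f}  naive={naive!s:5s}  versioned={versioned}")
```

Run as a script, it prints one line per scenario. The fully encrypted file trips both checks. The intermittently encrypted file sits around 7 bits per byte, under the naive bar but well over a bit above its own original. The Base64 output never gets past 6 bits per byte, yet is almost perfectly uniform over its 64-symbol alphabet. The benign edit trips neither check. The practical point is that the reference for ‘abnormal’ has to be the file itself, or at least its type, rather than one universal threshold.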

Hard to detect, hard to beat

Modern shadow encryption tactics now go beyond intermittent encryption or encoding tricks. Some encrypt a file’s contents in memory and write them back in place, rather than creating an encrypted copy and deleting the original, which leaves fewer temporary files and deleted-file remnants for forensic tools to recover. Others layer several encryption algorithms in succession, complicating both detection and any attempt at decryption. These methods further blur the line between clean and compromised data.

The sophistication of these techniques means traditional data protection tools, especially those that scan storage or backups for obviously encrypted files, are increasingly outmatched. Many organizations find out too late that they have been attacked, realizing the scope of the damage only once access to critical data is lost.

What can be done?

The emergence of shadow encryption marks a turning point in how organizations need to think about ransomware defense. Legacy detection tools are no longer sufficient on their own. To keep up with evolving threats, businesses must adopt more intelligent, adaptive technologies.

Artificial intelligence and machine learning can help spot the subtle behavioural changes that signal shadow encryption in progress. Unlike tools that rely on known patterns or signatures, such systems learn what normal looks like for a given environment and flag deviations in how data is accessed, modified or transmitted, even when an individual change is too small for a human or a fixed threshold to catch. The caveat is that they need a trustworthy baseline and careful tuning: a model trained on data that was already compromised, or one that alarms on every unusual but legitimate job, is of little use.

Beyond AI, organizations should embrace a multi-layered security approach: real-time threat detection at the file and memory level; endpoint protection with behaviour analytics; immutable backups and secure, off-network storage; and zero-trust frameworks that limit lateral movement so a single compromised host cannot reach everything.

Looking ahead

Shadow encryption is not just a new trick; it is a shift in strategy. Ransomware is becoming more evasive, more carefully engineered and more damaging. The financial and reputational risks for businesses are growing, and the cost of inaction is rising with them.

Staying ahead of ransomware now requires more than reactive security. It demands a proactive approach: next-generation tools, smarter analytics and an understanding of how threats are changing. Shadow encryption is here, and it is only going to get more sophisticated. The question is whether organizations are ready to tackle it.