Building a Resilient World:
The ISAGCA Blog

Welcome to the official blog of the ISA Global Cybersecurity Alliance (ISAGCA).

This blog covers topics on automation cybersecurity such as risk assessment, compliance, educational resources, and how to leverage the ISA/IEC 62443 series of standards.

The material and information contained on this website is for general information purposes only. ISAGCA blog posts may be authored by ISA staff and guest authors from the cybersecurity community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

Read More

How Ransomware Can Evade Antivirus Software

Read More

Categories Arrow

All Posts

How Ransomware Can Evade Antivirus Software

Even if you have up-to-date antivirus software, there’s still a chance ransomware can infect your computer. If cybercriminals know what they’re doing, they can easily evade scans and bypass your protections.

How Does Antivirus Software Work?

Antivirus software constantly searches for malicious software to prevent harmful files from infecting a computer. When its scans catch viruses, trojans or malware, it warns the user of a potential threat and blocks it from doing damage.

While some of the most common types of antivirus software include signature and heuristic-based analysis, there are more advanced versions utilizing artificial intelligence or sandbox detection. Each one identifies malware in slightly different ways.

What Are the Limitations of Antivirus Software?

The limitations of antivirus software involve its scanning method weaknesses and its own vulnerabilities. Although it is generally good at protecting computers from malware, no cybersecurity solution offers a 100% protection rate.

Ransomware losses reached nearly $450 million in the first half of 2023, a sharp increase from the $500 million victims paid in all of 2022. Even though the number of attacks has stayed relatively the same, the financial consequences are far more significant. With the cost rising, it’s much more important to be aware of the limitations of your antivirus software.

How Do Cybercriminals Evade Antivirus Software?

Cybercriminals manipulate code, exploit vulnerabilities or pose as legitimate to evade antivirus software. Here are a few ways cybercriminals can bypass your protections to install ransomware.

1.    Quantity Attack

In a quantity attack, cybercriminals deploy an enormous number of new Trojan versions as quickly as possible. The goal is to overload antivirus companies with samples to analyze, giving their malicious files more time to infect computers successfully.

Most antivirus software detects malicious files and prevents infection using a knowledge base of malware it has previously detected. This approach creates a significant security gap, considering cybercriminals can bypass protections if they mass release ransomware. Since they produce thousands of new viruses daily, a quantity attack is a significant threat.

2.    Obfuscation

In relation to malware, obfuscation is when a cybercriminal makes something look harmless to deceive users into downloading a malicious file. It’s a particularly dangerous method because it isn’t immediately noticeable as a threat. They can hide their intent in multiple ways, including encryption, meaningless code addition or metadata stripping.

This method is ideal for hackers looking to get around signature or heuristic-based analysis since they can simply obfuscate their payloads to get around them.

After cybercriminals trick you into downloading something, they deploy the same methods to hide their attack mechanisms and dupe the antivirus software. For example, they could compress something with packing to make the code unreadable. Although there’s a chance your tools could pick up on the suspicious files, there’s a good chance they won’t.

3.    Trojan Horse

Since a trojan horse mimics legitimate processes to appear harmless, antivirus software often can’t pick up on it. For example, it can take on their icons, names or signatures. Cybercriminals often use special tools to inject their malicious code into trusted programs.

Antivirus software is typically unable to detect or get rid of malicious code hiding behind something it trusts. While trojan horse variants come in many forms, most are equally dangerous because identifying them can be incredibly challenging.

4.    Polymorphism

Polymorphic malware repeatedly mutates to hide from scans. It uses an encryption key and a self-propagating code, meaning it can evade detection and thoroughly infect a system on its own. Since antivirus software relies on searching for fixed signatures, it often doesn’t notice anything.

While this method takes more effort on the cybercriminal’s part, people who know what they’re doing can easily create dynamic code. Even ChatGPT can create polymorphic malware capable of bypassing antivirus software. Although it isn’t supposed to respond to such prompts, knowledgeable users can quickly get around them.

5.    Zero-Day Threat

Instead of using convoluted methods to hide from scans, cybercriminals can target your antivirus software directly. A zero-day threat is a vulnerability the developers are unaware of, meaning there’s no patch scheduled. If they find one, they can take advantage of it and release ransomware before anyone can fix it.

While you can usually prevent this from happening if you keep your antivirus software updated, hackers constantly look for new, unknown vulnerabilities to exploit. Enterprises with a large tech stack will have a harder time searching for potential security weaknesses, making this situation more likely to occur.

Prevent Ransomware Infections

Even though cybercriminals can take advantage of antivirus software’s limitations, you can still prevent ransomware from infecting your computer. Since no single security tool can guarantee complete protection, having multiple backups is a good idea.

Zac Amos
Zac Amos
Zac Amos is the Features Editor at ReHack, where he covers trending tech news in cybersecurity and artificial intelligence. For more of his work, follow him on Twitter or LinkedIn.

    Recent Posts

    Astronaut on a rocket

    Related Posts

    ISA/IEC 62443 and Risk Assessment: New Horizons in the AI Revolution

    Risk assessment has long been an important component of any cybersecurity program and operation for organ...
    Mohannad AlRasan Apr 26, 2024 7:00:00 AM

    Should ISA/IEC 62443 Security Level 2 Be the Minimum for COTS Components?

    A recent white paper published by the ISA Security Compliance Institute (ISCI) and its ISASecure certific...
    Liz Neiman Apr 23, 2024 5:18:27 PM

    How to Secure Machine Learning Data

    Data security is paramount in machine learning, where knowledge drives innovation and decision-making. Th...
    Zac Amos Mar 12, 2024 11:10:47 AM

    The International Society of Automation (ISA) is a non-profit professional association founded in 1945 to create a better world through automation. ISA advances technical competence by connecting the automation community to achieve operational excellence and is the trusted provider of standards-based foundational technical resources, driving the advancement of individual careers and the overall profession. ISA develops widely used global standards; certifies professionals; provides education and training; publishes books and technical articles; hosts conferences and exhibits; and provides networking and career development programs for its members and customers around the world.


    The material and information contained on this website is for general information purposes only. ISA blog posts may be authored by ISA staff and guest authors from the automation community. Views and opinions expressed by a guest author are solely their own, and do not necessarily represent those of ISA. Posts made by guest authors have been subject to peer review.

    We're on social media. Keep in touch!

    © 2024 International Society of Automation. All rights reserved.