
Modern ransomware: Obfuscation and fileless attacks explained

Muhammed San, SOC Analyst, Nomios Netherlands


Ransomware continues to be one of the most significant threats to organisations. In 2025, attacks are becoming increasingly sophisticated, with cybercriminals relying on obfuscated code and fileless techniques to avoid detection.

This article outlines these methods and the defensive measures organisations can take, particularly through managed SOC services such as Managed Detection & Response.

Ransomware evolution: stealth over speed

Fileless attacks are rising and now account for a large portion of incidents. These attacks bypass signature-based security solutions, making them difficult to detect. In 2023, 79% of targeted attacks already used "Living-off-the-Land" binaries, and this trend continues.

Attackers have gradually abandoned traditional, overt methods in favour of discreet approaches that are harder to detect. The objective remains the same: encrypt data and demand ransom, but the methods have become significantly more complex, requiring advanced detection capabilities to counter them.

Obfuscation techniques: hiding code in plain sight

Obfuscation is a core technique in the ransomware developer’s toolkit. It deliberately makes code hard to read for analysts or automated systems while keeping the malicious functionality intact.

Common obfuscation mechanisms include:

  • Base64 encoding: Transforms code into seemingly random character strings. For example, a PowerShell command can be encoded like this (-e is the short form of -EncodedCommand):

powershell.exe -EncodedCommand QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMALgBGAG8AcgBtAHMALgBNAGUAcwBzAGEAZwBlAEIAbwB4AF0AOgA6AFMAaABvAHcAKAAiAE4AbwBtAGkAbwBzACAAbgBlACAAdgBvAHUAcwAgAHIAZQBjAG8AbQBtAGEAbgBkAGUAIABwAGEAcwAgAGQAJwBlAHgA6QBjAHUAdABlAHIAIABkAHUAIABjAG8AZABlACAAdAByAG8AdQB2AOkAIABzAHUAcgAgAEkAbgB0AGUAcgBuAGUAdAAgAGMAbwBtAG0AZQAgAOcAYQAgADoAKQAiACwAIAAiAE4AbwBtAGkAbwBzACAA6gB0AHIAZQAgAGwA4AAiACkA

Figure: Obfuscated code (example of a PowerShell command).

When executed, this command opens a window displaying: “Nomios recommends not executing code you find on the Internet without analysing it.”

  • XOR operations: XORs each byte of the code with a byte of a secret key. This simple but effective technique can be applied repeatedly with several different keys, making de-obfuscation a complex puzzle for analysts.
  • Dead code insertion: Adds meaningless instructions to confuse static analysis.
  • Polymorphism: Automatically modifies code at each execution while preserving its function.
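The first step an analyst takes with a command line like the Base64 example above is to decode it. The following Python script is an added example, not code from the article or from Nomios: it locates the -EncodedCommand switch (or any of the shorter forms powershell.exe accepts), base64-decodes the argument as UTF-16LE text, and lists a few strings in the result that merit a second look. The command line is built from the article's own encoded example; the indicator labels, the function names and the second, hypothetical sample are this example's assumptions.

```python
import base64
import binascii
import re

# Constructed sample for this example (not a real capture): the article's
# encoded command as it appears in the CommandLine field of a process-creation event.
SAMPLE_COMMAND_LINE = (
    "powershell.exe -EncodedCommand "
    "QQBkAGQALQBUAHkAcABlACAALQBBAHMAcwBlAG0AYgBsAHkATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4A"
    "VwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoAWwBTAHkAcwB0AGUAbQAuAFcAaQBuAGQAbwB3AHMA"
    "LgBGAG8AcgBtAHMALgBNAGUAcwBzAGEAZwBlAEIAbwB4AF0AOgA6AFMAaABvAHcAKAAiAE4AbwBtAGkA"
    "bwBzACAAbgBlACAAdgBvAHUAcwAgAHIAZQBjAG8AbQBtAGEAbgBkAGUAIABwAGEAcwAgAGQAJwBlAHgA"
    "6QBjAHUAdABlAHIAIABkAHUAIABjAG8AZABlACAAdAByAG8AdQB2AOkAIABzAHUAcgAgAEkAbgB0AGUA"
    "cgBuAGUAdAAgAGMAbwBtAG0AZQAgAOcAYQAgADoAKQAiACwAIAAiAE4AbwBtAGkAbwBzACAA6gB0AHIA"
    "ZQAgAGwA4AAiACkA"
)

# Strings in the decoded script that deserve an analyst's attention. The labels
# are this example's own, not a vendor taxonomy.
INDICATORS = [
    ("runtime .NET type/assembly load (Add-Type)", re.compile(r"\bAdd-Type\b", re.I)),
    ("nested base64 layer (FromBase64String)", re.compile(r"FromBase64String", re.I)),
    ("XOR decode loop (-bxor)", re.compile(r"-bxor", re.I)),
    ("string-to-code execution (Invoke-Expression)", re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I)),
    ("reflective assembly load", re.compile(r"Reflection\.Assembly\]::Load", re.I)),
]


def _is_encoded_switch(token):
    """powershell.exe takes -ec or any unambiguous prefix of -EncodedCommand (-e, -enc, ...)."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name == "ec" or "encodedcommand".startswith(name)


def extract_encoded_payload(command_line):
    """Return the base64 argument that follows an EncodedCommand switch, else None."""
    tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_switch(tok):
            return tokens[i + 1]
    return None


def decode_encoded_command(b64):
    """-EncodedCommand payloads are base64 over UTF-16LE text; restore any '='
    padding that a log pipeline or the attacker's loader may have dropped."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded).decode("utf-16-le")


def encode_command(script):
    """Inverse of decode_encoded_command; used here only to build the hypothetical second sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def triage(command_line):
    """Decode an encoded PowerShell command line and list the indicators it contains."""
    payload = extract_encoded_payload(command_line)
    if payload is None:
        return {"encoded": False, "script": None, "indicators": []}
    try:
        script = decode_encoded_command(payload)
    except (binascii.Error, UnicodeDecodeError):
        return {"encoded": True, "script": None, "indicators": ["payload is not valid base64/UTF-16"]}
    hits = [label for label, rx in INDICATORS if rx.search(script)]
    return {"encoded": True, "script": script, "indicators": hits}


# Hypothetical second sample, constructed here: an inner base64 blob unpacked by
# an XOR loop, i.e. the two obfuscation layers the article lists after Base64.
XOR_SAMPLE = encode_command(
    "$b=[Convert]::FromBase64String('QUJD');$b|ForEach-Object{$_ -bxor 0x2A}"
)

if __name__ == "__main__":
    for line in (SAMPLE_COMMAND_LINE, "powershell.exe -enc " + XOR_SAMPLE):
        result = triage(line)
        print(result["script"])
        print("indicators:", result["indicators"])
```

Run on the article's sample, the decoded text is the Add-Type / MessageBox script the caption describes (the message itself is in French), and only the Add-Type indicator fires; on the hypothetical second sample both the nested-base64 and XOR indicators fire. The decoder deliberately accepts the short switch forms, because a rule that only looks for the literal string "-EncodedCommand" misses "-e" and "-enc".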

These obfuscation techniques allow ransomware to effectively bypass signature-based detection systems and considerably complicate post-incident forensic analysis work.

As revealed by a recent ransomware analysis at Nomios, the de-obfuscation process can require significant time and resources, sometimes mobilising entire teams for several days. This is why outsourced SOC services are becoming essential for many organisations.
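The XOR bullet above says that repeating the operation with several keys makes de-obfuscation a puzzle. The added Python example below (constructed here, not Nomios's tooling or code from the article) shows the two analyst-side facts that shrink that puzzle: a single-byte XOR layer falls to a 256-key search scored on whether the output is readable text, and two stacked repeating keys are equivalent to one key of length lcm(len(k1), len(k2)), which a short known-plaintext crib recovers directly. The plaintext, keys and crib are constructed for the example; the function names are this example's own.

```python
from math import gcd

# Constructed plaintext for the example (not from an incident): a PowerShell
# fragment of the kind that appears once the outer encoding layers are stripped.
PLAINTEXT = (b"Add-Type -AssemblyName System.Windows.Forms\r\n"
             b"[System.Windows.Forms.MessageBox]::Show('hello')")


def xor_bytes(data, key):
    """XOR data with a repeating key; applying it twice with the same key restores data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def compose_keys(k1, k2):
    """Two stacked XOR layers with repeating keys k1 and k2 equal one layer with
    this key of length lcm(len(k1), len(k2)): stacking adds no real strength."""
    n = len(k1) * len(k2) // gcd(len(k1), len(k2))
    return bytes(k1[i % len(k1)] ^ k2[i % len(k2)] for i in range(n))


def _printable(b):
    return 32 <= b < 127 or b in (9, 10, 13)


def recover_single_byte_key(data):
    """Try all 256 keys, keep only candidates whose output is entirely printable
    text, and prefer the one with the most letters and spaces. Returns None when
    no candidate decodes to printable text (e.g. the key is longer than one byte)."""
    best_key, best_score = None, -1
    for k in range(256):
        cand = xor_bytes(data, bytes([k]))
        if not all(_printable(b) for b in cand):
            continue
        score = sum(1 for b in cand if chr(b).isalpha() or b == 0x20)
        if score > best_score:
            best_key, best_score = k, score
    return best_key


def recover_key_with_crib(data, crib, key_len):
    """Known-plaintext recovery: if the first len(crib) bytes of the plaintext are
    known and the key is no longer than the crib, key = ciphertext XOR crib."""
    if key_len > len(crib):
        raise ValueError("crib must be at least as long as the key")
    return bytes(data[i] ^ crib[i] for i in range(key_len))


if __name__ == "__main__":
    ct = xor_bytes(PLAINTEXT, b"\x2a")
    k = recover_single_byte_key(ct)
    print("single-byte key:", hex(k), xor_bytes(ct, bytes([k])) == PLAINTEXT)
    k1, k2 = b"\x13\x37", b"\xde\xad\xbe"          # constructed keys, lengths 2 and 3
    ct2 = xor_bytes(xor_bytes(PLAINTEXT, k1), k2)  # two "layers" of obfuscation
    key = recover_key_with_crib(ct2, b"Add-Type", 6)
    print("composite key:", key.hex(), xor_bytes(ct2, key) == PLAINTEXT)
```

The crib "Add-Type" works because obfuscated PowerShell so often starts with a predictable token; for a .NET DLL the "MZ" header and the PE signature play the same role. The printable-text filter is enough for the constructed sample; real tooling replaces it with letter-frequency scoring, which tolerates binary plaintext.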

Fileless attacks: the invisible threat

Fileless malware represents a notable shift in ransomware tactics. Unlike traditional ransomware, which installs an executable on disk, fileless attacks run entirely in memory, leaving little or no trace on the file system.

Key characteristics include:

  • Use of legitimate tools already present on the system (Living-off-the-Land)
  • Direct execution in memory without touching the disk
  • Frequent use of PowerShell or the .NET framework
  • Persistence through the registry or scheduled tasks

By leveraging native system tools, these attacks are difficult for traditional file-based security solutions to detect. According to Halcyon.ai data from early 2025, Living-off-the-Land techniques now define modern ransomware campaigns, allowing attackers to minimise their digital footprint. Detecting these attacks requires advanced behavioural monitoring solutions.

The modern attack process: Sequential deployment

Modern ransomware attacks are no longer single-step events. They follow a methodical sequence, often spread over days or weeks, to avoid detection. Attackers deliver their payload in stages, remaining unnoticed until the final encryption phase.

Typical stages of a fileless attack include:

  1. Initial execution: Base64-encoded PowerShell scripts, often delivered via malicious documents
  2. Persistence establishment: Scheduled tasks or registry modifications
  3. Internal reconnaissance: Mapping the network and identifying high-value targets
  4. Lateral movement: Propagating through vulnerabilities or compromised credentials
  5. Memory injection: Loading malicious code directly into legitimate process memory
  6. Data exfiltration: Stealing sensitive information before encryption (double extortion)
  7. Final deployment: Executing the full encryption payload

This staged approach maximises impact while reducing the chance of early detection. SOC teams use advanced event correlation to detect these sequences and respond promptly.
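An added illustration of the event correlation the paragraph above refers to (example code written for this page, not Nomios's SOC tooling): constructed endpoint events are each tagged with one stage from the list above, and a host raises an alert when it accumulates three or more distinct stages inside a 72-hour sliding window, which is what lets a slow, staged intrusion surface even though every single event looks tolerable on its own. The event format, the stage rules, the stage names and the thresholds are this example's assumptions, and the rules are deliberately minimal.

```python
import re
from datetime import datetime, timedelta

# Constructed endpoint telemetry for this example (not a real capture). Each
# record carries the fields a SOC would get from process-creation and
# Sysmon-style events; "cmd" is the process command line where one exists.
SAMPLE_EVENTS = [
    {"ts": "2025-03-03T08:12:05", "host": "WS-042", "event": "ProcessCreate",
     "cmd": "powershell.exe -enc QQBkAGQALQBUAHkAcABlACAA"},
    {"ts": "2025-03-03T09:40:11", "host": "WS-042", "event": "ProcessCreate",
     "cmd": r'schtasks.exe /create /sc onlogon /tn "Updater" /tr "C:\ProgramData\Updater\run.cmd"'},
    {"ts": "2025-03-03T10:00:00", "host": "WS-017", "event": "ProcessCreate",
     "cmd": r'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\it\backup.cmd"'},
    {"ts": "2025-03-04T10:00:00", "host": "WS-017", "event": "ProcessCreate",
     "cmd": r"powershell.exe -File C:\it\inventory.ps1"},
    {"ts": "2025-03-04T14:05:30", "host": "WS-042", "event": "ProcessCreate",
     "cmd": "net.exe view /domain"},
    {"ts": "2025-03-05T22:18:47", "host": "WS-042", "event": "CreateRemoteThread",
     "cmd": "", "source": "powershell.exe", "target": "explorer.exe"},
]

# Minimal stage rules; the image name is anchored to the start of the command
# line so that an argument mentioning powershell does not count as execution.
ENCODED_PS = re.compile(r"^\S*powershell(?:\.exe)?\b.*\s-e(?:c|nc|ncodedcommand)?\s+\S", re.I)
SCHTASK_CREATE = re.compile(r"^\S*schtasks(?:\.exe)?\s+/create\b", re.I)
RUN_KEY = re.compile(r"^\S*reg(?:\.exe)?\s+add\b.*\\CurrentVersion\\Run\b", re.I)
NET_RECON = re.compile(r"^\S*(?:net(?:\.exe)?\s+(?:view|group)\b|nltest(?:\.exe)?\s+/dclist)", re.I)

STAGE_RULES = [
    ("initial_execution", lambda e: e["event"] == "ProcessCreate" and ENCODED_PS.search(e.get("cmd", ""))),
    ("persistence", lambda e: e["event"] == "ProcessCreate"
        and (SCHTASK_CREATE.search(e.get("cmd", "")) or RUN_KEY.search(e.get("cmd", "")))),
    ("reconnaissance", lambda e: e["event"] == "ProcessCreate" and NET_RECON.search(e.get("cmd", ""))),
    ("memory_injection", lambda e: e["event"] in ("CreateRemoteThread", "ProcessAccess")),
]


def classify(event):
    """Return the first stage whose rule matches the event, or None for noise."""
    for stage, rule in STAGE_RULES:
        if rule(event):
            return stage
    return None


def correlate(events, window_hours=72, min_stages=3):
    """Group staged events per host and alert when a host shows at least
    min_stages distinct stages inside a sliding window of window_hours."""
    per_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        stage = classify(e)
        if stage:
            per_host.setdefault(e["host"], []).append((datetime.fromisoformat(e["ts"]), stage))
    window = timedelta(hours=window_hours)
    alerts = []
    for host, items in per_host.items():
        for i, (start, _) in enumerate(items):
            in_window = [(t, s) for t, s in items[i:] if t - start <= window]
            stages = list(dict.fromkeys(s for _, s in in_window))  # distinct, first-seen order
            if len(stages) >= min_stages:
                alerts.append({"host": host, "first": start.isoformat(),
                               "last": in_window[-1][0].isoformat(), "stages": stages})
                break  # one alert per host is enough to open a case
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the constructed data WS-042 is raised with four stages spanning roughly 62 hours, while WS-017, whose scheduled task is an ordinary backup, stays quiet; shrinking the window to 24 hours raises nothing, which is the trade-off a SOC tunes between catching slow intrusions and drowning in correlated noise.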

The strategic use of malicious DLLs

Malicious DLLs (Dynamic-Link Libraries) are central to many modern ransomware attacks. Often developed in .NET, these libraries are obfuscated and loaded directly into memory. Their main functions include:

  • Calling system functions
  • Bypassing security mechanisms
  • Facilitating lateral movement
  • Executing encryption routines

As shown by a recent incident blocked by the Nomios SOC, completely reconstructing a malicious DLL can require several days of intensive forensic work, even for seasoned experts.

Polymorphic ransomware

Polymorphic ransomware adds another layer of sophistication. It constantly modifies its code and signature, generating unique variants with each infection. Techniques include:

  • Code mutation during execution
  • Random code generation
  • Insertion of harmless instructions
  • Dynamic reorganisation of functions

These capabilities make detection by traditional solutions nearly impossible.

Defence strategies against advanced ransomware

Defending against these threats requires a layered approach that combines technology with expertise:

1. Enhancing behavioural detection

  • Deploy EDR (Endpoint Detection and Response) solutions capable of analysing behaviour rather than relying solely on signatures
  • Enable advanced logging of PowerShell and scripts
  • Implement behavioural anomaly detection systems

2. Limiting the attack surface

  • Restrict execution of unsigned PowerShell scripts
  • Apply the principle of least privilege to limit lateral propagation
  • Segment the network to contain potential infections

3. Strengthening digital forensics

  • Develop skills in volatile memory analysis
  • Implement network traffic capture and analysis tools
  • Establish incident response procedures specific to fileless attacks

4. Integrating a modern SOC

  • 24/7 infrastructure monitoring
  • Behavioural analysis capabilities
  • Expertise in detecting obfuscation and fileless attacks
  • Rapid incident response procedures

Ransomware using obfuscation, fileless execution, and polymorphic techniques is increasingly hard to detect and analyse. The most effective defence combines advanced SOC technology, skilled analysts, and an organisation-wide security culture.

Expert Insights

Ransomware using obfuscated code and fileless attack techniques represents a major threat to organisations in 2025. Its increasing sophistication, combined with the adoption of polymorphic techniques, makes detection and analysis increasingly complex.

For analysts and cybersecurity managers, understanding these advanced mechanisms is essential to implementing effective defence strategies. Beyond technical solutions, this remains a race for expertise between defenders and attackers.

Faced with this constantly evolving threat, the most effective approach remains the combination of advanced SOC technology, high-level human expertise, and a security culture shared by the entire organisation.
