IT Brief Australia - Technology news for CIOs & IT decision-makers

Polymorphic ransomware, shadow encryption hinder recovery

Thu, 26th Feb 2026

Index Engines has published new findings from its CyberSense Research Lab, pointing to a shift in ransomware design toward polymorphic malware, partial encryption, and tactics that make recovery harder.

The research draws on samples collected and analysed by the lab, which tracks thousands of new ransomware variants each day. This work feeds into CyberSense, Index Engines' product for detecting corruption linked to ransomware and other destructive activity.

The findings suggest many recent ransomware strains change their behaviour and structure from one infection to the next. They also show wider use of intermittent encryption methods that affect only parts of files. Both approaches can make malicious activity harder to spot and make it more difficult to determine which data remains trustworthy after an incident.

Polymorphic trend

Nearly 90% of samples analysed showed polymorphic behaviour, according to Index Engines. This included variants that replace legitimate files with executable content, blurring the line between data corruption and the insertion of new malicious files.

Polymorphic behaviour can complicate investigations because the malware has no single static fingerprint. It can also increase the effort required to confirm that restored systems and datasets are clean. Organisations may face repeat infections if recovery processes reintroduce altered files.

Jim McGann, chief marketing officer at Index Engines, linked the trend to the pace of ransomware change and new methods used by attackers. "We learned early on that the only way to stay current with emerging ransomware variants is to build a lab that analyzes them daily," he said.

McGann also pointed to AI-driven variation as part of the threat landscape. "This provides confidence that CyberSense remains current with the latest tactics used by bad actors, including new variants generated by advanced AI methodologies. As a result, our customers can trust that CyberSense data integrity scans will not be circumvented by new and innovative corruption methodologies," he said.

Shadow encryption

The findings also point to wider use of what Index Engines calls shadow encryption. Around 80% of variants analysed used intermittent, partial, or slow encryption methods, according to the research, an increase of 33% from the second quarter of 2025.

These approaches can reduce the obvious spikes in activity that some monitoring tools look for during mass file encryption. They can also stretch an attack over longer periods, complicating incident response and increasing uncertainty about when corruption began.
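As an added illustration, not code from the article or from Index Engines' CyberSense, the script below shows why a file-level check misses intermittent encryption and how a per-window entropy scan exposes it. The 4 KiB window size, the 7.5 bits/byte threshold, and the constructed sample document are assumptions.

```python
import math
import random
from collections import Counter

CHUNK_SIZE = 4096    # 4 KiB windows (assumption; tune to the backup's block size)
HIGH_ENTROPY = 7.5   # bits/byte; encrypted or random data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk_size: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size window of the file content."""
    return [shannon_entropy(data[i:i + chunk_size])
            for i in range(0, len(data), chunk_size)]


def partial_encryption_signs(data: bytes, chunk_size: int = CHUNK_SIZE,
                             threshold: float = HIGH_ENTROPY) -> dict:
    """Flag files where only some windows look encrypted.

    Whole-file entropy stays moderate while most windows are still plaintext,
    which is how intermittent encryption slips past a file-level check; the
    per-window view exposes the encrypted segments. A file whose every window
    is high-entropy is left to the ordinary mass-encryption check.
    """
    per_chunk = chunk_entropies(data, chunk_size)
    hot = [i for i, e in enumerate(per_chunk) if e >= threshold]
    return {
        "whole_file_entropy": shannon_entropy(data),
        "chunks": len(per_chunk),
        "high_entropy_chunks": hot,
        "suspicious": 0 < len(hot) < len(per_chunk),
    }


def build_sample(seed: int = 7) -> bytes:
    """Constructed input: 16 plaintext windows, with windows 3 and 11
    overwritten by seeded random bytes to mimic a partially encrypted file."""
    plain = (b"quarterly report line\n" * 200)[:CHUNK_SIZE]
    rng = random.Random(seed)
    chunks = [plain] * 16
    for idx in (3, 11):
        chunks[idx] = bytes(rng.getrandbits(8) for _ in range(CHUNK_SIZE))
    return b"".join(chunks)


if __name__ == "__main__":
    print(partial_encryption_signs(build_sample()))
```

In a recovery workflow the same function would be run over each restored file, flagging those with a mixed entropy profile for closer inspection before the dataset is declared clean.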

Directory corruption

Another pattern highlighted in the research is a move toward corrupting directory structures, rather than only modifying individual files. Index Engines described directory-targeting variants as a way to achieve faster corruption and broader disruption across logically grouped datasets.

Directory-level interference can create problems even when file contents remain partly intact. If directory metadata and structures are damaged, organisations may struggle to locate, index, or validate datasets during recovery. The effect can also ripple across applications that rely on predictable paths and permissions.

Wiper behaviour

The research also suggests an increase in ransomware that behaves more like a wiper. Index Engines observed a subtle rise in variants that prioritise destructive data corruption over financial extortion. These attacks may present as ransomware while aiming to cause irreversible damage.

Wiper-style behaviour changes the response calculus for victims. If an attacker's goal is destruction rather than payment, negotiations and decryption promises become less relevant. Recovery then depends heavily on having uncompromised backups and a reliable way to confirm the integrity of restored data.

Lab approach

Index Engines said its CyberSense Research Lab automates the collection, detection, and analysis of emerging ransomware threats. It cited Patent #12248574 and said the work is used to train its machine learning models, which it claims detect signs of ransomware corruption with 99.99% confidence.

The company positions this work as part of a broader focus on data integrity checks during recovery. It frames the issue as more than getting systems back online, emphasising the need to know whether recovered datasets are clean and usable.

CyberSense is supplied through partnerships and integrations with other technology vendors. Index Engines listed availability through Dell Technologies PowerProtect Cyber Recovery, IBM Storage Defender Sentinel, Hitachi Vantara Ransomware Detection Powered by CyberSense, and Infinidat Infinisafe Cyber Detection powered by CyberSense.

"Our research lab exists to stay ahead of how ransomware behaves in the real world," McGann said. "By continuously analyzing how these attacks evolve, we're helping organizations move from reactive recovery to informed, confident decision making when it matters most."