Selective Exclusion

Adversaries may intentionally exclude certain files, folders, directories, file types, or system components from encryption or tampering during a ransomware or malicious payload execution. Some file extensions that adversaries may avoid encrypting include .dll, .exe, and .lnk.[1]

Adversaries may perform this behavior to avoid alerting users, to evade detection by security tools and analysts, or, in the case of ransomware, to ensure that the system remains operational enough to deliver the ransom notice.

Exclusions may target files and components whose corruption would cause instability, break core services, or immediately expose the attack. By carefully avoiding these areas, adversaries maintain system responsiveness while minimizing indicators that could trigger alarms or otherwise inhibit achieving their goals.

ID: T1679
Sub-techniques: No sub-techniques
Tactic: Stealth
Platforms: Windows
Version: 2.0
Created: 25 September 2025
Last Modified: 15 April 2026

Procedure Examples

ID Name Description
S9038 DynoWiper

DynoWiper has recursively enumerated directories with the exception of the following: System32, Windows, Program Files, Program Files(x86), Temp, Recycle.Bin, $Recycle.Bin, Boot, PerfLogs, AppData, Documents and Settings.[2][3]

S1247 Embargo

Embargo has avoided encrypting specific files and directories by leveraging a regular expression within the ransomware binary.[4]

S1245 InvisibleFerret

InvisibleFerret has the capability to scan for file names, file extensions, and avoids pre-designated path names and file types.[5][6]

S9039 LazyWiper

LazyWiper can enumerate the hostname of the system to determine if it is a domain controller and exclude it from being wiped if so.[2]

S1244 Medusa Ransomware

Medusa Ransomware has avoided specified files, file extensions and folders to ensure successful execution of the payload and continued operations of the impacted device.[1][7][8]

S9030 SameCoin

SameCoin can avoid overwriting file names that contain "desktop.ini" and "conf.conf".[9]

G1055 VOID MANTICORE

VOID MANTICORE has avoided interacting with specific directories in order to reduce the likelihood of detection.[10]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection Strategy

ID Name Analytic ID Analytic Description
DET0897 Detection of Selective Exclusion AN2030

A process with no prior history, or one outside of known whitelisted tools, initiates file or registry modifications to configure exclusion rules for antivirus, backup, or file-handling systems. Alternatively, such a process performs file system enumeration for specific file names and critical extensions such as .dll, .exe, or .sys, for specific directories such as 'Program Files' or security tool paths, or carries out system component discovery, in order to exclude those files or components from its payload.
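As an added example that is not part of the ATT&CK page, the Python below applies both halves of AN2030 to constructed telemetry: it flags a non-allowlisted process that writes to an AV exclusion registry location, and a process whose file writes are numerous yet never touch the directories or extensions the page reports adversaries skipping. The event tuple layout, the Defender exclusion key used as the concrete "AV exclusion rule" location, the allowlist and the write threshold are all assumptions of this example.

```python
import re
from collections import defaultdict

# Areas the page reports wipers/ransomware leaving alone (DynoWiper's skip list
# plus .dll/.exe/.lnk); mass writes that avoid all of them are the signal.
PROTECTED_DIRS = {d.lower() for d in (
    "System32", "Windows", "Program Files", "Program Files(x86)", "Temp",
    "Recycle.Bin", "$Recycle.Bin", "Boot", "PerfLogs", "AppData",
    "Documents and Settings")}
PROTECTED_EXTS = (".dll", ".exe", ".lnk", ".sys")
# Assumption: Defender's exclusion key stands in for "AV exclusion rules".
EXCL_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
AV_EXCLUSION_KEY = re.compile(r"windows defender\\exclusions\\", re.IGNORECASE)
ALLOWLIST = {"msmpeng.exe", "backupsvc.exe"}  # hypothetical known-good tools

# Constructed telemetry, not real logs: (event_kind, process_name, target)
EVENTS = [
    ("file_write", "payload.exe", r"C:\Users\alice\Documents\report.docx"),
    ("file_write", "payload.exe", r"C:\Users\alice\Pictures\photo.jpg"),
    ("file_write", "payload.exe", r"D:\shares\finance\q3.xlsx"),
    ("file_write", "payload.exe", r"D:\shares\finance\q4.xlsx"),
    ("registry_set", "payload.exe", EXCL_KEY + r"\C:\drop"),
    ("file_write", "installer.exe", r"C:\Program Files\Tool\tool.dll"),
    ("file_write", "installer.exe", r"C:\Users\alice\Desktop\Tool.lnk"),
    ("file_write", "installer.exe", r"C:\Users\alice\Desktop\a.txt"),
    ("file_write", "installer.exe", r"C:\Users\alice\Desktop\b.txt"),
    ("registry_set", "msmpeng.exe", EXCL_KEY + r"\C:\backup"),
]

def is_protected(path: str) -> bool:
    """True if the path is in a directory, or has an extension, adversaries skip."""
    parts = [p.lower() for p in path.split("\\")]
    return bool(PROTECTED_DIRS & set(parts)) or path.lower().endswith(PROTECTED_EXTS)

def detect(events, min_writes: int = 4) -> dict:
    """Map each suspicious process to the AN2030 conditions it matched."""
    writes, findings = defaultdict(list), defaultdict(list)
    for kind, proc, target in events:
        if proc.lower() in ALLOWLIST:
            continue
        if kind == "registry_set" and AV_EXCLUSION_KEY.search(target):
            findings[proc].append(f"configured AV exclusion: {target}")
        elif kind == "file_write":
            writes[proc].append(target)
    for proc, paths in writes.items():
        # Volume alone is normal; volume with zero protected-area hits is the signal.
        if len(paths) >= min_writes and not any(is_protected(p) for p in paths):
            findings[proc].append(f"{len(paths)} writes, none in protected dirs/exts")
    return dict(findings)
```

The write threshold and allowlist are deliberately small for the sample; in production both need per-host baselining, since ordinary user applications also write many documents without touching system areas.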

References