New Research from Index Engines Shows Ransomware Continues Shift Towards Polymorphism, Shadow Encryption, and Wiper-Style Attacks

Index Engines, an active player in cyber resilience, shared the latest ransomware trends from its CyberSense Research Lab, which reveals threat actors continue to advance their approaches with more sophisticated variants.

The research showed continued, growing use of polymorphism, shadow encryption, and directory corruption – techniques engineered to bypass traditional defenses, prolong dwell time, and significantly complicate investigation and recovery efforts.

“We learned early on that the only way to stay current with emerging ransomware variants is to build a lab that analyzes them daily,” said Jim McGann, CMO, Index Engines. “This provides confidence that CyberSense remains current with the latest tactics used by bad actors, including new variants generated by advanced AI methodologies. As a result, our customers can trust that CyberSense data integrity scans will not be circumvented by new and innovative corruption methodologies.”

The CyberSense Research Lab (Patent #12248574) automates the collection, detection, and analysis of emerging ransomware threats to continuously train its CyberSense MLMs, which detect signs of ransomware corruption with 99.99% confidence and facilitate a clean recovery for thousands of organizations worldwide.

Through this ongoing research, the company identified four notable developments in ransomware behavior during the fourth quarter of 2025:

High prevalence of polymorphic ransomware: Nearly 90% of samples analyzed exhibited polymorphic behaviors, including variants that replace legitimate files with executable content. These approaches can extend the investigation and recovery process and increase the risk of reinfection
Widespread adoption of shadow encryption techniques: Approximately 80% of ransomware variants analyzed employed intermittent, partial, or slow encryption methods, up 33% from Q2 2025. These techniques are designed to avoid traditional detection mechanisms while quietly corrupting data over time
Emergence of directory structure corruption: New variants target directory structures rather than individual files to speed up corruption and maximize business disruption. By impacting large, logically grouped data sets at once, these attacks complicate investigation and recovery efforts
Emergence of wiper-style ransomware: The research lab observed a subtle rise in ransomware variants that prioritize destructive data corruption over financial extortion. These attacks present as ransomware but behave like wipers, aiming to cause irreversible corruption

CyberSense is trained on these emerging approaches and continually updates ML models to maintain currency with new variants as they are launched.

CyberSense is delivered through strategic partnerships with leading technology vendors and as is available as part of Dell Technologies PowerProtect Cyber Recovery, IBM Storage Defender Sentinel, Hitachi Vantara Ransomware Detection Powered by CyberSense, and Infinidat Infinisafe Cyber Detection powered by CyberSense.

“Our research lab exists to stay ahead of how ransomware behaves in the real world,” said McGann. “By continuously analyzing how these attacks evolve, we’re helping organizations move from reactive recovery to informed, confident decision making when it matters most.”