
Index Engines: Ransomware Shifting To Polymorphism & Wiper Attacks

Index Engines reports surge in polymorphic ransomware, shadow encryption, and directory corruption tactics in Q4 2025 study.

Written By
Luis Millares
Feb 24, 2026

Cyber resilience solutions provider Index Engines has released a new study from its CyberSense Research Lab, finding that threat actors are increasingly using polymorphism, shadow encryption, and directory corruption in their attacks.

Four ransomware developments observed in Q4 2025

According to the company, these techniques were used specifically to bypass traditional defenses, increase dwell time, and complicate both investigation and recovery efforts.

“We learned early on that the only way to stay current with emerging ransomware variants is to build a lab that analyzes them daily,” Index Engines CMO Jim McGann said. 

“This provides confidence that CyberSense remains current with the latest tactics used by bad actors, including new variants generated by advanced AI methodologies. As a result, our customers can trust that CyberSense data integrity scans will not be circumvented by new and innovative corruption methodologies.”


CyberSense Research Lab finds high prevalence of polymorphic ransomware and more

The CyberSense Research Lab automates the collection, detection, and analysis of emerging ransomware threats to continuously train its CyberSense MLMs, which the company says detect signs of ransomware-related corruption with 99.99% confidence and facilitate a clean recovery for thousands of organizations worldwide. 

Below is a closer look at the four ransomware behaviors the lab observed during Q4 2025:

  • High prevalence of polymorphic ransomware: Nearly 90 percent of samples analyzed exhibited polymorphic behaviors, including variants that replace legitimate files with executable content. These approaches can extend the investigation and recovery process and increase the risk of reinfection.
  • Widespread adoption of shadow encryption techniques: Approximately 80 percent of ransomware variants analyzed employed intermittent, partial, or slow encryption methods, up 33 percent from Q2 2025. These techniques are designed to avoid traditional detection while quietly corrupting data over time.
  • Emergence of directory-structure corruption: New variants target directory structures rather than individual files to speed up corruption and maximize business disruption. By impacting large, logically grouped data sets at once, these attacks complicate investigation efforts.
  • Emergence of wiper-style ransomware: The research lab observed a subtle rise in ransomware variants that prioritize destructive data corruption over financial extortion. These present as ransomware but behave like wipers, aiming to cause irreversible corruption.
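
Why intermittent or partial encryption slips past a single whole-file entropy score, and how a per-block comparison against an earlier snapshot surfaces it, shown as an added example (not code from Index Engines or CyberSense, and not a description of how CyberSense works). The block size, the 7.5 bits-per-byte threshold, the function names and the sample data are all assumptions constructed for this illustration.

```python
import hashlib
import math
from collections import Counter

BLOCK = 4096  # assumed analysis block size in bytes
HIGH = 7.5    # assumed bits-per-byte threshold for "looks encrypted"

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def block_entropies(data: bytes) -> list:
    return [entropy(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK)]

def newly_high_blocks(before: bytes, after: bytes) -> list:
    """Block indexes that were low entropy in the baseline and are high now."""
    pairs = zip(block_entropies(before), block_entropies(after))
    return [i for i, (old, new) in enumerate(pairs) if old < HIGH <= new]

def assess(before: bytes, after: bytes) -> dict:
    hits = newly_high_blocks(before, after)
    whole = entropy(after)
    return {"whole_file_entropy": round(whole, 2),
            "whole_file_alert": whole >= HIGH,  # what a single-score check sees
            "flipped_blocks": len(hits),
            "flipped_fraction": len(hits) / max(1, len(block_entropies(after))),
            "block_alert": bool(hits)}

def pseudo_random(n: int, seed: bytes) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext."""
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
    return bytes(out[:n])

def make_samples():
    """Constructed data: a 64-block CSV-like file and a copy with every 4th block overwritten."""
    line = b"2025-11-03,invoice,ACME-0042,approved,1840.00\n"
    clean = (line * (64 * BLOCK // len(line) + 1))[:64 * BLOCK]
    damaged = bytearray(clean)
    for i in range(0, 64, 4):
        damaged[i * BLOCK:(i + 1) * BLOCK] = pseudo_random(BLOCK, bytes([i]))
    return clean, bytes(damaged)

if __name__ == "__main__":
    print(assess(*make_samples()))
```

On the constructed sample the whole-file score stays below the threshold while a quarter of the blocks flip from low to high entropy. Files that are legitimately compressed or encrypted are high entropy in both snapshots, so they do not register as flipped.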

Moving away from reactive recovery

In an official press release, the company emphasized that its research lab continuously updates its models as new ransomware variants emerge.

“Our research lab exists to stay ahead of how ransomware behaves in the real world,” McGann added. 

“By continuously analyzing how these attacks evolve, we’re helping organizations move from reactive recovery to informed, confident decision making when it matters most.”

Last year, we spoke with Index Engines CRO Neil DiMartinis about their patented AI-driven process designed to strengthen recovery from ransomware attacks. Learn more about their AI solution and how it reinforces their role in advancing cyber resilience.
