Blog
How Ransomware Works and How to Prevent It
Kirsten Gantenbein
November 11, 2020
Ransomware can strike any industry, from logistics and media companies to non-profit organizations and governments. Even hospitals are targets for ransomware, holding data and lives hostage.
Ransomware can cause irreparable damage. Understanding how it works and how to detect it can help prevent attacks.
How Does Ransomware Work?
Ransomware is a type of malware that locks files on a victim machine, making data inaccessible. A ransom note appears on the victim's computer with instructions for paying the attacker (usually in a cryptocurrency such as Bitcoin) to unlock the files.
A ransomware attack can originate from a malicious link, email attachment, exploited vulnerability, attack campaign, or worm. After ransomware malware is installed on the victim's machine, the malware often spreads to other devices on a network and connects to a command-and-control (C&C) server controlled by the attacker. The ransomware then waits for a command (such as "encrypt files") from the attacker.
Typically, ransomware locks files with asymmetric encryption, which is a strong cryptographic method that requires two keys (a private key and public key) to encrypt and decrypt data. The attacker controls a private key, and sends a public key to the victim's computer. The ransomware begins encrypting data based on information in the public key. Ransomware usually encrypts non-critical data based on file extensions (such as .txt, .jpg, .xls, or .doc) to make sure that the victim computer functions well enough for the victim to pay the ransom.
After data encryption begins, the encryption process can quickly spread throughout the network and across file shares. The only way to decrypt the data is to receive the private key from the attacker, after paying a ransom.
A general workflow for most types of ransomware.
Examples of Ransomware Variants
Encrypting malware and the extortion activities associated with it have been around for decades. But the type of malware known as ransomware first appeared in 2012. Many variations of ransomware have since emerged, helping attackers evade anti-virus software and network defenses. Let's compare notable ransomware variants to learn how ransomware generally infects computers and encrypts files.
CryptoLocker
CryptoLocker appeared in September 2013, making it one of the earliest examples of ransomware. CryptoLocker was a trojan virus that spread through a botnet and malicious email attachments claiming to be FedEx and UPS tracking notifications. Files on the local hard drive and mounted file shares were encrypted with RSA algorithms. CryptoLocker was stopped in 2014 when the private keys were captured by law enforcement and a decryption tool was released.
CryptoWall
CryptoWall emerged in 2014 and is still seen today. Attackers distribute CryptoWall malware to victims through exploit kits, phishing emails, or malicious links within ads. CryptoWall injects code into explorer.exe, infecting system processes on Windows machines. After the code is run, user information is encrypted and sent to the C&C server to generate a unique public key. Files on the local hard drive and mounted file shares are encrypted with the public key and an algorithm (such as RSA-2048 or AES-256). CryptoWall 3.0 from 2015 has been the most lucrative version for attackers.
Locky
Locky emerged in 2016 and is mainly distributed to victims through an emailed malicious Microsoft Word attachment. The Word document includes a malicious macro that, once enabled, downloads a trojan virus with the encryption malware. Keys are generated on the C&C server, and files on the local hard drive and mounted file shares are encrypted with RSA-2048 and AES-128 algorithms.
WannaCry
WannaCry ransomware variants appeared in May 2017 during an infamous global attack. WannaCry spread as a worm (meaning no user interaction was required to install and spread malware to other devices) by leveraging EternalBlue. EternalBlue is an exploit of a vulnerability in legacy versions of the SMB file-sharing protocol (MS17-010). WannaCry leveraged the DoublePulsar tool to install a backdoor on the victim's computer to manage communication with a C&C server. WannaCry was stopped after the discovery of a "kill switch" in the malware.
Petya and NotPetya
Petya (also referred to as GoldenEye) malware appeared in 2016 and was distributed as email attachments. Unlike most ransomware, Petya often encrypted local system files that prevented victims from accessing their machines. Another variant, referred to as NotPetya, appeared shortly after WannaCry in June 2017. This variant spread as a worm through the same EternalBlue exploit seen in the WannaCry attack and encrypted the master boot record on Windows machines. NotPetya did not provide an option for decrypting files and caused billions of dollars in damage across the globe.
Ryuk
Ryuk ransomware appeared in 2018 and initially targeted large enterprises. In 2020, Ryuk ransomware was linked to hundreds of U.S. hospital and healthcare targets. Ryuk is typically delivered through a Trojan virus called Trickbot, which is known to install a backdoor (anchor_dns) on the victim machine. This backdoor manages encrypted communication with a C&C server through DNS tunneling. To spread across the network, the malware leverages a variety of tools and protocols, including Mimikatz, PowerShell, and Remote Desktop Protocol (RDP). Ryuk encrypts files with a combination of symmetric (AES) and asymmetric (RSA) encryption. Files are encrypted with AES-256 and the AES key is encrypted with an RSA public key. The encrypted key is embedded into the executable file sent to the victim. To evade detection, malware components—the executable file and C&C server domains—are unique to each victim.
How to Detect Ransomware
Detection methods can include log, process, and network traffic monitoring. One approach is to monitor logs and processes for binary files involved in data destruction, such as vssadmin, wbadmin, and bcdedit. Ransomware typically destroys shadow copies of data to prevent data recovery efforts that don't involve paying the ransom.
ExtraHop Reveal(x) automatically detects unusually large volumes of file modifications performed over file-sharing protocols such as SMB, as well as the presence of abnormal file extensions and ransom notes.
Ransomware malware typically scans files and then encrypts them. This behavior appears as distinct file reads and writes.
Specific variants can also be identified by file names or extensions appended to encrypted files. For example, the Brrr variant of Dharma ransomware adds the file extension .brrr to encrypted files. These ransomware extensions identify which files are encrypted and no longer accessible, persuading the victim to pay the ransom.
Encrypted files with a ransomware file extension.
Network defenders can also leverage threat intelligence, which identifies suspicious IP addresses, hostnames, and URIs associated with threat groups. Threat intelligence data can be found in free and commercial sources provided by the security community. ExtraHop Reveal(x) includes curated threat collections, which are continuously updated to cover new ransomware variants. C&C domains associated with ransomware can be automatically detected by Reveal(x) in HTTP and DNS traffic.
How to Prevent Ransomware Attacks
One way to avoid the damage inflicted by ransomware is to maintain off-site backup files that can restore critical systems. Periodically test these backup files to make sure they are working and updated.
To reduce the number of ransomware attack vectors, disable internet access for internal services, especially services that run over file-sharing or remote access protocols such as RDP. For services that must connect to the internet, monitor incoming connections with a firewall or gateway that scans traffic for malicious content. Another strategy for preventing the spread of ransomware is to segment networks and create policies that limit the device interactions to a sub-network. Finally, make sure that servers are routinely updated and patched to reduce the number of vulnerabilities that an attacker can exploit.
Quick Links:
Discover more