Ransomware can strike any industry, from logistics and media companies to non-profit organizations and governments. Even hospitals are targets for ransomware, holding data and lives hostage. Ransomware can cause irreparable damage. Understanding how it works and how to detect it can help prevent attacks.

How Does Ransomware Work?

Ransomware is a type of malware that locks files on a victim machine, making data inaccessible. A ransom note appears on the victim's computer with instructions for paying the attacker (usually in a cryptocurrency such as Bitcoin) to unlock the files.

A ransomware attack can originate from a malicious link, email attachment, exploited vulnerability, attack campaign, or worm. After the ransomware is installed on the victim's machine, it often spreads to other devices on the network and connects to a command-and-control (C&C) server controlled by the attacker. The ransomware then waits for a command (such as "encrypt files") from the attacker.

Typically, ransomware locks files with asymmetric encryption, a strong cryptographic method that uses a pair of keys (a public key for encryption and a private key for decryption). The attacker keeps the private key and sends the public key to the victim's computer. The ransomware then encrypts the victim's data with the public key. Ransomware usually encrypts non-critical data selected by file extension (such as .txt, .jpg, .xls, or .doc), so that the victim's computer keeps working well enough for the victim to pay the ransom. Once encryption begins, it can quickly spread throughout the network and across file shares. The only way to decrypt the data is to receive the private key from the attacker after paying the ransom.
Figure (ExtraHop): A general workflow for most types of ransomware.

Examples of Ransomware Variants

Encrypting malware and the extortion activities associated with it have been around for decades, but the type of malware known as ransomware first appeared in 2012. Many variations of ransomware have since emerged, helping attackers evade anti-virus software and network defenses. Let's compare notable ransomware variants to learn how ransomware generally infects computers and encrypts files.

CryptoLocker

CryptoLocker appeared in September 2013, making it one of the earliest examples of ransomware. CryptoLocker was a trojan that spread through a botnet and through malicious email attachments claiming to be FedEx and UPS tracking notifications. Files on the local hard drive and on mounted file shares were encrypted with RSA. CryptoLocker was stopped in 2014 when law enforcement captured the private keys and a decryption tool was released.

CryptoWall

CryptoWall emerged in 2014 and is still seen today. Attackers distribute CryptoWall to victims through exploit kits, phishing emails, or malicious links within ads. CryptoWall injects code into explorer.exe, infecting system processes on Windows machines. After the code runs, user information is encrypted and sent to the C&C server to generate a unique public key. Files on the local hard drive and on mounted file shares are encrypted with the public key and an algorithm such as RSA-2048 or AES-256. CryptoWall 3.0, from 2015, has been the most lucrative version for attackers.

Locky

Locky emerged in 2016 and is mainly distributed to victims as a malicious Microsoft Word attachment sent by email. The Word document includes a malicious macro that, once enabled, downloads a trojan carrying the encryption malware.
Keys are generated on the C&C server, and files on the local hard drive and on mounted file shares are encrypted with RSA-2048 and AES-128.

WannaCry

WannaCry ransomware variants appeared in May 2017 during an infamous global attack. WannaCry spread as a worm (meaning no user interaction was required to install the malware or to spread it to other devices) by leveraging EternalBlue, an exploit for a vulnerability (MS17-010) in legacy versions of the SMB file-sharing protocol. WannaCry used the DoublePulsar tool to install a backdoor on the victim's computer that managed communication with a C&C server. WannaCry was stopped after a "kill switch" was discovered in the malware.

Petya and NotPetya

Petya (also referred to as GoldenEye) appeared in 2016 and was distributed as email attachments. Unlike most ransomware, Petya often encrypted local system files, which prevented victims from accessing their machines at all. Another variant, referred to as NotPetya, appeared shortly after WannaCry in June 2017. It spread as a worm through the same EternalBlue exploit seen in the WannaCry attack and encrypted the master boot record on Windows machines. NotPetya provided no option for decrypting files and caused billions of dollars in damage across the globe.

Ryuk

Ryuk ransomware appeared in 2018 and initially targeted large enterprises. In 2020, Ryuk was linked to hundreds of U.S. hospital and healthcare targets. Ryuk is typically delivered by a trojan called Trickbot, which is known to install a backdoor (anchor_dns) on the victim machine. This backdoor manages encrypted communication with a C&C server through DNS tunneling. To spread across the network, the malware leverages a variety of tools and protocols, including Mimikatz, PowerShell, and Remote Desktop Protocol (RDP). Ryuk encrypts files with a combination of symmetric (AES) and asymmetric (RSA) encryption.
Files are encrypted with AES-256, and the AES key is encrypted with an RSA public key. The encrypted key is embedded in the executable file sent to the victim. To evade detection, the malware components (the executable file and the C&C server domains) are unique to each victim.

How to Detect Ransomware

Detection methods include log, process, and network traffic monitoring. One approach is to monitor logs and processes for binaries involved in data destruction, such as vssadmin, wbadmin, and bcdedit. Ransomware typically destroys shadow copies of data to prevent recovery efforts that don't involve paying the ransom.

ExtraHop Reveal(x) automatically detects unusually large volumes of file modifications performed over file-sharing protocols such as SMB, as well as the presence of abnormal file extensions and ransom notes.

Figure (ExtraHop): Ransomware typically scans files and then encrypts them. This behavior appears as distinct file reads and writes.

Specific variants can also be identified by the file names or extensions appended to encrypted files. For example, the Brrr variant of Dharma ransomware adds the extension .brrr to encrypted files. These extensions mark which files are encrypted and no longer accessible, persuading the victim to pay the ransom.

Figure (ExtraHop): Encrypted files with a ransomware file extension.

Network defenders can also leverage threat intelligence, which identifies suspicious IP addresses, hostnames, and URIs associated with threat groups. Threat intelligence data is available from free and commercial sources provided by the security community. ExtraHop Reveal(x) includes curated threat collections that are continuously updated to cover new ransomware variants. Reveal(x) can automatically detect C&C domains associated with ransomware in HTTP and DNS traffic.

How to Prevent Ransomware Attacks

One way to avoid the damage inflicted by ransomware is to maintain off-site backups that can restore critical systems. Periodically test these backups to make sure they work and are up to date.

To reduce the number of ransomware attack vectors, disable internet access for internal services, especially services that run over file-sharing or remote access protocols such as RDP. For services that must connect to the internet, monitor incoming connections with a firewall or gateway that scans traffic for malicious content.

Another strategy for preventing the spread of ransomware is to segment the network and create policies that limit device interactions to a sub-network.

Finally, make sure that servers are routinely updated and patched to reduce the number of vulnerabilities an attacker can exploit.
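As an added example (not code from the article or from ExtraHop's product), this script implements the two detection approaches from the "How to Detect Ransomware" section above over constructed sample data: process command lines that delete shadow copies or backup catalogs or disable recovery via vssadmin, wbadmin and bcdedit, and bursts of SMB writes that carry an unfamiliar extension such as .brrr or a ransom-note-like file name. The log line format, the known-extension baseline, the note-name heuristic and the window/threshold values are assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Constructed samples (not from the article or any real host): process lines carry the command
# line after "cmd="; SMB events are (epoch seconds, client IP, path written over SMB).
PROCESS_LOG = [
    "10:05:43 host=ws01 cmd=notepad.exe notes.txt",
    "10:05:44 host=ws01 cmd=vssadmin delete shadows /all /quiet",
    "10:05:45 host=ws01 cmd=wbadmin delete catalog -quiet",
    "10:05:46 host=ws01 cmd=bcdedit /set {default} recoveryenabled no",
    "10:06:00 host=ws01 cmd=vssadmin list shadows",
]
SMB_WRITES = [(0, "10.0.0.5", r"\\fs1\share\q1.xls"), (20, "10.0.0.5", r"\\fs1\share\q2.xls")]
SMB_WRITES += [(60 + i, "10.0.0.9", rf"\\fs1\share\doc{i}.doc.brrr") for i in range(30)]
SMB_WRITES += [(95, "10.0.0.9", r"\\fs1\share\FILES_ENCRYPTED.txt")]  # constructed note name
# Recovery-destroying uses of the binaries the article names; read-only uses (e.g. list) do not match.
RECOVERY_TAMPER = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I),
]
KNOWN_EXT = {".txt", ".jpg", ".xls", ".doc", ".pdf", ".docx", ".xlsx"}  # assumed site baseline
NOTE_NAME = re.compile(r"encrypt|decrypt|restore|recover", re.I)       # assumed note heuristic
def flag_recovery_tampering(lines):
    """Return command lines that delete shadow copies or backup catalogs, or disable recovery."""
    hits = []
    for line in lines:
        m = re.search(r"\bcmd=(.*)$", line)
        if m and any(p.search(m.group(1)) for p in RECOVERY_TAMPER):
            hits.append(m.group(1))
    return hits
def flag_encryption_bursts(events, window=60, threshold=20):
    """Per SMB client, find the peak write count inside any `window`-second span; clients at or
    above `threshold` are reported with unfamiliar extensions and ransom-note-like names."""
    by_client = defaultdict(list)
    for ts, client, path in sorted(events):
        by_client[client].append((ts, path))
    alerts = {}
    for client, writes in by_client.items():
        start, peak = 0, 0
        for end in range(len(writes)):            # two-pointer sliding window over sorted times
            while writes[end][0] - writes[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            names = [ntpath.basename(p) for _, p in writes]
            odd_ext = sorted({ntpath.splitext(n)[1].lower() for n in names} - KNOWN_EXT)
            notes = [n for n in names if NOTE_NAME.search(n)]
            alerts[client] = {"peak_writes": peak, "extensions": odd_ext, "notes": notes}
    return alerts
```

On the constructed data only the bursting client is reported, with .brrr as its unfamiliar extension and the note-like file name; the normal client's two .xls writes stay below the threshold.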