What is Ransomware?

Ransomware is malware that restricts access to a computer system or its data until a ransom is paid. This can be done in a variety of ways.

For instance, screen locker ransomware blocks access to the system by overlaying the display with a ransom note window, prompting the user to make a payment to get control over the machine back.

However, the primary type of ransomware used by attackers nowadays is crypto-ransomware, which specifically uses encryption to hold data hostage. This means that the attacker scrambles the victim's files using a strong encryption algorithm, making them unreadable without the decryption key that can be obtained only after paying a ransom.

At the same time, some malware may employ fake encryption as a deceptive tactic to instill fear and pressure victims into paying ransoms. For example, STRRAT, a Java-based malware, is known for appending the .crimson extension to victims' files. However, this encryption is merely a superficial disguise, as users can easily restore access to their files by manually removing the added extension.
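The fake-encryption case above can be verified during triage: if a renamed file still starts with its original header or is still readable text, only its name changed. The following is an added example, not code from the original page; the signature table, the 0.95 and 7.5 thresholds and the sample files are assumptions constructed for illustration.

```python
import math
import os
import tempfile
from pathlib import Path

MAGIC = (b"%PDF-", b"PK\x03\x04", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")  # assumed table
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (close to 8.0 for ciphertext)."""
    counts = [data.count(bytes([b])) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def classify(path: str, sample: int = 65536) -> str:
    """'renamed-only' if content is intact, else 'likely-encrypted' or 'unknown'."""
    with open(path, "rb") as fh:
        head = fh.read(sample)
    if not head:
        return "unknown"
    if head.startswith(MAGIC):               # original file header survived
        return "renamed-only"
    if sum(b in TEXT_BYTES for b in head) / len(head) > 0.95:
        return "renamed-only"                # still plain text
    return "likely-encrypted" if entropy(head) > 7.5 else "unknown"

def restore(root: str, ext: str = ".crimson", dry_run: bool = True) -> dict:
    """Strip `ext` only from files whose content is intact; never overwrite."""
    report = {"restored": [], "skipped": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(n for n in files if n.endswith(ext)):
            src = os.path.join(dirpath, name)
            dst = src[: -len(ext)]
            verdict = classify(src)
            if verdict == "renamed-only" and not os.path.exists(dst):
                if not dry_run:
                    os.rename(src, dst)
                report["restored"].append(os.path.basename(dst))
            else:
                report["skipped"].append((name, verdict))
    return report

def demo() -> dict:
    samples = {"report.pdf.crimson": b"%PDF-1.7\n% constructed sample\n",
               "notes.txt.crimson": b"meeting notes, constructed sample\n",
               "db.bak.crimson": os.urandom(4096)}  # stand-in for real ciphertext
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            Path(root, name).write_bytes(body)
        return restore(root, dry_run=False)
```

Calling `demo()` restores the two intact files and leaves the high-entropy one in the skipped list; on real evidence, run `restore` with the default `dry_run=True` first and work on a copy of the affected directory.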

Certain strains of wiper malware disguise themselves as ransomware, exploiting victims' desperation for data recovery. These malicious programs permanently destroy files while falsely promising decryption upon ransom payment.

What is a ransomware attack?

A ransomware attack is the process by which cybercriminals infiltrate a computer system or network and deploy malicious software that encrypts or locks critical data, rendering it inaccessible to the owner.

Ransomware attacks can target individuals, businesses, and organizations of all sizes, causing significant disruption, financial losses, and reputational damage. The attackers often exploit vulnerabilities in software, operating systems, or human behavior.

While attackers often promise to restore the victim’s access to their system once they pay a fee, there is never a guarantee they will do it. In many cases, attackers simply take the money and disappear. On top of that, paying criminals further encourages them to continue carrying out illicit activities.

How does ransomware work?

Although the details depend on the particular malware family, a ransomware infection usually begins with system infiltration through means such as phishing emails, malicious links, or software vulnerabilities.

Most frequently, once the ransomware is installed on a victim's device, it will encrypt the victim's files, making them unreadable. The attacker will then display a message, often in the form of a text file or a separate window, demanding a payment to be made in cryptocurrency or another hard-to-trace payment method.

The exact amount of the ransom demand can vary widely. For instance, the WannaCry ransomware requested $300 to be paid within 3 days when targeting individuals, while organizations that suffered an extensive network infection had to fork out millions of dollars. The criminals behind LostTrust, in turn, require their victims to pay at least $100,000.

[Image: A desktop displaying the WannaCry ransom note]

Let’s use the LockBit malware family to see how typical ransomware works:

  • Upon gaining initial access, LockBit typically operates via the command line, accepting file or directory parameters for selective encryption. It can also execute its attack through scheduled tasks or PowerShell Empire.
  • LockBit utilizes tools like Mimikatz to gather additional credentials, expanding its potential impact. To evade detection, it employs different tools to disable security software, while programs such as Network Scanner enable it to identify Domain Controllers or Active Directory servers for ransomware deployment.
  • The ransomware spreads within the network by self-propagating via SMB connections using acquired credentials. It also exfiltrates data using cloud storage services like MEGA. Afterwards, LockBit encrypts both local and network data using AES and replaces the desktop wallpaper with a ransom note.

[Image: LockBit 1.0 process graph]

What does ransomware do to an endpoint device?

Ransomware deals a serious blow to endpoint devices, causing several major detrimental effects:

  • Data Encryption: It encrypts critical files belonging to the user, making them impossible to open. It does this by applying an encryption algorithm and changing the extensions of files.
  • System Disruption: It can disrupt normal system operations, causing crashes, performance issues, and data loss.
  • Access Denial: Infected devices may become completely unusable, preventing users from accessing their data or performing essential tasks. Attackers often limit users’ ability to interact with the system to the window with the ransom demands.
  • Data Exfiltration: Ransomware may also steal sensitive data, further compromising privacy and security. In some cases, criminals may publish the information stolen from their victims, especially high-profile organizations, if they refuse to pay. This adds another pressure point and often forces companies to comply with the demands.
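The extension change described under Data Encryption is one of the more visible signals on an endpoint: a single process giving many files the same new extension within seconds. The following is an added detection example, not code from the original page; the event tuple layout, the threshold of 20 files in 10 seconds and the sample telemetry are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict, deque

def introduced_ext(old: str, new: str):
    """Extension a rename introduced (lower-case), or None if it is unchanged."""
    old_ext = ntpath.splitext(old)[1].lower()
    new_ext = ntpath.splitext(new)[1].lower()
    return new_ext if new_ext and new_ext != old_ext else None

def rename_bursts(events, threshold=20, window=10.0):
    """Return [(pid, ext, first_ts)] for each process that gave `threshold`
    or more files the same new extension within `window` seconds."""
    recent = defaultdict(deque)          # (pid, ext) -> timestamps in window
    alerts, seen = [], set()
    for ts, pid, old, new in sorted(events):
        ext = introduced_ext(old, new)
        if ext is None:
            continue
        q = recent[(pid, ext)]
        q.append(ts)
        while ts - q[0] > window:        # drop renames older than the window
            q.popleft()
        if len(q) >= threshold and (pid, ext) not in seen:
            seen.add((pid, ext))
            alerts.append((pid, ext, q[0]))
    return alerts

def sample_events():
    """Constructed telemetry: (timestamp_s, pid, old_path, new_path)."""
    docs = "C:\\Users\\alice\\Documents\\"
    burst = [(100 + i * 0.25, 4120, f"{docs}file{i}.docx", f"{docs}file{i}.docx.locked")
             for i in range(25)]
    benign = [(50.0, 900, docs + "~WRD0001.tmp", docs + "plan.docx"),
              (400.0, 900, docs + "~WRD0002.tmp", docs + "budget.docx"),
              (405.0, 2200, docs + "old.txt", docs + "old_v2.txt")]
    return burst + benign
```

A fixed window misses slow encryption: the same sample produces no alert with `window=3.0`, so pair a rule like this with other signals rather than relying on it alone.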

What are examples of ransomware families?

In order to track both active and no longer operational ransomware families, use ANY.RUN’s Malware Trends Tracker.

Here are some of the notable examples of ransomware, according to the service:

  • WannaCry: A self-propagating ransomware, exploiting the EternalBlue vulnerability to infiltrate and spread across vulnerable networks. Since its emergence in 2017, this malware has caused billions of dollars in damages and infected over 200,000 computers globally. As of 2023, the ransomware is no longer active.
  • LockBit: A prominent ransomware strain, operating under the Malware-as-a-Service model, which fuels its widespread adoption. According to some estimates, LockBit is responsible for up to 40% of all ransomware attacks. It targets organizations of all sizes, from large corporations like Royal Mail, where an $80 million ransom was demanded, to smaller businesses.
  • LostTrust: LostTrust is a relatively new ransomware strain that emerged in March 2023. It employs a multi-extortion strategy, not only encrypting data on the victim's system but also exfiltrating sensitive files for additional leverage. The perpetrators then publish the stolen data on a dedicated website, showcasing a growing list of compromised organizations.

How does ransomware spread?

Phishing emails serve as the primary weapon of choice for ransomware attackers. These carefully crafted messages, often disguised as legitimate communications from trusted entities like banks or online services, aim to deceive recipients into clicking malicious links or opening infected attachments.

Ransomware can also move laterally, that is, spread across the entire network of computers once it gains a foothold on one of them. Additionally, many malware families are distributed via file sharing services, where they can be disguised as legitimate software.

Alternatively, ransomware can end up on systems by means of loaders, malware designed with the sole purpose of distributing other malicious programs.

How to prevent a ransomware attack

Ransomware is an extremely widespread type of malware, and knowing how to protect against ransomware is essential for every organization that values its cybersecurity. A comprehensive defense stack against attacks consists of multiple solutions, including the malware sandbox that can be employed in different scenarios.

For instance, infections stemming from phishing emails and websites can be avoided if a sandbox is first used to analyze them. The ANY.RUN malware sandbox lets you quickly determine whether a file or link poses a threat by uploading it to the service. ANY.RUN produces a detailed report featuring the verdict on the sample’s maliciousness and relevant indicators of compromise (IOCs) that can be used for detection.

[Image: ANY.RUN report on a WannaCry sample]

On top of that, the sandbox is fully interactive, meaning you can engage with malicious files and links in a safe cloud virtual machine like you would on a normal computer.

Have a look at

  • Mallox: Mallox is a ransomware strain that emerged in 2021, known for its ability to encrypt files and target database servers using vulnerabilities like RDP. Often distributed through phishing campaigns and exploiting exposed SQL servers, it locks victims' data and demands a ransom. Mallox operates as a Ransomware-as-a-Service (RaaS), making it accessible to affiliates who use it to conduct attacks.
  • Virlock: Virlock is a unique ransomware strain that combines encryption capabilities with file infection techniques. First observed in 2014, it stands out due to its polymorphic nature and ability to embed its code into compromised files, ensuring continued propagation. Once it infects a system, it encrypts files and locks the screen, demanding a ransom for file recovery and system access.
  • WannaCry: WannaCry is a famous ransomware that utilizes the EternalBlue exploit. This malware is known for infecting at least 200,000 computers worldwide and it continues to be an active and dangerous threat.
  • BlueSky: BlueSky ransomware, first identified in June 2022, shares code similarities with other well-known ransomware families like Conti and Babuk. It primarily spreads via phishing emails and malicious links and can propagate through networks using SMB protocols. BlueSky uses advanced evasion techniques, such as hiding its processes from debuggers via the NtSetInformationThread API, making it difficult for analysts to detect and mitigate its attacks.
  • Black Basta: Black Basta is a ransomware-as-a-service operated by Storm-1811. It emerged in 2022 and uses double extortion tactics, encrypting data and stealing it for ransom. The malware often gains access through spear-phishing and uses tools like QakBot and Cobalt Strike. It's known for exploiting system vulnerabilities and using advanced obfuscation techniques.
  • Razr: Razr is a destructive ransomware that infiltrates systems to encrypt files, rendering them inaccessible to users. It appends the ".razr" extension to the encrypted files and drops a ransom note, typically named "README.txt," instructing victims on how to pay the ransom to obtain the decryption key. The malware often spreads through phishing emails with malicious attachments or by exploiting vulnerabilities in software and operating systems. Razr employs strong encryption algorithms, making it challenging to decrypt files without the attackers' key.