BLACK FRIDAY: 2-for-1 offer NOVEMBER 20 - 26 See details

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

How to analyze Ransomware with ANY.RUN

Top malware of this type

Trend changes
Tasks overall
  • 2


  • 3


  • 4


  • 5


  • 6


  • 7


  • 8


  • 9


  • 10


  • 11


  • Last Seen at

    Recent blog posts

    post image
    What Are the 3 Types of Threat Intelligence D...
    watchers 149
    comments 0
    post image
    Expert Q&A: Aaron Fillmore on his Cyberse...
    watchers 161
    comments 0
    post image
    Malware Trends Report: Q2, 2024 
    watchers 1630
    comments 0

    What is Ransomware?

    Ransomware is malware that restricts access to a computer system or its data until a ransom is paid. This can be done in a variety of ways.

    For instance, screen locker ransomware blocks access to the system by overlaying the display with a ransom note window, prompting the user to make a payment to get control over the machine back.

    However, the primary type of ransomware used by attackers nowadays is crypto-ransomware, which specifically uses encryption to hold data hostage. This means that the attacker scrambles the victim's files using a strong encryption algorithm, making them unreadable without the decryption key that can be obtained only after paying a ransom.

    At the same time, some malware may employ fake encryption as a deceptive tactic to instill fear and pressure victims into paying ransoms. For example, STRRAT, a Java-based malware, is known for appending the .crimson extension to victims' files. However, this encryption is merely a superficial disguise, as users can easily restore access to their files by manually removing the added extension.

    Certain strains of wiper malware disguise themselves as ransomware, exploiting victims' desperation for data recovery. These malicious programs permanently destroy files while falsely promising decryption upon ransom payment.

    Get started today for free

    Easily analyze emerging malware with ANY.RUN interactive online sandbox

    Register for free

    What is a ransomware attack?

    A ransomware attack is the process by which cybercriminals infiltrate a computer system or network and deploy malicious software that encrypts or locks critical data, rendering it inaccessible to the owner.

    Ransomware attacks can target individuals, businesses, and organizations of all sizes, causing significant disruption, financial losses, and reputational damage. The attackers often exploit vulnerabilities in software, operating systems, or human behavior.

    While attackers often promise to restore the victim’s access to their system once they pay a fee, there is never a guarantee they will do it. In many cases, attackers simply take the money and disappear. On top of that, paying criminals further encourages them to continue carrying out illicit activities.

    How does ransomware work?

    Although how ransomware works depends on particular malware families, it usually begins with system infiltration through various means, such as phishing emails, malicious links, or software vulnerabilities.

    Most frequently, once the ransomware is installed on a victim's device, it will encrypt the victim's files, making them unreadable. The attacker will then display a message, often in the form of a text file or a separate window, demanding a payment to be made in cryptocurrency or other hard-to-trace method of payment.

    Analyze malware for free in a fully interactive cloud sandbox – sign up now!

    The exact amount of the ransom demand can vary widely. For instance, the WannaCry ransomware requested $300 to be paid within 3 days, when targeting individuals, while organizations that suffered an extensive network infection had to fork out millions of dollars. In their turn, the criminals behind LostTrust require their victims to pay at least $100,000.

    Wannacry ransom note A desktop displaying the WannaCry ransom note

    Let’s use the LockBit malware family to see how a typical ransomware works:

    • Upon gaining initial access, LockBit typically operates via the command line, accepting file or directory parameters for selective encryption. It can also execute its attack through scheduled tasks or PowerShell Empire.
    • LockBit utilizes tools like Mimikatz to gather additional credentials, expanding its potential impact. To evade detection, it employs different tools to disable security software, while programs, such as Network Scanner enable it to identify Domain Controllers or Active Directory servers for ransomware deployment.
    • The ransomware spreads within the network by self-propagating via SMB connections using acquired credentials. It also exfiltrates data using cloud storage services like MEGA. Afterwards, LockBit encrypts both local and network data using AES and replaces the desktop wallpaper with a ransom note.

    LockBit process graph LockBit 1.0 process graph

    What does ransomware do to an endpoint device?

    Ransomware deals a serious blow to endpoint devices, causing several major detrimental effects:

    • Data Encryption: It encrypts critical files belonging to the user, making them impossible to open. It does by applying an encryption algorithm and changing the extensions of files.
    • System Disruption: It can disrupt normal system operations, causing crashes, performance issues, and data loss.
    • Access Denial: Infected devices may become completely unusable, preventing users from accessing their data or performing essential tasks. Attackers often limit users’ ability to interact with the system to the window with the ransom demands.
    • Data Exfiltration: Ransomware may also steal sensitive data, further compromising privacy and security. In some cases, criminals may publish the information stolen from their victims, especially high-profile organizations, if they refuse to pay. This adds another pressure point and often forces companies to comply with the demands.

    What are examples of ransomware families?

    In order to track both active and no longer operational ransomware families, use ANY.RUN’s Malware Trends Tracker.

    Here are some of the notable examples of ransomware, according to the service:

    • WannaCry: A self-propagating ransomware, exploiting the EternalBlue vulnerability to infiltrate and spread across vulnerable networks. Since its emergence in 2017, this malware has caused billions of dollars in damages and infected over 200,000 computers globally. As of 2023, the ransomware is no longer active.
    • LockBit: A prominent ransomware strain, operating under the Malware-as-a-Service model, which fuels its widespread adoption. According to some estimates, LockBit is responsible for up to 40% of all ransomware attacks. It targets organizations of all sizes, from large corporations like Royal Mail, where a $80 million ransom was demanded, to smaller businesses.
    • LostTrust: LostTrust is a relatively new ransomware strain that emerged in March 2023. It employs a multi-extortion strategy, not only encrypting data on the victim's system but also exfiltrating sensitive files for additional leverage. The perpetrators then publish the stolen data on a dedicated website, showcasing a growing list of compromised organizations.

    How does ransomware spread?

    Phishing emails serve as the primary weapon of choice for ransomware attackers. These carefully crafted messages, often disguised as legitimate communications from trusted entities like banks or online services, aim to deceive recipients into clicking malicious links or opening infected attachments.

    Ransomware can also move laterally, which is to spread across the entire network of computers, once it gains a foothold on one of them. Additionally, many malware families are distributed via file sharing services, where they can be masqueraded as legitimate software.

    Alternatively, ransomware can end up on systems through the means of loaders, special malware designs with the sole purpose of distributing other malicious programs.

    How to prevent ransomware attack

    Ransomware is an extremely widespread type of malware and knowing how to protect from ransomware is essential for every organization valuing its cybersecurity. A comprehensive defense stack against attacks consists of multiple solutions, including the malware sandbox that can be employed in different scenarios.

    For instance, infections stemming from phishing emails and websites can be avoided, if a sandbox is first used to analyze them. The ANY.RUN malware sandbox lets you quickly determine whether a file or link poses a threat by uploading it to the service. ANY.RUN produces a detailed report featuring the verdict on the sample’s maliciousness and relevant indicators of compromise (IOCs) that can be used for detection.

    WannaCry sample report ANY.RUN report on a WannaCry sample

    On top of that, the sandbox is fully interactive, meaning you can engage with malicious files and links in a safe cloud virtual machine like you would on a normal computer.

    Try ANY.RUN for free – request a demo!


    DarkSide screenshot
    DarkSide ransomware is a novel ransomware strain involved in high-profile incidents. Its attacks lead to data theft and encryption, causing significant damage to victims.
    Read More
    Dharma screenshot
    dharma ransomware
    Dharma is advanced ransomware that has been observed in the wild since 2016. It is considered to be the second most profitable RaaS operation by the FBI. The malware targets hospitals and state organizations, encrypts files, and demands a payment to restore access to lost information.
    Read More
    GandCrab screenshot
    gandcrab ransomware
    GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.
    Read More
    LockBit screenshot
    LockBit, a ransomware variant, encrypts data on infected machines, demanding a ransom payment for decryption. Used in targeted attacks, It's a significant risk to organizations.
    Read More
    LostTrust screenshot
    LostTrust is a ransomware that has been active since March 2023. It is a multi-extortion malware, meaning that it not only encrypts data on the compromised system and demands a ransom, but also exfiltrates some of the critical files to the attacker. The criminals publish the stolen data on a special website, where dozens of companies are listed as victims of the malware.
    Read More
    Maze screenshot
    maze ransomware
    Maze is ransomware — a malware type that encrypts the victim’s files and restores the data in exchange for a ransom payment. One of the most distinguishable features of Maze is that it is one of the first malware of the kind to publicly release stolen data.
    Read More

    Our website uses cookies. By visiting the pages of the site, you agree to our Privacy Policy