Anatomy of a Ransomware Attack

By now, we have realized how lucrative the ransomware business has become for criminals. This is due in part to the success of common ransomware such as Locky or Cryptolocker. It is estimated that Cryptolocker generated 3 million dollars even though only 3 percent of the victims paid the ransom [1]. Not only has this amount triggered the interest of criminals, but it also reveals the magnitude of the problem that is ransomware. When one click has the power to shut down the operations of an organization, it is important to stay protected.

Ransomware is a piece of malware designed to block access to a system or the information stored on it until a sum of money is paid. Essentially, instead of stealing your information and selling it to an unknown party for pennies, the ransomware authors are holding your data hostage, forcing the typical person to pay an average of $400 and small businesses $7,500 to get data back [2].

With new ransomware strains being discovered every day, it is important to understand the common patterns so you can determine how your current defenses hold up. If you have an understanding of the main patterns of ransomware, when new strains surface, you will have a better chance of minimizing the impact to your organization. Here are ten common patterns we have documented while investigating and researching the techniques of over 250 variants of ransomware:

Top 10 Common Patterns

| # | Pattern | Description |
|---|---------|-------------|
| 1 | Infection Vector | Email spam campaigns |
| 2 | Encryption Algorithm | AES-256 and RSA |
| 3 | Ransom Demand | $300-$600 |
| 4 | Time Limit Persuasion Method | Price will double after 72 hours if not paid |
| 5 | Payment Option | Victims will be required to purchase bitcoin and pay through the Tor network |
| 6 | Prevent Recovery | Delete shadow volume copies and restore points |
| 7 | Private Key Storage | Remote C2 server |
| 8 | Miscellaneous Persuasion Method | Allow a victim to decrypt one file to prove that file recovery is possible |
| 9 | Most Common Persistence Method | Through the registry |
| 10 | Most Common Registry Change | Disabling Task Manager / gaining persistence |

Pattern #1: Infection Vector

While most ransomware is spread through email, the content of those emails varies widely. The email could appear to come from a variety of places, most commonly a shipping company, a bank statement, or a resume from a “potential employee”. The From address associated with the email indicates what type of targets the ransomware authors are looking to infect.

There are two main types of attachments. The most common is a Word document with malicious macros attached. These documents, when opened, coax the reader into enabling macros by telling the user that if the document is not being displayed correctly (which it won’t be) they need to enable macros. The second type of attachment is an executable file disguised as a PDF. This attachment takes advantage of the default Windows configuration, which does not display the last extension. Therefore, at first glance, a user would see invoice.pdf when, in fact, the file’s full name is invoice.pdf.exe. Additionally, the executable would have a PDF icon.
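The two attachment types described above can be triaged by filename alone at the mail gateway. The following is an added example, not code from the original article; the extension lists and the function name `classify_attachment` are assumptions chosen for illustration.

```python
# Constructed extension lists (assumptions for this sketch, not from the article).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
MACRO_EXTS = {"doc", "docm", "dotm", "xls", "xlsm", "ppt", "pptm"}


def classify_attachment(filename):
    """Return a list of findings for one attachment filename."""
    # Keep only the file name; Windows ignores trailing dots and spaces.
    base = filename.replace("/", "\\").rsplit("\\", 1)[-1].rstrip(". ")
    parts = [p.strip().lower() for p in base.split(".")]
    if len(parts) < 2:
        return []  # no extension at all
    findings = []
    last = parts[-1]
    if last in EXECUTABLE_EXTS:
        findings.append("executable")
        # With "hide extensions for known file types" on, Explorer drops
        # only the final extension, so the decoy extension is what shows.
        if len(parts) >= 3 and parts[-2] in DECOY_EXTS:
            shown = base[: base.rfind(".")].rstrip()
            findings.append("double-extension: shown as " + shown)
    elif last in MACRO_EXTS:
        findings.append("macro-capable")
    return findings


if __name__ == "__main__":
    # Constructed sample names.
    for name in ["invoice.pdf.exe", "invoice.pdf", "Resume.DOCM", "scan.pdf   .exe"]:
        print(name, "->", classify_attachment(name))
```

A filename check only covers what the sender chose to call the file; it complements, and does not replace, content inspection of the attachment itself.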

Pattern #2: Encryption Algorithm

Most ransomware uses the RSA cryptosystem coupled with the AES-256 encryption algorithm. RSA is a public key system where the encryption key is public and differs from the decryption key, which is often held on a C2 server.

AES-256 is an encryption algorithm based on a key, in this case, the RSA key. In 2003 the U.S. Government approved AES for the encryption of classified data, as it is infeasible to break the encryption with current technology [3].

Pattern #3: Ransom Demand

The ransom demand often depends on what type of target the ransomware is designed for. If the criminals are sending emails designed for small businesses, the ransom demands are often higher. The ransom demand appears to be completely dependent on the ransomware authors. Some ransomware strains aim for quantity over quality and only charge $40 for decryption, whereas the 7ev3n ransomware charges 13 bitcoin (~$8000).

Pattern #4: Time Limit Persuasion

In order to see profits without having to wait too long, ransomware authors often use some type of time limit. For example, a ransom demand may double in price every 72 hours. A more aggressive approach is to claim that your files will become permanently encrypted in 7 days. Another aggressive kind of ransomware will delete files every hour until the ransom is paid.

These time limits not only allow for relatively instant turnover but also prevent the victim from being able to fully process what has just occurred. When a victim is infected, they may be in a worst-case-scenario panic state. This is intentional, as it will dissuade them from looking for alternate solutions or contracting a security researcher to attempt to crack the ransomware.

Pattern #5: Payment Options

After convincing the victim to pay money, ransomware authors will most commonly instruct the victim on how to purchase Bitcoin as well as how to use the Tor network in order to pay. The attackers use both of these in order to remain anonymous. If they do not use browser-based payment, the ransomware authors will give victims an email address to contact for more information. This type of communication is much more common with offline ransomware.

After payment, most online ransomware will connect to the C2 server, discover that the ransom was paid, and will begin decrypting automatically. Offline ransomware will often send the victim a decryption key via email. This key is then input into the program in order to begin decryption.

Pattern #6: Prevent Recovery

When a system is infected by ransomware, shadow volume copies are often deleted in order to prevent an easy recovery process. There are a couple of ways ransomware accomplishes this, but the most common one is to use vssadmin.exe, a tool in Windows that allows an administrator to manage Shadow Volume Copies.

In order to protect your restore points, the easiest method is to rename vssadmin.exe [4]. Then, when the ransomware runs a command, it will not be able to find the binary. By renaming it, you also give yourself the option of reverting the change if the need ever arises.
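Shadow copy deletion through vssadmin.exe is also something a defender can watch for in process-creation logs. The following is an added example, not code from the original article; the tab-separated log layout, host names and function names are constructed for illustration, and the match is on the `vssadmin delete shadows` subcommand.

```python
import re

# Constructed sample: "<time>\t<host>\t<command line>" process-creation records.
SAMPLE_LOG = """\
2016-05-02T09:14:03Z\tWS-014\tC:\\Windows\\System32\\vssadmin.exe list shadows
2016-05-02T09:14:41Z\tWS-014\t"C:\\Windows\\System32\\VSSADMIN.EXE" Delete Shadows /All /Quiet
2016-05-02T09:15:10Z\tWS-022\tcmd.exe /c vssadmin delete shadows /for=C: /quiet
2016-05-02T09:16:00Z\tWS-030\tnotepad.exe C:\\notes\\vssadmin delete shadows.txt
"""

TOKEN = re.compile(r'"[^"]*"|\S+')  # quoted strings or bare words


def is_vssadmin(token):
    """True if the token names vssadmin, with or without path, quotes, .exe."""
    base = token.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return base in ("vssadmin", "vssadmin.exe")


def shadow_delete_args(command_line):
    """Return the arguments after 'delete shadows', or None if not a deletion."""
    tokens = TOKEN.findall(command_line)
    for i, tok in enumerate(tokens):
        verb = [t.lower() for t in tokens[i + 1:i + 3]]
        if is_vssadmin(tok) and verb == ["delete", "shadows"]:
            return [t.lower() for t in tokens[i + 3:]]
        if tok.startswith('"') and " " in tok:
            # A wrapper such as cmd /c "..." carries the command in one token.
            inner = shadow_delete_args(tok.strip('"'))
            if inner is not None:
                return inner
    return None


def find_shadow_deletions(log_text):
    """Scan log records and return one dict per shadow copy deletion."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) != 3:
            continue  # skip malformed records
        when, host, cmd = parts
        args = shadow_delete_args(cmd)
        if args is not None:
            hits.append({"time": when, "host": host,
                         "all": "/all" in args, "quiet": "/quiet" in args})
    return hits
```

Tokenising the command line rather than substring matching keeps the benign `list shadows` call and the notepad record out of the results.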

Pattern #7: Private Key Storage

The most secure way for ransomware to store its private keys is on a C2 server. However, some ransomware is designed to work offline in order to infect more computers. Such ransomware must store the private key somewhere in memory, and if it is stored insecurely, a security researcher is often able to create a decryption tool.

There are a couple of ransomware strains that are beginning to create a private/public key pair for each file instead of each system. They are able to achieve this by adding the encrypted private key at the end of the file’s byte stream. Therefore, when decrypting, the ransomware will look at the last bytes to determine the correct decryption key.

Pattern #8: Miscellaneous Persuasion Method

Ransomware does many different things to attempt to persuade a victim to pay the ransom, but the most common non-time-based method is allowing a person one sample decryption. This helps convince a user that their computer will go back to normal if the ransom is paid.

However, this feature can be a gamble for the criminals as well. If a victim of ransomware had an expensive wallet.dat (bitcoin wallet) that was encrypted, he/she would most definitely pay the ransom in order to gain the currency back. It is not uncommon for users to have a single file that is worth more than the rest of them combined. This feature would allow this type of victim to recover their valuable file and leave the rest.

Pattern #9: Most Common Persistence Method

The most common persistence method for ransomware is to create Run and RunOnce registry keys. Some ransomware also adds an asterisk in front of the key, causing it to also run in Safe Mode. The second most common method is to copy the malware into %UserProfile%\Start Menu\Programs\Startup.

Unfortunately, due to the nature of ransomware, preventing persistence of the ransomware will not help decrypt your files. However, depending on the ransomware, it could prevent the deletion of files or the encryption of new files.

Pattern #10: Most Common Registry Changes

Apart from persistence, ransomware may make other changes to limit a victim’s access to their computer. The most common change is the disabling of the Task Manager in the registry. Most likely this is to prevent the stopping of the encryption process when the ransomware is first installed, especially if the ransomware uses a particularly slow algorithm.

The second, less common change is the disabling of internet browsers. In order to prevent research, some ransomware limit the sites a victim can navigate to, especially security sites.
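Patterns #9 and #10 both leave traces in the registry that can be audited from an exported hive. The following is an added example, not code from the original article: it parses a constructed `.reg`-style export and flags Run/RunOnce autoruns, asterisk-prefixed names, and the `DisableTaskMgr` policy value. The user-writable path heuristic and all sample entries are assumptions for illustration, and the Startup folder is not covered.

```python
import re

# Constructed sample in .reg export layout (not taken from a real host).
SAMPLE_REG = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"updater"="C:\\Users\\alice\\AppData\\Roaming\\svch0st.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"*restore"="C:\\Users\\alice\\AppData\\Local\\Temp\\r.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
RUN_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.I)
POLICY_RE = re.compile(r"\\CurrentVersion\\Policies\\System$", re.I)
# Assumed heuristic: autoruns launched from these locations deserve a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")


def audit(reg_text):
    """Return (key, value name, reason) tuples for suspicious entries."""
    findings, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group(1), m.group(2)
        if RUN_RE.search(key):
            # .reg files escape quotes and backslashes; undo that to match.
            path = data.strip('"').replace('\\"', '"').replace("\\\\", "\\").lower()
            if name.startswith("*"):
                findings.append((key, name, "asterisk prefix: also runs in Safe Mode"))
            if any(p in path for p in USER_WRITABLE):
                findings.append((key, name, "autorun from user-writable path"))
        elif POLICY_RE.search(key) and name.lower() == "disabletaskmgr":
            if data.lower().startswith("dword:") and int(data[6:], 16) != 0:
                findings.append((key, name, "Task Manager disabled"))
    return findings
```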


These ten common patterns should allow insight into the evolution and development of modern ransomware. Ransomware will not disappear any time in the near future so it is important to stay updated and educated.

We are not defenseless against ransomware. As mentioned above, the most common delivery method is email spam campaigns, so it is important to implement email defense software. Additionally, educate employees on ransomware by teaching them how to spot suspicious activity and then test them by sending your own fake emails. There is only one true way to defend against ransomware and that is by protecting all of your data inside backups. This should allow for quick rollbacks and enable employees to have minimum downtime when infected with ransomware.

If you are infected with ransomware and have no means of restoration, would you pay the ransom? If your small business data has been encrypted, the FBI says, “To be honest, we often advise people to just pay the ransom” [5]. If a ransomware is that good, you may have no other choice. However, there are some things that we need to keep in mind when deciding whether or not to pay the ransom. First, 19% of all businesses that paid the ransom did not get their files decrypted. Therefore, depending on the ransom, you could have potentially paid upwards of $5,000 for no reason [6]. Not only that, but when a ransom is paid, you are directly supporting the authors in the same way a company is supported when you buy their product. By paying a ransom, you are promoting the spread of ransomware.

Imagine yourself in a situation where a viral ransomware spread throughout your entire infrastructure. As time progresses, this next-gen ransomware will leak critical company information as well as increase the price from its initial $10,000. In order to prevent a situation such as this, ensure that your antivirus solution detects most if not all variants of ransomware.

Be a proactive defender and know the patterns. Only then can you validate your own security detection and prevention capabilities before being truly impacted by ransomware.