Why Ransomware Works: Tactics and Routines Beyond Encryption


How do companies, regardless of size and industry, prepare for ransomware attacks? A recent study revealed that some businesses are considering stockpiling Bitcoin, just in case they get hit by these threats and need to recover their confidential files quickly. We don't recommend giving in to the ransom demand: payment doesn't guarantee that you'll get your files back, and it marks you as a target for further ransomware attacks. Still, we can't blame large organizations and businesses for considering it. Ransomware attacks disrupt business operations and productivity and can damage a company's reputation. Together, these factors can amount to losses well beyond the price of the decryption tool itself.

Why ransomware remains persistent

To avoid becoming a ransomware victim, it helps to understand how and why it works. Of course, social engineering baits and the use of commercial-grade encryption play a crucial role in the success of ransomware attacks. But beyond that, the current spate of ransomware also employs other malware routines that, while not technically sophisticated on their own, can wreak greater havoc in combination and cost a lot of time, effort, and headache for the IT personnel who attempt to troubleshoot the issue.

Imagine company X learning that its files, crown jewels included, may have been encrypted and are being held hostage until a ransom is paid. The IT administrator takes the necessary steps of disconnecting and isolating the infected system from the network. He then tries to clean up the infected computer and restore the files, but encounters several challenges.

For instance, one of the more common methods ransomware families use is to delete Volume Shadow Copies, the point-in-time snapshots Windows keeps for System Restore and the "Previous Versions" feature. They do this by executing either of the following commands:

vssadmin.exe Delete Shadows /All /Quiet

WMIC.exe shadowcopy delete /nointeractive

By deleting the shadow copies, the malware removes the local backup copies of the files, which can prevent you from recovering them without a separate backup. Note that both Windows 7 and Windows 8 can delete shadow copies; in Windows 8 the option is simply not exposed in the UI. Variants like CRYPWALL, Locky, CERBER, and CRYPTESLA, among others, use this technique.
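To make this routine concrete, here is an added example (not code from the original post) of detection logic for shadow-copy deletion, run over constructed process-creation events of the kind Sysmon event 1 or Windows Security event 4688 produce. It goes beyond the two commands quoted above: it also matches vssadmin resize shadowstorage, wbadmin delete catalog and bcdedit ... recoveryenabled no, which ransomware commonly chains with them, and it raises the severity when the parent process is a document viewer, a script host or a binary in a user-writable directory, because an administrator's own vssadmin delete shadows from a console is legitimate and should only be reviewed. The field names, the parent lists and the sample events are assumptions made for the illustration.

```python
import re

# Command lines that delete or starve Volume Shadow Copies. The vssadmin and
# wmic forms are the two quoted in the text; the other three are related
# recovery-inhibition commands ransomware commonly chains with them (added here
# as a generalization, not taken from the original post).
RECOVERY_INHIBITION_RULES = {
    "vssadmin_delete_shadows":  re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "vssadmin_resize_storage":  re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy_delete":   re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin_delete_catalog":   re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
    "bcdedit_disable_recovery": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I),
}

# Parents from which shadow-copy deletion is practically never legitimate:
# document viewers and script hosts (the usual spam-attachment chain). cmd.exe
# and powershell.exe are deliberately absent because administrators use them.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")


def normalize(cmdline):
    """Collapse whitespace and drop quotes so spacing and quoting tricks do not break matching."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "")).strip()


def match_rules(cmdline):
    """Names of every rule the command line triggers, in rule order."""
    norm = normalize(cmdline)
    return [name for name, pattern in RECOVERY_INHIBITION_RULES.items() if pattern.search(norm)]


def parent_is_suspicious(parent_image):
    """True when the parent is a document/script host or lives in a user-writable directory."""
    path = parent_image.lower()
    return path.rsplit("\\", 1)[-1] in SUSPICIOUS_PARENTS or any(d in path for d in USER_WRITABLE_DIRS)


def scan_process_events(events):
    """One alert per process-creation event whose command line matches a rule.

    Each event is a dict with keys pid, image, parent_image and cmdline, the
    fields a Sysmon event 1 or Security event 4688 record provides (assumed layout).
    """
    alerts = []
    for ev in events:
        rules = match_rules(ev["cmdline"])
        if not rules:
            continue
        alerts.append({
            "pid": ev["pid"],
            "rules": rules,
            "severity": "high" if parent_is_suspicious(ev["parent_image"]) else "medium",
            "cmdline": ev["cmdline"],
        })
    return alerts


# Constructed sample events (not real telemetry): two deletions launched by a
# dropper in %AppData%, an administrator's own deletion from a console, and a
# benign listing that must not fire.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "cmdline": "vssadmin.exe  Delete Shadows /All /Quiet"},
    {"pid": 4131, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Users\alice\AppData\Roaming\updater.exe",
     "cmdline": '"WMIC.exe" shadowcopy delete /nointeractive'},
    {"pid": 5008, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin delete shadows /for=D: /oldest"},
    {"pid": 5020, "image": r"C:\Windows\System32\vssadmin.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for alert in scan_process_events(SAMPLE_EVENTS):
        print(alert["severity"], alert["pid"], alert["rules"], alert["cmdline"])
```

The normalization step matters in practice: samples routinely pad the command line with extra spaces or wrap the binary name in quotes, and a rule written against the exact string in a report would miss them. Treat "medium" alerts as review items (backup jobs and administrators legitimately run vssadmin) and "high" ones as incidents.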

Other routines can be roughly categorized as startup modification, propagation, and anti-detection mechanisms:

Startup modification

Overwriting or wiping the Master Boot Record (MBR) renders the system unbootable. This adds another layer of difficulty, since the system can no longer even be started in safe mode to restore it. PETYA is one variant with this capability. MATSNU, on the other hand, executes backdoor commands to wipe the MBR as well as to lock the screen.

Propagation tactics

It is already difficult to restore files on one system because of the encryption ransomware uses. It is harder still when the threat can spread via removable drives and network shares, where other crucial data can be encrypted as well. One ransomware dubbed Zcryptor (ZCRYPT crypto-ransomware) spreads via removable drives and network shares.

Anti-detection mechanism

A watchdog process is typically used to respawn a new instance of the malware if the running one is terminated. The malware sets this up by copying the legitimate regsvr32.exe or rundll32.exe under the name svchost.exe. While one process runs to do the encryption, the other functions as the watchdog. Another technique ransomware employs to avoid easy detection is checking whether it is running in a VMware environment, since a virtual machine often indicates a sandbox or an analyst's system.


Figure 1. Process tree of CryptXXX infection, including watchdog process
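As an added example (not from the original post, and not the malware's own code), here is process-tree logic that surfaces the masquerade just described. A genuine svchost.exe lives under System32 or SysWOW64, is normally started by services.exe, and carries OriginalFileName svchost.exe in its PE version resource, so a renamed rundll32.exe copy fails all three checks; a second pass then pairs a flagged process with a parent that is the same flagged image, which is the encryptor/watchdog relationship shown in Figure 1. The record layout (pid, ppid, image, original_filename, as a Sysmon process-creation event would supply them) and the sample tree are constructed for the illustration.

```python
# Paths where a genuine svchost.exe lives (lower-case, trailing backslash).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path):
    """Last path component, lower-cased, from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def find_masquerading_svchost(procs):
    """Return {pid: [reasons]} for every svchost.exe that does not look genuine.

    procs is a list of dicts with keys pid, ppid, image (full path) and
    original_filename (OriginalFileName from the PE version resource);
    this layout is an assumption for the example.
    """
    by_pid = {p["pid"]: p for p in procs}
    findings = {}
    for p in procs:
        image = p["image"].lower()
        if basename(image) != "svchost.exe":
            continue
        reasons = []
        if not image.startswith(SYSTEM_DIRS):
            reasons.append("runs outside System32/SysWOW64")
        original = p.get("original_filename", "").lower()
        if original and original != "svchost.exe":
            reasons.append("PE OriginalFileName is %s (renamed copy)" % original)
        parent = by_pid.get(p["ppid"])
        if parent is None or basename(parent["image"]) != "services.exe":
            reasons.append("parent is not services.exe")
        if reasons:
            findings[p["pid"]] = reasons

    # Second pass: a flagged process whose parent is another flagged process
    # running the same image is the worker/watchdog arrangement, where the
    # watchdog (re)spawns the encryptor from the same renamed binary.
    for pid, reasons in findings.items():
        parent = by_pid.get(by_pid[pid]["ppid"])
        if (parent is not None and parent["pid"] in findings
                and parent["image"].lower() == by_pid[pid]["image"].lower()):
            reasons.append("spawned by an identically named flagged process (watchdog/worker pair)")
    return findings


# Constructed process tree (not real telemetry): the normal service chain, a
# user shell, and two copies of a renamed rundll32.exe posing as svchost.exe.
SAMPLE_PROCESSES = [
    {"pid": 600,  "ppid": 500,  "image": r"C:\Windows\System32\wininit.exe",  "original_filename": "wininit.exe"},
    {"pid": 800,  "ppid": 600,  "image": r"C:\Windows\System32\services.exe", "original_filename": "services.exe"},
    {"pid": 900,  "ppid": 800,  "image": r"C:\Windows\System32\svchost.exe",  "original_filename": "svchost.exe"},
    {"pid": 3100, "ppid": 1000, "image": r"C:\Windows\explorer.exe",          "original_filename": "EXPLORER.EXE"},
    {"pid": 3300, "ppid": 3100, "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "original_filename": "RUNDLL32.EXE"},
    {"pid": 3310, "ppid": 3300, "image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "original_filename": "RUNDLL32.EXE"},
]

if __name__ == "__main__":
    for pid, reasons in find_masquerading_svchost(SAMPLE_PROCESSES).items():
        print(pid, "; ".join(reasons))
```

When responding, kill the watchdog and the worker together (or suspend both first); terminating only the encryptor simply gets it respawned, which is the whole point of the arrangement.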

VIRLOCK deviates from other ransomware in its use of polymorphic encryption, wherein the encryption key differs in every infection. It may also insert random garbage code and API calls into the infected files, as shown below. These two characteristics make file-based (signature) detection more difficult and defeat simple emulation. It also uses several layers of encryption as anti-detection and anti-analysis techniques.


Figure 2. Code snippet of VIRLOCK’s anti-detection mechanism

Other techniques

Another notable technique that contributes to the persistence of the threat is checking for network or Server Message Block (SMB) shares connected to the infected system. An example is CryptoFortress, which appeared last year. CRYPWALL versions 3 and 4 can also enumerate all drives; if network shares are mapped, the files on them can be encrypted too.

Some variants also abuse legitimate features like Windows PowerShell, as in the case of PowerWare and POSHCODER. Other significant routines include a Domain Generation Algorithm (DGA) for the C&C server connection, first observed in CryptoLocker. Threats like CryptXXX also steal information, so attackers can earn more money by peddling it in the underground market.

IT administrators will also find it arduous to contain a ransomware infection if the attackers use vulnerabilities to spread the threat. We saw this with SAMSAM, where the attacker leveraged the JexBoss exploit tool against vulnerable JBoss application servers to penetrate the network and propagate the ransomware. Furthermore, infecting document and media files can also make cleanup difficult, as VIRLOCK does.

A multi-layered defense

Because of the inconvenience, the difficulty of retrieving files, and the potential damages, some organizations choose to pay. The danger with paying is that you may receive more ransomware-related spam, since you are now a proven paying customer. When your files are encrypted, attackers typically assign an ID to the victim's specific decryption page, and they have a way of tying that back to the email address of whoever clicked or opened the attachment.

Understanding ransomware can help enterprises secure their environment. Backing up files is highly recommended, but backup alone is not a foolproof solution, since some variants also encrypt any backups they can reach, such as those on mapped network shares or attached USB disks; keep at least one copy offline or otherwise unreachable from the endpoints. What enterprises and small businesses need is a multi-layered defense that secures their environments from endpoints to networks and servers.

Trend Micro secures organizations against the risks that ransomware poses via its layers of protection. Our endpoint solution, Trend Micro Smart Protection Suites, can prevent the execution of the malicious routines and activities we highlighted in this entry via behavior monitoring, application control, and vulnerability shielding. Our Anti-Ransomware feature can proactively detect and block ransomware execution, so that no files are encrypted and the threat neither spreads to other systems on the network nor reaches servers.

But more than protecting your endpoints, it is best to stop ransomware at the exposure level: web and email. Based on our recent sampling, more than 96% of ransomware can be stopped at the email and web levels. Enterprises can rely on Trend Micro™ Deep Discovery™ Email Inspector to detect and block ransomware-related emails, including malicious attachments. Its custom sandbox technology can detect ransomware variants that leverage macros. The IP and web reputation included in this solution can also mitigate the risks of ransomware at the email and web levels.

For network protection, our Trend Micro Deep Discovery Inspector can detect and block ransomware on networks through its malware sandbox and network scanning features. Moreover, any lateral movement to reach other parts of the network can also be prevented through our product.

Since ransomware like SAMSAM introduces risks to your servers, our Trend Micro Deep Security™ and its vulnerability shielding can stop this or any similar ransomware from reaching enterprise servers–whether physical, virtual or in the cloud.

For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities such as behavior monitoring and real-time web reputation in order to detect and block ransomware.

For home users, Trend Micro Security 10 provides robust protection against ransomware, by blocking malicious websites, emails, and files associated with this threat.

Users can also use our free tools such as the Trend Micro Lock Screen Ransomware Tool, which is designed to detect and remove screen-locker ransomware; as well as Trend Micro Crypto-Ransomware File Decryptor Tool, which can decrypt certain variants of crypto-ransomware without paying for the use of the decryption key.