This article describes how a ransomware attack typically works. It details the sections of a network that ransomware strikes and how appropriate measures on different security layers can help reduce the risk.
Ransomware, often referred to by family names such as CryptoLocker, CryptoDefense or CryptoWall, is one of the most widespread and damaging threats that internet users face today. It is a family of malware that takes files on a PC or network storage, encrypts them and then extorts money to unlock the files.
The first stage of a ransomware attack is to get onto your machine and execute its files. Once the executable is run, either by a user or by another malicious file, it connects to the criminal's Command and Control (C&C) server and sends information about the host machine. This connection is known as call-home or C2 traffic and normally uses the standard port 80 with HTTP or port 443 with HTTPS.
The information sent is usually operating system details, IP addresses, geographical location and access permissions of the account that executed the ransomware. Criminals can also use this information to launch additional attacks if, for example, the ransomware has domain admin privileges.
The C&C server which receives this information will then send the encryption keys needed to encrypt files on the machine. This is done in two stages (infect the machine first and then get the encryption keys) to ensure that the keys are kept secret. It is almost impossible to decrypt files without the encryption keys.
When the ransomware receives the encryption keys, it will start encrypting files, concentrating on local files first, followed by files on removable media (USBs, external hard drives) and then any accessible network locations (mapped drives, network shares). This could take hours or days depending on the file volume and stops when it finishes or when the machine is shut down by the user.
A ransom note is created in every folder in which the ransomware has encrypted files. These notes are often created in multiple file formats (.txt, .html, .png) to ensure that the victim can open them. The ransom notes are also saved on the host machine's desktop, and the desktop background changes to a picture of the ransom note.
Some variants of ransomware deploy a secondary payload on the machine after the encryption stage of the attack. Unlike the ransomware, which is destructive and noticeable, the second payload is normally completely hidden from the user and is designed to stay undetected on the machine. These secondary payloads are usually designed to steal usernames and passwords.
The last stage of a ransomware attack is to delete itself. This is done to reduce the chances of security companies getting hold of the ransomware to analyze it. You are then left with the encrypted versions of your files and the ransom notes. These files are not malicious and are typically not detected or removed by anti-virus products.
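The encryption stage described above leaves a recognisable trace: one process rewriting many files with a new extension across local, removable and network folders, and dropping a note in several formats in each of them. The following added example (not code from the original article) runs a simple detector over a constructed file-activity log of that shape; the process names, paths, note names and thresholds are all assumptions.

```python
import ntpath
import re
from collections import defaultdict

# Constructed file-activity events (not from the original article) in the shape a
# file-integrity or EDR sensor reports: (seconds, process, action, path, new_path).
# "rename" carries the new path; "create" and "write" leave it None.
EVENTS = [
    (0, "winword.exe", "write", r"C:\Users\amy\Documents\report.docx", None),
    (1, "svchost.exe", "write", r"C:\Windows\Temp\update.log", None),
    (2, "x7ab.exe", "rename", r"C:\Users\amy\Documents\report.docx", r"C:\Users\amy\Documents\report.docx.crypt"),
    (2, "x7ab.exe", "rename", r"C:\Users\amy\Documents\budget.xlsx", r"C:\Users\amy\Documents\budget.xlsx.crypt"),
    (3, "x7ab.exe", "create", r"C:\Users\amy\Documents\HOW_TO_RECOVER.txt", None),
    (3, "x7ab.exe", "create", r"C:\Users\amy\Documents\HOW_TO_RECOVER.html", None),
    (4, "x7ab.exe", "rename", r"E:\photos\trip1.jpg", r"E:\photos\trip1.jpg.crypt"),
    (4, "x7ab.exe", "rename", r"E:\photos\trip2.jpg", r"E:\photos\trip2.jpg.crypt"),
    (5, "x7ab.exe", "create", r"E:\photos\HOW_TO_RECOVER.png", None),
    (6, "x7ab.exe", "rename", r"\\fileserver\shared\plan.pptx", r"\\fileserver\shared\plan.pptx.crypt"),
    (7, "x7ab.exe", "create", r"\\fileserver\shared\HOW_TO_RECOVER.txt", None),
    (8, "7z.exe", "rename", r"C:\Users\amy\Downloads\a.tmp", r"C:\Users\amy\Downloads\a.7z"),
]

# Words ransom-note file names tend to carry (assumed), and the note formats the article lists.
NOTE_RE = re.compile(r"recover|decrypt|restore|readme", re.IGNORECASE)
NOTE_EXTS = {".txt", ".html", ".png"}

def ransomware_suspects(events, min_renames=4, min_dirs=2):
    """Return {process: counters} for processes whose file activity matches the encryption stage."""
    ext_changes = defaultdict(int)   # renames that change the file extension, per process
    dirs_changed = defaultdict(set)  # directories in which such renames happened
    note_dirs = defaultdict(set)     # directories in which a note-like file was created
    for _t, proc, action, path, new_path in events:
        folder = ntpath.dirname(path)  # ntpath so the Windows paths parse on any host
        if action == "rename" and new_path:
            if ntpath.splitext(path)[1].lower() != ntpath.splitext(new_path)[1].lower():
                ext_changes[proc] += 1
                dirs_changed[proc].add(folder)
        elif action == "create":
            fname = ntpath.basename(path)
            if NOTE_RE.search(fname) and ntpath.splitext(fname)[1].lower() in NOTE_EXTS:
                note_dirs[proc].add(folder)
    suspects = {}
    for proc in set(ext_changes) | set(note_dirs):
        mass_rename = ext_changes[proc] >= min_renames and len(dirs_changed[proc]) >= min_dirs
        notes_everywhere = len(note_dirs[proc]) >= min_dirs
        if mass_rename or notes_everywhere:
            suspects[proc] = {"ext_changes": ext_changes[proc],
                              "dirs": len(dirs_changed[proc]),
                              "note_dirs": len(note_dirs[proc])}
    return suspects
```

The archiver that renames a single file is not flagged; the process touching several folders across three locations is, which is the spread (local, removable, network) the text describes.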
Ransomware can get on your machine via spam email attachments and compromised websites that redirect users to servers hosting exploit kits.
Spam email with a malicious attachment is the most common method of getting ransomware onto a victim's machine. The spam campaigns used in these attacks are usually sent in very large volumes, and the emails often use social engineering techniques to trick users into trusting them. For example, an email posing as a parcel delivery company with an attachment about a missed delivery.
The common attachments currently used are: .doc, .docx, .docm, .xls, .xlsx, .xlsm, .ppt, .pptx, .pptm, .pdf, .js, and .lnk. These files are in an archive file such as .zip, .rar, or .7z.
The following screenshot shows a malicious attachment opened as a Microsoft Word document:
The attachment contains a macro and if you have Office set to automatically execute macros when you open a file, the next stage of the attack starts automatically. If Office is not set to automatically execute macros, criminals usually attempt to trick you into enabling them, as illustrated above. If the macro doesn't run, the attack stops here.
It is important to note that in most cases the malicious attachment is not the ransomware itself but a downloader. Its job is to connect to the criminal's server and download a malicious payload, in this case ransomware. However, the payload can be anything and can change multiple times during a single spam campaign.
Once run, a downloader will make a connection to the malicious server. These servers are often set up just before a spam campaign starts and removed after the attack finishes. The downloaders will often have a list of servers they can contact in case some are blocked. Just like ransomware, this connection normally uses the standard port 80 with HTTP, or port 443 with HTTPS.
The ransomware is then downloaded to the machine and executed.
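The chain just described (Office document, macro, downloader connecting out on port 80 or 443, payload executed) is visible in endpoint process and network telemetry. The following added example (not code from the original article) correlates constructed Sysmon-style events to surface that chain; the event layout, process names, IP addresses and paths are all assumptions.

```python
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
CALLBACK_PORTS = {80, 443}  # the ports the article says downloaders and ransomware call home on

# Constructed Sysmon-style events (not from the original article), in timeline order.
# id 1 = process create (pid, image, ppid, parent image); id 3 = outbound network connection.
EVENTS = [
    {"id": 1, "pid": 4100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "ppid": 900, "parent": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ppid": 4100, "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": 3, "pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "dst_ip": "203.0.113.10", "dst_port": 80},
    {"id": 1, "pid": 4140, "image": r"C:\Users\amy\AppData\Local\Temp\inv_2291.exe", "ppid": 4120, "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"id": 1, "pid": 5000, "image": r"C:\Windows\System32\cmd.exe", "ppid": 900, "parent": r"C:\Windows\explorer.exe"},
    {"id": 3, "pid": 5000, "image": r"C:\Windows\System32\cmd.exe", "dst_ip": "198.51.100.7", "dst_port": 443},
    {"id": 1, "pid": 5010, "image": r"C:\Windows\System32\ipconfig.exe", "ppid": 5000, "parent": r"C:\Windows\System32\cmd.exe"},
]

def name(path):
    return ntpath.basename(path).lower()

def macro_downloader_chains(events):
    """Return one record per completed chain: Office app -> script host -> web callback -> new process."""
    spawned = {}      # pid -> image of a script host spawned by an Office app (stage 1)
    called_home = {}  # pid -> (dst_ip, dst_port) for stage-1 pids that connected out (stage 2)
    chains = []
    for ev in events:
        if ev["id"] == 1:
            if name(ev["parent"]) in OFFICE_APPS and name(ev["image"]) in SCRIPT_HOSTS:
                spawned[ev["pid"]] = ev["image"]
            elif ev["ppid"] in called_home:  # stage 3: the downloaded payload is executed
                ip, port = called_home[ev["ppid"]]
                chains.append({"office_child": name(spawned[ev["ppid"]]),
                               "callback": f"{ip}:{port}",
                               "payload": ev["image"]})
        elif ev["id"] == 3 and ev["pid"] in spawned and ev["dst_port"] in CALLBACK_PORTS:
            called_home[ev["pid"]] = (ev["dst_ip"], ev["dst_port"])
    return chains

if __name__ == "__main__":
    for chain in macro_downloader_chains(EVENTS):
        print("ALERT macro downloader chain:", chain)
```

The user-opened cmd.exe that also connects out on 443 is not reported, because its parent is not an Office application; only the Word-spawned script host that called home and then launched a new executable completes the chain.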
The other favored ransomware delivery method is the Exploit Kit (EK). EKs are tools criminals use to identify vulnerabilities on your machine and exploit them. An EK works through a list of known vulnerabilities, determines which ones your machine is not patched against, and exploits those to install ransomware on your machine.
This method uses legitimate websites that have been compromised, normally by adding a small piece of malicious code to them. When a user browses to such a website, they are redirected in the background to the criminal's server that hosts the EK. Tens of thousands of legitimate websites are compromised every day in this way.
In some cases, the websites themselves are not compromised but display adverts that contain malicious code. This is called malvertising.
If a user's machine is not regularly patched, the EK has a good chance of finding a vulnerability it can exploit.