Anatomy of a Ransomware Attack

Dr. Stephenie Slahor

The disruption to individual and departmental computer systems via ransomware is presenting new challenges to law enforcement agencies throughout the country.

A recent NBC news report disclosed how Eastern European hackers have been exposing law enforcement agencies nationwide to “ransomware” virus attacks – seizing control of various systems and deleting numerous files and/or denying access to records and other information. According to this report, police departments in seven states have experienced these types of attacks over the past three years. Explaining to the ASIS International Annual Meeting how ransomware operates was Barry Shteiman, Director of Threat Research for Exabeam and author of the HULK DDoS attack tool.

What Is Ransomware?

Ransomware is computer malware which installs covertly on a victim’s device and mounts a persistent cryptographic attack to encrypt user files on infected machines or prevent access to data. The goal is to demand a ransom to reverse the attack, said Shteiman. Malware can “evade,” avoiding detection, as it communicates with a C2 network; it receives commands while persisting and can exfiltrate data and then sell that data to a third-party buyer. Ransomware, by contrast, shows itself only once it has completed its attack and communicates once, if at all. It arrives packed and preconfigured, encrypts locally, and then in effect sells the data back to the victim of the virus.

How It Advances

Shteiman explained that the “chain” of ransomware goes through steps: the campaign, infection, staging, scan, encryption, and payday.

In the “campaign,” the user is usually tricked into downloading and activating a malicious dropper or payload via an E-mail, watering hole attack, exploit kit, or “drive-by.” The E-mail is usually simple: a message informing the user that a particular document, invoice, package delivery information, etc. is within the message. “These things look real,” said Shteiman, but, if opened, the attachment downloads a hard-coded dropper.

In the “infection” step, the dropper phones home to download an .exe or a camouflaged executable, then copies or stages the malicious executable locally. The dropper script is then terminated and potentially dissolved, and the malicious payload is executed.

“Staging” occurs when the ransomware runs on the computer, sometimes moving to a new folder and then dissolving, and checks local configuration and registry keys, such as proxy settings, user privileges, accessibility, or other meaningful information. It then takes “persistence steps,” such as running at boot, running in recovery mode, disabling recovery mode, and so on. Various commands are issued to delete shadow copies of the files, and the ransomware might communicate at this stage to negotiate the public key or to learn where the user or system comes from and whether they are applicable targets.

“Scan” occurs when the ransomware enumerates the local and network-accessible systems, looking for a list of file extensions. It scans and maps these locations. Some variants also check for write/delete rights at this stage. This is the stage in which the ransomware could spread to other computers. (Scan speed is affected by network speed and the amount of data and servers, Shteiman added.)

“Encryption” is applied to all discovered files, both local and mapped, and the original file is then deleted. For every location where files are found and encrypted, auto-generated ransom notes are created in multiple formats, such as .html, .txt and scripts. Encryption runs on the infected machine; for network locations, files travel to the local machine and back. Speed depends on volume.

“Payday” comes after encryption, with a ransom note created on the desktop and displayed to the user, then the ransomware terminates and usually deletes itself.

Fighting Back

Shteiman said the varying time when each of these steps occurs may give an opportunity to disable the ransomware. Detection opportunities come between infection and payday. Infection and staging take seconds, but scanning and encryption take minutes to hours, giving a possible opportunity to stop the spread of the infection.

Graphing the connections stitches together user activities across accounts, devices, IPs, and networks. A model can then be built for anomalies, such as a new process, mass deletion, new file extensions, abnormal or suspicious LAN/WAN location access, registry edits, or deletion or scanning across multiple assets.
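One way to turn the anomaly model above (new extensions, encrypt-then-delete pairs, ransom notes dropped in several formats per location, activity spanning multiple assets) into detection logic, as an added example that is not code from the article or from Exabeam; the file-event log and every host, process and file name in it are constructed for this illustration:

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Extensions a workstation baseline treats as normal (constructed list).
BASELINE_EXT = {".docx", ".xlsx", ".pdf", ".txt", ".html", ".jpg", ".exe", ".dll"}
NOTE_FORMATS = {".txt", ".html", ".hta"}

# Constructed sample file events: (host, process, action, path). All names hypothetical.
EVENTS = [
    ("WS01", "winword.exe", "write", r"C:\Users\ana\Docs\q1.docx"),
    ("WS01", "upd_svc.exe", "write", r"C:\Users\ana\Docs\q1.docx.locked"),
    ("WS01", "upd_svc.exe", "delete", r"C:\Users\ana\Docs\q1.docx"),
    ("WS01", "upd_svc.exe", "write", r"C:\Users\ana\Docs\RECOVER_FILES.txt"),
    ("WS01", "upd_svc.exe", "write", r"C:\Users\ana\Docs\RECOVER_FILES.html"),
    ("WS01", "upd_svc.exe", "write", r"\\FS01\share\budget.xlsx.locked"),
    ("WS01", "upd_svc.exe", "delete", r"\\FS01\share\budget.xlsx"),
    ("WS01", "upd_svc.exe", "write", r"\\FS01\share\RECOVER_FILES.txt"),
    ("WS01", "upd_svc.exe", "write", r"\\FS01\share\RECOVER_FILES.html"),
    ("WS02", "explorer.exe", "delete", r"C:\Users\bo\Desktop\old.pdf"),
]

def score_process(events, process):
    """Compute the per-process signals the article lists and a verdict."""
    writes, deletes, assets, note_dirs = set(), set(), set(), defaultdict(set)
    for host, proc, action, path in events:
        if proc != process:
            continue
        p = PureWindowsPath(path)
        assets.add(host)
        if path.startswith("\\\\"):              # network share: count the server as an asset
            assets.add(p.drive.split("\\")[2])
        if action == "write":
            writes.add(path)
            # Ransom notes: upper-case names dropped in several formats per folder.
            if p.suffix.lower() in NOTE_FORMATS and p.stem.isupper():
                note_dirs[str(p.parent)].add(p.suffix.lower())
        elif action == "delete":
            deletes.add(path)
    # "New extensions": written files whose suffix is outside the baseline.
    new_ext = sum(1 for w in writes if PureWindowsPath(w).suffix.lower() not in BASELINE_EXT)
    # Original deleted after a copy with an appended extension was written.
    rewritten = sum(1 for d in deletes if any(w.startswith(d + ".") for w in writes))
    multi_notes = sum(1 for fmts in note_dirs.values() if len(fmts) >= 2)
    signals = {"new_ext": new_ext, "rewritten": rewritten, "deletes": len(deletes),
               "note_dirs": multi_notes, "assets": len(assets)}
    # Verdict: encrypt-and-delete pairs plus notes in more than one location.
    signals["suspect"] = rewritten >= 2 and multi_notes >= 2
    return signals
```

On the constructed log, `upd_svc.exe` trips the verdict (two rewritten files, notes in two folders, two assets touched) while `explorer.exe` deleting a single file does not, which is the distinction between routine deletion and the scan-and-encrypt stage.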

For further information, log on to for the Threat Research Report, The Anatomy of a Ransomware Attack, a white paper which covers the business models used by ransomware operators, the attack chain, and detection and disruption of ransomware in the corporate environment. Being prepared and taking precautions against ransomware can save time and money and prevent future incidents.

Stephenie Slahor, Ph.D., J.D., is a writer in the fields of law enforcement and security. She can be reached at


Ransomware Doesn’t Mean Game Over

According to Adam Kujawa, Head of Malware Intelligence, ransomware works well because undetected variants are developed and deployed quickly and the program has to execute only once to be effective. It can completely lock down a system and encrypt important files. He explained that ransomware uses two primary methods: the “drive-by” which infects the system “behind the scenes” without user interaction; and “phishing” which tricks the user into opening an attachment which will launch a scripting file, download the malware and infect the system, all while evading detection. Kujawa added that, sometimes, it is malware which installs other malware.

Options to fight ransomware include running antivirus/antimalware software; restoring from backups; deleting the encrypted files from the backup (assuming the history is enabled); analyzing the root cause of the infection; and/or finding a decryptor by searching Google for the name of the ransomware. Kujawa also recommended which lists decryptors.

Although some users will choose to pay the ransom, Kujawa said such action not only costs money, but encourages more ransomware and the user may not actually get the files back anyway, or the system may be reinfected later. He said, “I do not recommend paying the ransom – ever!”