The Evolution of Ransomware: Part 2

For most, ransomware attacks are the byproduct of uninformed users opening malicious attachments sent by devious and anonymous criminals.  While this is still a useful approach for some attackers, the success of ransomware and the evolution of protections against it have led to the popularization of multiple techniques for infecting user systems.  Protection against the effects of ransomware starts with a clear understanding of all of the means that attackers will use to implant that first malicious package.

The Modern Palette of Infection Vectors

The way in which ransomware is delivered to victim systems has advanced quickly since the AIDS Trojan of 1989, when the delivery mechanism involved a postal worker, a truck, and a floppy disk.  As with most cyber attacks, the attackers develop new methods in order to bypass the new controls put in place to stop their last successful campaign.  Today, there are five main methods used to get ransomware from source to target.

The Traditional Favorite: Phishing Campaigns

Social networking has heavily influenced the growth and effectiveness of phishing campaigns.  According to data gathered from the non-profit Anti-Phishing Working Group (APWG), phishing attacks in the 3rd quarter of 2016 were up 130% since the same period in 2015.  In 2017, these campaigns are more targeted, using available information in one of two ways:

1. Phishing Nets: A limited amount of target-specific detail is used to create phishing messages which are then sent to a wide list of target employees, creating a high probability of infection on one or more user systems.  This is especially true with newer “land and expand” ransomware, which automatically leverages its presence on the current victim to search for and corrupt other systems within reach.

2. Spearphishing or Whaling: Very specific messages are crafted for delivery to organization members who are more likely to opt for payment, like executives or IT staffers. Both of these campaigns direct the victim to execute some malicious program, delivered as either a camouflaged attachment or link to a malicious site. According to awareness training provider PhishMe, 93% of phishing campaigns now deliver ransomware as the payload, which puts phishing at the top of our list.

Innocent Bystanders: Drive-by Downloads – Rampant popularity among criminals has made phishing-based delivery of ransomware more common and recognizable, so attackers are leveraging new techniques that can infect users without requiring them to click. The most well-established of these is the drive-by download, where ransomware is delivered transparently through web pages where malicious links have been hidden. These links exploit vulnerabilities in browsers (there were hundreds in 2016, according to Heimdal Security), and can be placed on vulnerable sites or in areas where user input is not validated, like blog comment fields.  As organizations and security providers invest to blunt phishing attacks, expect to see even more of these drive-by infections.

Distribution by Trusted Parties: Malvertising – Phishing relies on getting users to click.  Drive-by downloads are assumed to be clustered on questionable sites.  As a result, both have been thought to be mitigated by educating a new breed of more prudent users. Malvertising poses another threat entirely.  Malvertising puts drive-by code in front of users by hiding malicious executables in advertisements served up through popular ad networks on some of the Internet’s most popular sites, like the New York Times, AOL, and the BBC. Like drive-bys, malvertising relies on vulnerabilities, and some of these remain active and exploitable for years, like this one that was used to distribute both Reveton and its modern variant, CryptXXX.

Everybody Loves a Bargain: Counterfeit and Forged Applications – According to a report from IDC, approximately one-third of the PC software in use worldwide is counterfeit, and for the users of that software, there is a one-in-three chance that they will be infected with malware.  For organizations that allow users to install their own applications, one “free” version of a favorite application can pose an organization-wide threat, especially when combined with new “land and expand” malware such as VirLock.

One Bad Apple: Parasitic and Social Infections – VirLock is one example of ransomware that is built to spread. Once they have been executed, these packages immediately seek out additional machines to infect.  These automated attacks search for connected computers and drives to infect, or leverage email and social network accounts to spray their ransomware using the local user’s account and contact list.  In all cases, they turn the victim into the perpetrator of a much broader infection.

General Recommendations

It is possible to improve your defense against all of these vectors, if you know how. 

Unfortunately, Googling “ransomware protection” typically yields only general good ideas like user training and backups.  These are fine, since a knowledgeable and slightly paranoid user is certainly the best protection, and backups provide the ability to recover lost data when destroyed.  Actual protection, though, from those inevitable user slips, requires a boost from technology.

At the most basic level, attachments and links should be disabled or contained using some combination of firewall and mail system controls. Systems should be centrally managed, configurations locked down, and policies should enforce patch installations and permissible applications. As a last line of defense, at the user’s system, anti-virus and runtime malware defenses should be combined to block the ransomware that makes it through. We know that 2017 is going to deliver more sophisticated malware pushed through more numerous channels. Our security practices have to keep up and work together if we are going to slow the growth of ransomware by decreasing its success, its profitability, and its public destructive impact.
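One way to implement the mail-system attachment control recommended above, as an added example that is not code from the article or from any vendor it mentions: a gateway-style filter that classifies attachment names by extension and treats double extensions such as invoice.pdf.exe as the “camouflaged attachment” described in the phishing section. The extension lists and the three verdicts are assumptions chosen for illustration, not an industry standard.

```python
from typing import List, Tuple

# Assumed policy lists for this example. Executables should never arrive by mail
# in most organizations; macro-enabled Office files and archives get held for review
# because they are common wrappers for a ransomware dropper.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "wsf", "hta", "ps1", "lnk", "msi"}
MACRO_EXTS = {"docm", "xlsm", "pptm", "dotm", "xltm"}
ARCHIVE_EXTS = {"zip", "rar", "7z", "iso", "img"}

# Verdict severity, most restrictive first.
VERDICT_RANK = {"block": 0, "quarantine": 1, "allow": 2}


def classify_attachment(filename: str) -> Tuple[str, str]:
    """Return (verdict, reason) for one attachment name."""
    name = filename.strip().lower()
    parts = name.split(".")
    if len(parts) < 2 or not parts[-1]:
        # No usable extension: cannot tell what the client will do with it.
        return ("quarantine", "no extension")
    ext = parts[-1]
    if ext in EXECUTABLE_EXTS:
        if len(parts) >= 3:
            # The visible inner extension (e.g. ".pdf") is camouflage for the real one.
            return ("block", f"camouflaged executable (.{parts[-2]}.{ext})")
        return ("block", f"executable attachment (.{ext})")
    if ext in MACRO_EXTS:
        return ("quarantine", f"macro-enabled document (.{ext})")
    if ext in ARCHIVE_EXTS:
        return ("quarantine", f"archive may wrap an executable (.{ext})")
    return ("allow", "ok")


def screen_message(attachments: List[str]) -> Tuple[str, List[str]]:
    """Apply the strictest verdict across all attachments of one message."""
    verdict = "allow"
    reasons = []
    for att in attachments:
        v, why = classify_attachment(att)
        if v != "allow":
            reasons.append(f"{att}: {why}")
        if VERDICT_RANK[v] < VERDICT_RANK[verdict]:
            verdict = v
    return (verdict, reasons)


if __name__ == "__main__":
    # Constructed sample message: one innocuous file and one camouflaged payload.
    print(screen_message(["agenda.pdf", "Invoice_2017-02.pdf.exe"]))
```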
