Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Why Ransomware is Winning – and How to Turn the Tide

Every week we hear of several new high profile ransomware incidents affecting hospitals, schools, businesses and government. It’s gotten so bad that cybersecurity agencies in the U.S. and Canada recently issued an alert about the growing number of ransomware attacks affecting health care organizations.

Every week we hear of several new high profile ransomware incidents affecting hospitals, schools, businesses and government. It’s gotten so bad that cybersecurity agencies in the U.S. and Canada recently issued an alert about the growing number of ransomware attacks affecting health care organizations. Clearly ransomware attackers are winning. Why?

First, it’s important to understand, that most (if not all) ransomware victims are typically running fully-updated antivirus engines, and sometimes even anti-exploit and/or HIPS engines. The problem is, rapid changes made in the builds and versions of the malware used in ransomware  campaigns creators allows the code to repeatedly evade detection by traditional security measures.

To make matters worse, non-Windows variants have begun to emerge, notably on the Mac OS X and Linux platforms. These include the Encoder family which targets Linux-based web servers, and KeRanger which is based on the same code but has been recompiled to attack OS X targets.

The root of the ransomware problem lies in our reliance on signature-based detection techniques.

The methods attackers use to infect victims are well-known, very effective and difficult to eliminate no matter how end-user education and patching organizations perform. These include spearphishing emails and silent drive-by downloads that use exploit kits to take advantage of system vulnerabilities. Or more recently have taken a network-based approach, like the SamSam campaign, that targets vulnerable JBoss application servers, using accessible pentesting tools. Once inside the network the attackers collect credentials to install the actual payloads, and eventually get to the ransom stage.

It’s All About Behaviors

If signature-based techniques aren’t able to detect ransomware, what else can we do? Well, despite the fact that the number of ransomware variants and associated signatures is enormous and growing rapidly, there are small number of repeating motifs that are shared by the majority of ransomware samples seen in the wild. By looking for behaviors, instead of signatures, we can stop ransomware before it executes.

Here are some of the common behaviors most ransomware (and malware) share:


Almost all ransomware attempts to persist on a system, meaning that it will remain active in the event of a reboot. In most cases, ransomware authors use very similar registry locations as those used by traditional malware that effectively allow a binary to autostart on reboots. Some even use the startup folder and Task Scheduler. The new Petya variant which encrypts the entire system (not just files) overwrites the master boot record (MBR) itself. This makes persistence a great place to focus on when detecting ransomware behaviors.

Windows Tools 

In part due to evasion advantages, but mostly for convenience and development power, ransomware creators love Windows tools and especially script-based frameworks. These include Powershell and Batch scripts, VB scripts, WMI and others. These are used in a variety of ways including persistence, Shadow Copy deletion, communication and even the encryption itself. 


Ultimately, ransomware is designed to do damage, and make it as hard as possible to recover information, files and even the machine itself. Here’s a sample of destruction behaviors commonly exhibited by ransomware:

Shadow Copy Destruction 

This is **extremely** common. Shadow copies allow users to easily recover files from a local backup based on Restore Points created by Windows. These are essentially complete snapshots taken at different times. Ransomware will commonly try to delete the local Shadow Copy by calling vssadmin.exe, the Shadow Copy (also called the Volume Snapshot Service) utility, with specific instructions that no backups are to remain. 

Disabling Windows Monitoring mechanisms 

Ransomware will modify all sorts of monitoring-related mechanisms Windows supports, including:

● Disable System Restore
● Disable Safe mode
● Disable Recovery Mode and hide the boot menu options
● Stop the Windows Error Reporting (WER) service
● Disable its autostart on future boots

Complicate System Analysis 

Examples include “self-deletion” where after executing the ransomware, the attack will often delete the original file, or delete the content of the infecting document.  “Kill” which attempts to run Task Manager and other common Windows tools such as regedit.  Or anti-debugging, packing, etc. 

Although it may seem counter intuitive, most ransomware variants are incredibly similar in the methods they use to interact with the operating system of the target device. Therefore, even though ransomware authors continue to create a steady stream of new variants such as Petya, we have an ace in the hole. By monitoring for and detecting the underlying and shared behaviors of malware we can effectively stop ransomware infections before they can cause damage.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.