
What is Ransomware?

Ransomware is a type of malicious software that prevents victims from accessing their documents, pictures, databases and other files by encrypting them and demanding a ransom to decrypt them. A deadline is assigned for the ransom payment; if the deadline passes, the ransom demand doubles or the files are permanently locked. Ransomware is an ever-increasing threat worldwide, claiming a new victim every 10 seconds.

Latest Ransomware

In April 2020, Cognizant, one of the largest tech and consulting companies in the Fortune 500, confirmed it was hit by a Maze ransomware attack.

Maze is not like typical data-encrypting ransomware. Maze not only spreads across a network, infecting and encrypting every computer in its path, it also exfiltrates the data to the attackers’ servers, where it is held for ransom. If a ransom isn’t paid, the attackers publish the files online. However, a website known to be associated with the Maze attackers has not yet advertised or published data associated with Cognizant.

The FBI privately warned businesses in December of an increase in Maze-related ransomware incidents.

Since the warning, several major companies have been hit by Maze, including cyber insurer Chubb, accounting giant MNP, a law firm and an oil company.


Most Popular Ransomware Variants 

CryptoWall – Ransomware that started as a Cryptolocker doppelgänger, but eventually surpassed it. After the takedown of Cryptolocker, CryptoWall became one of the most prominent ransomware families to date. CryptoWall is known for its use of AES encryption and for conducting its Command & Control communications over the Tor anonymous network. It is widely distributed via exploit kits, malvertising and phishing campaigns.
WannaCry – Ransomware which was spread in a large-scale attack in May 2017, utilizing a Windows SMB exploit called EternalBlue in order to propagate within and between networks. It infected more than 100,000 computers by taking advantage of an unpatched Microsoft Windows vulnerability.
Jaff – Ransomware which began being distributed by the Necurs botnet in May 2017, via spam emails containing a PDF attachment with an embedded DOCM file. When the malware first emerged, it was massively spread at an infection rate of approximately 10,000 emails sent per hour.
Locky – Ransomware which started its distribution in February 2016, and spreads mainly via spam emails containing a downloader disguised as a Word or Zip attachment, which then downloads and installs the malware that encrypts the user’s files.
TorrentLocker – Ransomware that encrypts user documents, pictures and other types of files. Victims are requested to pay up to 4.1 Bitcoins (approximately US $1800 at the time) to the attackers to decrypt their files.
Cerber – An offline ransomware, meaning that it does not need to communicate with its C&C server before encrypting files on an infected machine. It is spread mostly via malvertising campaigns which leverage exploit kits, but also through spam campaigns. It is operated by its author as ransomware-as-a-service; the author recruits affiliates to spread the malware for a share of the ransom payment.

Ransomware History 

The first known ransomware attack was deployed in 1989: the AIDS Trojan, aka PC Cyborg. This low-tech malware was distributed on over 20,000 floppy disks to AIDS researchers. It hid files on the drive and encrypted the file names, displaying a message to the user that their license to use a specific type of software had expired. As a ransom, the user was asked to pay $189 USD to receive a repair tool. The decryption tool could be extracted directly from the code of the Trojan, rendering the malware flawed, because it was not necessary to pay the extortionist.

Top Countries Attacked by Ransomware 

Until now, the ransomware-as-a-service industry has remained an uncharted region of cybercrime. Very little was known about the operation of such franchises, making it harder for defenders to trace them effectively. In research conducted by Check Point and IntSights, we shed new light on the Cerber ransomware, one of the most prominent ransomware variants. Our report, CerberRing: An In-Depth Exposé on Cerber Ransomware-as-a-Service, discloses not only the technical details of the operation, but also the franchise’s business operation from end to end.

Cerber has a wide distribution, due in part to its successful use of leading exploit kits. By monitoring the actual C&C communications, we were able to create a complete view of the ransomware’s activity. Cerber is currently running 161 active campaigns, launching an average of eight new campaigns daily, which have successfully infected approximately 150,000 users worldwide in 201 countries and territories in the past month alone.

Why Does Ransomware use Bitcoin? 

Because Bitcoin can be used to evade tracing, ransomware operators create a unique Bitcoin wallet to receive funds from each of their victims. Upon paying the ransom (usually 1 Bitcoin, worth approximately $590 at the time), the victim receives the decryption key. The payment is transferred to the malware developer through a mixing service, which involves tens of thousands of Bitcoin wallets, making it almost impossible to track the transactions individually. At the end of the mixing process, the money reaches the developer and the affiliates receive their percentage.

WannaCry demanded that each victim pay $300 in Bitcoin. Victims have only 72 hours to pay the $300; if they wait past this period, the ransom doubles to $600. After a total of 7 days, WannaCry deletes all encrypted files and the data is permanently lost. Another ransomware strain, Locky, demands anywhere between 0.5 BTC (Bitcoin) and 1.00 BTC.

The Bitcoin economy has surged: while these prices used to be in the range of a couple of hundred dollars, 1 Bitcoin is currently worth around $9,304 (6/9/2020). Check Point researchers found that those affected by WannaCry are unlikely to retrieve their files, even if they pay the ransom. So far, the three Bitcoin accounts associated with the WannaCry campaign have accumulated approximately $77,000.

By monitoring the data provided by the C&C servers, we were able to identify actual victim wallets, allowing us to effectively monitor payments and transactions involving each of these wallets. Our research also allowed us to track the actual revenue gained by the malware, as well as the path of financial transactions.

How Ransomware Infects Your Computer 

Step 1. Checking Your Internet Connection

The first executable in the infection chain checks for a specific URL before continuing the attack (the so-called kill switch). Malware researchers have discovered most of the URLs used across the different samples of the attack, and once the check for such a URL succeeds, the ransomware component is not created or executed.

We start the analysis from the actual ransomware executable itself as shown in Figure 2. Having analyzed multiple samples of the ransomware, we noticed that the behavior is fairly consistent.

Step 2. The Dropper

In our report, the attack starts with the launching of the wcry.exe sample. This executable drops a large number of files that are most likely configuration/data files needed to continue execution. We see the dropped files by clicking on the wcry.exe process and then viewing the File Ops tab. For example, a large number of files with the “wnry” extension are created.

Step 3. Execution Startup

This sample then proceeds to hide all the files in its own folder. This is done through the Windows “Attrib.exe” process. We believe this is done so that the sample does not accidentally encrypt itself, though it could also be a basic technique to hide from investigators.

Wcry.exe then executes Windows “icacls.exe” to modify the current folder’s permissions. We are still investigating why. This is the first ransomware family we have seen that actually utilizes this Windows process.

Step 4. File Encryption

Wcry.exe then begins the encryption process, starting with files on the desktop. By following the flow of any one of the encrypted documents, we see that the malware wrote into a newly created file with the extension wncryt (t for temp?) and then, after the encryption of the original file was completed, renamed the file to have the extension wncry.

For example:

  1. The file 2014-financial-statements-en.pdf was read.
  2. The file 2014-financial-statements-en.pdf.wncryt was created.
  3. The file 2014-financial-statements-en.pdf.wncryt was modified with the encrypted content of the original 2014-financial-statements-en.
  4. The file 2014-financial-statements-en.pdf.wncryt was renamed to 2014-financial-statements-en.pdf.wncry.
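The read, create-temp, modify, rename sequence above is a usable behavioral signature on its own, independent of the sample hash. The Python script below is an added example, not code from the original page or from Check Point: it walks a constructed list of file-operation events (the kind a sandbox File Ops tab or an EDR agent would record) and flags any process that completes the full sequence on more than one file. The event tuple format, process ids and paths are assumptions made for the example; the .wncryt and .wncry extensions are the ones described above.

```python
"""Detect the write-to-temp-then-rename encryption pattern from Step 4.

Added example, not code from the original page. Events are constructed
to mimic what a sandbox "File Ops" tab or an EDR agent records.
"""
from collections import defaultdict

# Extensions described on the page for WannaCry's temp and final encrypted files.
TEMP_EXT = ".wncryt"
FINAL_EXT = ".wncry"

# Constructed sample events: (pid, process, operation, path, new_path_or_None).
EVENTS = [
    (4120, "wcry.exe", "read",   r"C:\Users\ann\Desktop\2014-financial-statements-en.pdf", None),
    (4120, "wcry.exe", "create", r"C:\Users\ann\Desktop\2014-financial-statements-en.pdf.wncryt", None),
    (4120, "wcry.exe", "modify", r"C:\Users\ann\Desktop\2014-financial-statements-en.pdf.wncryt", None),
    (4120, "wcry.exe", "rename", r"C:\Users\ann\Desktop\2014-financial-statements-en.pdf.wncryt",
                                 r"C:\Users\ann\Desktop\2014-financial-statements-en.pdf.wncry"),
    (4120, "wcry.exe", "read",   r"C:\Users\ann\Desktop\notes.docx", None),
    (4120, "wcry.exe", "create", r"C:\Users\ann\Desktop\notes.docx.wncryt", None),
    (4120, "wcry.exe", "rename", r"C:\Users\ann\Desktop\notes.docx.wncryt",
                                 r"C:\Users\ann\Desktop\notes.docx.wncry"),
    # Benign noise: Word also writes a temp file and renames it, but with its own naming.
    (1532, "WINWORD.EXE", "create", r"C:\Users\ann\Desktop\~WRD0001.tmp", None),
    (1532, "WINWORD.EXE", "rename", r"C:\Users\ann\Desktop\~WRD0001.tmp",
                                    r"C:\Users\ann\Desktop\report.docx"),
]


def encrypted_originals(events, temp_ext=TEMP_EXT, final_ext=FINAL_EXT):
    """Return {pid: sorted original paths} for processes that completed
    read -> temp file created/modified -> temp renamed to final extension."""
    # state[pid][original_path] is the set of stages observed for that file.
    state = defaultdict(lambda: defaultdict(set))
    for pid, _proc, op, path, new_path in events:
        if op == "read":
            state[pid][path].add("read")
        elif op in ("create", "modify") and path.endswith(temp_ext):
            # Strip the temp extension to recover the original file name.
            state[pid][path[:-len(temp_ext)]].add("temp")
        elif op == "rename" and path.endswith(temp_ext) and new_path and new_path.endswith(final_ext):
            original = path[:-len(temp_ext)]
            # Only count the rename if it targets the same base file.
            if new_path[:-len(final_ext)] == original:
                state[pid][original].add("renamed")

    result = {}
    for pid, files in state.items():
        hits = sorted(f for f, stages in files.items() if {"read", "temp", "renamed"} <= stages)
        if hits:
            result[pid] = hits
    return result


def ransomware_alert(events, threshold=2):
    """Alert on any pid that finished the pattern on at least `threshold` files.
    A single occurrence can be a legitimate tool; a burst across files is the signal."""
    return {pid: files for pid, files in encrypted_originals(events).items()
            if len(files) >= threshold}


if __name__ == "__main__":
    for pid, files in ransomware_alert(EVENTS).items():
        print(f"ALERT pid={pid} encrypted {len(files)} file(s):")
        for f in files:
            print("   ", f)
```

The threshold is deliberately separate from the pattern match: a backup or archiving tool can legitimately write a temp file and rename it once, so the alert fires on the burst across files rather than on a single rename.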

It also creates an executable called @wanadecryptor@.exe and launches it. This executable creates the Tor Application folder and installs Tor in it. This can be seen in the suspicious event “Tor Application Download”. @wanadecryptor@.exe then launches taskhsvc.exe, which is used to begin Tor communication.

Step 5. Permanently Deleting Non-Encrypted Versions

After the encryption of files is finished, we see a UAC prompt pop up because a cmd.exe process wishes to elevate privileges. cmd.exe requires elevated privileges in order to delete shadow copies and modify boot options. If the user clicks OK, shadow copy deletion occurs through both vssadmin.exe and wmic.exe. bcdedit and wbadmin executions are meant to occur based on the cmd.exe arguments (/c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet). However, neither is executed.
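The cmd.exe argument string above is the most reliable place to catch this step: the shadow-copy and boot-configuration commands are chained into one command line that is visible at process creation even when, as observed here, bcdedit and wbadmin never actually run. The following Python detector is an added example, not code from the page or from Check Point. It parses a few constructed process-creation records in a simplified key=value format (an assumption for the example; real Sysmon or EDR events carry the same fields under their own names) and reports which recovery-tampering commands each record contains, rating a record that chains two or more of them as high severity.

```python
"""Flag shadow-copy and boot-recovery tampering in process-creation logs.

Added example, not code from the original page. The log format and the
sample records are constructed for the example.
"""
import re

# Each rule: (label, case-insensitive regex over the command line).
# The commands are the ones chained in the cmd.exe arguments described in Step 5.
RECOVERY_TAMPER_RULES = [
    ("vssadmin delete shadows",    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wmic shadowcopy delete",     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit bootstatuspolicy",   re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("bcdedit recoveryenabled no", re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("wbadmin delete catalog",     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
]

# Constructed sample records; the first one carries the full cmd.exe one-liner from Step 5.
SAMPLE_LOG = [
    'pid=4312 parent=wcry.exe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet"',
    'pid=4320 parent=cmd.exe image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"',
    'pid=4330 parent=cmd.exe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"',
    # Benign: listing shadow copies is routine administration and must not fire.
    'pid=5001 parent=explorer.exe image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin list shadows"',
    'pid=5100 parent=services.exe image=C:\\Windows\\System32\\svchost.exe cmdline="svchost.exe -k netsvcs"',
]

LINE_RE = re.compile(r'pid=(\d+)\s+parent=(\S+)\s+image=(\S+)\s+cmdline="(.*)"$')


def parse_line(line):
    """Parse one constructed record into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pid, parent, image, cmdline = m.groups()
    return {"pid": int(pid), "parent": parent, "image": image, "cmdline": cmdline}


def matched_rules(cmdline):
    """Labels of every recovery-tampering command present in the command line."""
    return [label for label, rx in RECOVERY_TAMPER_RULES if rx.search(cmdline)]


def scan(lines):
    """Return (pid, parent, labels) for every record that hits at least one rule."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        labels = matched_rules(rec["cmdline"])
        if labels:
            hits.append((rec["pid"], rec["parent"], labels))
    return hits


def severity(hits):
    """'high' when one process chains two or more tampering commands (the
    cmd.exe one-liner), 'medium' for a single command, 'none' otherwise."""
    if any(len(labels) >= 2 for _, _, labels in hits):
        return "high"
    if hits:
        return "medium"
    return "none"


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for pid, parent, labels in found:
        print(f"pid={pid} parent={parent}: {', '.join(labels)}")
    print("severity:", severity(found))
```

Matching on the parent cmd.exe command line as well as on the spawned vssadmin.exe and wmic.exe children gives two chances to catch the step; the parent record is the one that still fires if the UAC prompt is declined and no child ever runs.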

Step 6. Notifying the Victim

After the encryption, the wallpaper is also changed, as seen in the suspicious event “Wall Paper Change”. Like Cerber and Locky, the wallpaper is changed to display a ransom message.

Persistence on boot is meant to occur via a registry Run key pointing at a process named tasksche.exe, but this process was never created by the attack, and so nothing happens on reboot of the system. This process apparently should have been created by the downloader that checks whether the kill switch is present. However, given that we ran the sample without executing the downloader, it was unable to persist.

Finally, the process called @wanadecryptor@.exe is also used to display the UI asking for payment.

Files Affected by Ransomware 

After successful exploitation and “install”, ransomware encrypts 99% of filetypes – so don’t expect any to be left untouched. Filetypes include:


Typically the ransomware appends an additional extension to the encrypted files; in the case of WannaCry, .wcry.

So if you have a file Document.txt, WannaCry will encrypt it and rename it to Document.txt.wcry.

Ransomware Prevention 

Here are ways to defend against the next ransomware attack.

Education: Training users on how to identify and avoid potential ransomware attacks is crucial. As many current cyber-attacks start with a targeted email that does not even contain malware, but only a socially-engineered message that encourages the user to click on a malicious link, user education is often considered one of the most important defenses an organization can deploy.

Continuous data backups: Maintaining regular backups of data as a routine process is a very important practice to prevent losing data, and to be able to recover it in the event of corruption or disk hardware malfunction. Functional backups can also help organizations to recover from ransomware attacks.

Patching: Patching is a critical component in defending against ransomware attacks, as cyber-criminals will often study newly released patches for the vulnerabilities they fix and then target systems that are not yet patched. As such, it is critical that organizations ensure that all systems have the latest patches applied, as this reduces the number of potential vulnerabilities within the business for an attacker to exploit.

How Check Point Can Help 

Check Point’s Anti-Ransomware technology uses a purpose-built engine that defends against the most sophisticated, evasive zero-day variants of ransomware and safely recovers encrypted data, ensuring business continuity and productivity. The effectiveness of this technology is verified every day by our research team, and it consistently demonstrates excellent results in identifying and mitigating attacks. SandBlast Agent, Check Point’s leading endpoint prevention and response product, includes Anti-Ransomware technology and provides protection to web browsers and endpoints, leveraging Check Point’s industry-leading network protections. SandBlast Agent delivers complete, real-time threat prevention and remediation across all malware threat vectors, enabling employees to work safely no matter where they are, without compromising on productivity.
