How Does Ransomware Work? The Ultimate Guide to Understanding Ransomware – Part II

Now that we’ve been introduced to ransomware, let’s see how it spreads and infects machines.

How does it enter systems?

Common penetration techniques include:

  • Spam and social engineering
  • Direct drive-by-download or malvertising
  • Malware installation tools and botnets

When ransomware first hit the scene a few years ago, computers predominantly got infected when users opened e-mail attachments containing malware, or were lured to a compromised website by a deceptive e-mail or pop-up window. Newer variants of ransomware have been seen to spread through removable USB drives or Yahoo Messenger, with the payload disguised as an image.


CTB Locker, the ransomware currently making headlines and claiming victims, spreads through aggressive spam campaigns. The email poses as a fax message and carries a .zip archive as an attachment. If the executable file inside the zip is opened, the data on the system is encrypted and the victim is asked to pay a ransom to receive the decryption key. Read more about CTB Locker.
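As an added, defender-side illustration (not code from the original post), here is a Python mail-gateway style check for the lure described above: it opens a constructed zip attachment in memory and flags entries that carry an executable extension, a double extension such as .pdf.exe, or a Windows PE header hidden under an image or document extension. The file names and bytes inside the archive are constructed for this example.

```python
import io
import zipfile

# Extensions Windows will execute directly (assumed list for this example).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".wsf"}


def build_sample_zip() -> bytes:
    """Constructed 'fax' attachment: one obvious executable, one executable
    disguised as an image, and one harmless PDF-looking document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("fax_20150211.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("holiday_photo.jpg", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%constructed pdf body\n")
    return buf.getvalue()


def is_pe(head: bytes) -> bool:
    """Windows executables (PE files) start with the 'MZ' DOS header."""
    return head[:2] == b"MZ"


def suspicious_entries(zip_bytes: bytes):
    """Return (entry name, reason) for every archive member that looks
    executable, judged by its extension(s) and by its leading bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.lower().rsplit("/", 1)[-1]
            exts = ["." + p for p in base.split(".")[1:]]
            with zf.open(info) as fh:
                head = fh.read(2)          # only the magic bytes are needed
            if exts and exts[-1] in EXECUTABLE_EXTS:
                reason = "executable extension"
                if len(exts) > 1:          # e.g. fax.pdf.exe
                    reason = "double extension " + "".join(exts)
                findings.append((info.filename, reason))
            elif is_pe(head):              # e.g. payload disguised as an image
                findings.append((info.filename, "PE header under non-executable extension"))
    return findings


if __name__ == "__main__":
    for name, reason in suspicious_entries(build_sample_zip()):
        print(f"{name}: {reason}")
```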

But the latest variants can be re-engineered to propagate themselves without human action. We’ve recently seen an increasing number of incidents involving so-called “drive-by” ransomware. Drive-by download attacks are launched from compromised websites or through malicious ads and usually exploit vulnerabilities in browser plugins like Flash Player, Java, Adobe Reader or Silverlight. The tools used for such attacks also include privilege escalation functionality. Privilege escalation exploits allow attackers to run malware with administrator or system-level privileges instead of under the victim’s local user account, which might be restricted.

Modus Operandi

Each ransomware variant can be engineered to operate differently. However, common traits include fairly complex obfuscation and covert launch mechanisms meant to avoid early antivirus detection. In other words, the malware wants to stay hidden and uses techniques to thwart detection and analysis, including obscure filenames, modified file attributes, or operating under the pretense of legitimate programs and services. These additional layers of defense leave its code and data unreadable, which makes reverse engineering very difficult.


It’s worth adding that ransomware’s communication protocols have been upgraded from plain text (HTTP) to Tor and HTTPS, making calls to C&C servers almost impossible to track through network traffic monitoring. File encryption has also been revamped to use crypto libraries that perform strong, asymmetric cryptography rather than short or hard-coded keys. Earlier samples such as Cryptolocker and Cryptowall, for instance, first contact the server and only then perform the encryption.

To get a better idea of how ransomware works, let’s examine Cryptolocker. Cryptolocker gets installed by a Zbot variant (a Trojan used to carry out malicious tasks). After execution, it adds itself to Startup under a random name and tries to communicate with a command and control server. If successful, the server sends back a public key and a corresponding Bitcoin address. Using asymmetric encryption (a public key to encrypt the files and a private key, held by the attackers, to decrypt them), Cryptolocker begins encrypting more than 70 types of files that might be present on the victim’s device.


Here’s how encryption works, briefly:

[Diagram of the encryption flow not reproduced. Source: Microsoft]

Meanwhile, a variety of messages and instructions – often localized – are displayed on the user’s home screen.


Infected users are instructed to pay a fee for the private key stored on the attackers’ servers; without it, decryption is impossible. When the ransom is paid, decryption starts and a payment verification screen is displayed. After decryption ends, the Cryptolocker files are deleted.

Note: Don’t take the hackers’ word for it: paying the ransom does not guarantee that you can recover your files.

Who are the victims?

Ransomware doesn’t just impact home computers. Businesses, financial institutions, government agencies, academic institutions and other organizations can be and have been infected with ransomware. Such incidents destroy sensitive or proprietary information, disrupt daily operations and, of course, inflict financial losses. They can also harm an organization’s reputation. Attackers aim at specific files, such as databases, CAD files and financial data. For example, Cryptolocker was used to target more than 70 different file extensions, including .doc, .img, .av, .src, .cad.

“Ransomware is a very challenging threat for both users and antimalware companies, boosting impressive capabilities and an unprecedented success rate in extorting money from its victims,” says Cătălin Coșoi, Bitdefender Chief Security Strategist.

Stay close for Part III, to learn about the best ways to protect your data from ransomware.

About the author

Alexandra GHEORGHE

Alexandra started writing about IT at the dawn of the decade - when an iPad was an eye-injury patch, we were minus Google+ and we all had Jobs. She has since wielded her background in PR and marketing communications to translate binary code to colorful stories that have been known to wear out readers' mouse scrolls. Alexandra is also a social media enthusiast who 'likes' only what she likes and LOLs only when she laughs out loud.