
July 14, 2015 (July 15th, 2016) | IT Support in Toronto


How Does Ransomware Work? Part 1


Let’s take a look at how ransomware works. In some stages of the operational cycle ransomware runs much like any other malware which may find its way onto your systems. In other stages ransomware has introduced completely new areas of operating for cybercriminals.

The first few stages of the ransomware cycle use the tried-and-true methods cybercriminals are accustomed to using. In order for ransomware to get started with its real work, it needs:

  • a delivery system,
  • a vulnerability to exploit,
  • a payload to deliver, and
  • a way to establish communications with a C&C server.

Delivery System

A couple of the more widespread ransomware variants use an email with a malicious attachment as their delivery system. Despite all of the education and training that IT departments provide for employees, this still works. People will click on attachments to emails if it even remotely looks like the email is intended for them personally. Typically it will be a ZIP file, but PDF and Office documents are also used.

A common disguise for the content hidden in the attachment is a screensaver (.SCR file) which the user, for some reason, then installs. The type of users who click on mysterious attachments are apparently also the type who still like cool screensavers. Never mind the fact that screensavers are basically pointless unless you’re still using a CRT monitor.
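As an added example (not part of the original post), here is a mail-gateway style check for the attachment vector just described: it opens a ZIP attachment and flags members that carry an executable extension such as .SCR, hide one behind a document-looking name, or start with the Windows PE "MZ" header regardless of what the name claims. The sample archive is constructed inline; the extension lists are an assumption, not a complete set.

```python
import io
import zipfile

# Windows runs these extensions directly; a .scr "screensaver" is just a renamed PE executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".wsf"}
# Extensions an attacker puts in front of the real one so the name looks like a document.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".txt"}


def _extensions(name: str) -> list[str]:
    """All extensions of the final path component, lower-cased: 'a/b.pdf.scr' -> ['.pdf', '.scr']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]]


def scan_zip_attachment(zip_bytes: bytes) -> list[tuple[str, str]]:
    """Inspect every member of a ZIP attachment and return (member, reason) pairs to quarantine.

    Three independent checks: an executable extension, a document-looking name that
    masks an executable extension (Invoice.pdf.scr), and PE content ('MZ' header)
    no matter what the file name says.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            exts = _extensions(info.filename)
            if exts and exts[-1] in EXECUTABLE_EXTS:
                findings.append((info.filename, "executable extension " + exts[-1]))
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and exts[-1] in EXECUTABLE_EXTS:
                findings.append((info.filename, "document name masking an executable"))
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    findings.append((info.filename, "PE executable content (MZ header)"))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a benign text file, a fake 'screensaver' with a PE header, a fake JPEG."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "tracking notice")
        zf.writestr("Invoice_2015.pdf.scr", b"MZ" + b"\x00" * 62)  # constructed stand-in, not real malware
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0 not really a jpeg")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip_attachment(build_sample_zip()):
        print(f"{member}: {reason}")
```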

A second common delivery system is through a web browser. Most commonly a malicious URL is disguised in a parcel tracking email. Usually the email will appear to come from a major package carrier and explain they have a package for you but need some additional information in order to be able to deliver it. Click the handy link in the email, and you’ll receive the Trojan which will eventually facilitate the encryption of all your valuable files.

Sometimes the web browser delivery system is used by compromising an existing legitimate website. Innocent web surfing then results in infection.

Malvertising is another hook for web browser delivery of ransomware. The ransomer creates banner ads and buys a number of impressions on a legitimate advertising network. The target URL of the ad is legitimate when the ad is approved, but nefarious underpinnings are substituted when the ad is running.

The most unusual way I’ve encountered to deliver ransomware via web browser is through a phone call. In fact, just in the last month I received a phone call from a number I didn’t recognize. I was up for having some fun so I answered it. The caller didn’t identify himself by name or organization, but asked me to turn on my computer. Me! He had no idea who he had on the line of course. He wanted me to open a web browser and go to a specific URL. I played an idiot and made the process frustrating enough for him that he finally hung up on me – but obviously people are falling for this or he wouldn’t be doing it. Indeed, I’ve read of some cases where this has worked.

A final option of launching a widespread ransomware attack is to leverage a botnet. These are machines which have been compromised but the malware on them is dormant. Some people simply build botnets and then sell access to the infected machines to others who are looking for machines to exploit in one manner or another. If you have seemingly harmless adware or other mysterious files on your machine, it may be part of a botnet, waiting for a buyer to exploit it.

Vulnerability to Exploit

Ransomware delivered through a web browser needs a vulnerability to exploit to get itself installed on the target system. Although this might surprise some, many of the vulnerabilities leveraged are old; in fact, according to the Verizon 2015 Data Breach Investigations Report (DBIR), 99.9% of the exploited vulnerabilities [in 2014] were compromised more than a year after the CVE was published. For example, at least one current variant exploits a known vulnerability starting with CVE-2013. If you haven’t patched it, you’re just making the ransomer’s job that much easier.

Which vulnerability to exploit isn’t usually even chosen by the ransomer. These options are built into the malware kits, so they just tick all the boxes when they’re creating it. The initial Trojan will try multiple exploits until it finds one which is successful.

Those ransomware variants which are able to con the user into installing it themselves don’t really need a software vulnerability to exploit. Technically, the user is the vulnerability in those cases. If you’ll install a random screensaver on your machine, or install any shiny app on your mobile device, you may as well buy $500 in Bitcoin now to speed the process of paying the ransom later.

Payload Delivery

Depending on the size and complexity of the ransomware, it may either employ a dropper or it may download the entire payload initially.

For larger binaries the dropper approach is used. The initial executable which is delivered is small and purpose-built. Its ultimate job is to get itself installed on the target system and then to establish communications with a command and control (C&C) server for further instructions on downloading the rest of the payload.

The payload size for some of the more popular varieties is very small, between 100KB and 200KB, so no dropper is needed. It’s easily sneaked onto the victim computer.

Either the dropper or the actual payload must establish the communication path with the C&C server. Not all malware needs this communication path, but it is critical in the case of ransomware. Without two-way communication, there is no way for the target system to exchange its unique encryption key with the perpetrator, inform the user of the unique payment URL, and so on. The ransomware won’t start encrypting until it has established this communication channel.

Up to this point, ransomware is operating much like any malware. You can see the stages it needs to go through in order to be successful. This gives you a starting point in defining a “kill chain” for protecting your systems from ransomware.

From this point forward, ransomware’s operation becomes different from typical malware. I’ll cover those stages in the next post.

Call Group 4 Networks, your IT support provider in Toronto, to help you with all your IT needs.