Understanding Ransomware


Ransomware is malicious software that encrypts an organization’s data or locks its systems, then demands payment (usually cryptocurrency) for restoration. Modern ransomware often employs double extortion: attackers steal sensitive data and encrypt files, threatening to leak or sell the data if the ransom isn’t paid (sentinelone.com). Ransomware variants range from crypto-ransomware (encrypting files) and locker-ransomware (locking access to a device) to Ransomware-as-a-Service (RaaS) platforms that allow affiliates to launch attacks (paloaltonetworks.com). Each type demands a different response, but all follow similar attack chains.

Ransomware Types and Characteristics

  • Crypto-ransomware: Encrypts files with strong cryptography, making them inaccessible. The attacker demands payment for the decryption key. Examples include WannaCry, Ryuk, and REvil (flashpoint.io).
  • Locker-ransomware: Locks the user out of the operating system (e.g. with fake screens), without necessarily encrypting files (paloaltonetworks.com). Victims must pay to regain control of their system.
  • Ransomware-as-a-Service (RaaS): A “malware affiliate” model where developers lease ransomware to others. This lowers the skill barrier for attackers and multiplies campaigns (e.g. DarkSide, LockBit and REvil operate as RaaS) (paloaltonetworks.com, sentinelone.com).
  • Leakware/Doxware: Exfiltrates sensitive data and threatens to publish it unless paid. Often used in double-extortion attacks (e.g. Maze, Conti) (paloaltonetworks.com, sentinelone.com).
  • Scareware: Fake security tools or pop-ups that falsely claim infection and pressure users to pay for “fixes” (paloaltonetworks.com).

Below is a summary of key ransomware types and their traits:

Ransomware Type  | Key Characteristics                                                                          | Examples / Notes
-----------------+----------------------------------------------------------------------------------------------+------------------------------------------------------------------
Crypto           | Encrypts critical files on disk or network shares; requires ransom for decryption            | WannaCry, Ryuk, NetWalker (flashpoint.io, cisa.gov)
Locker           | Locks the user out of the OS or apps (no file encryption); demands payment to unlock         | Legacy “Police” scams, some mobile variants
RaaS (Affiliate) | Malware developers rent ransomware to affiliates; increases the scale of attacks             | DarkSide, REvil, LockBit (paloaltonetworks.com, sentinelone.com)
Leakware/Doxware | Steals/exfiltrates sensitive data and threatens public release; often accompanies encryption | Maze, Conti, Egregor
Scareware        | Uses fake alerts or bogus software to trick users into paying; non-technical tactics         | Fake AV “You are infected” pop-ups

The Palo Alto Networks Cybersecurity Guide notes that crypto- and locker-ransomware remain the most common forms, with newer variants adding data extortion (paloaltonetworks.com). Understanding these categories helps tailor defenses (see “Proactive Cybersecurity Strategy” below).

Infection Vectors and Entry Methods

Ransomware operators use many entry methods to infect systems. The most prevalent are:

  • Phishing Emails and Malicious Attachments: Attackers send convincing emails (spear-phishing) with infected attachments (Office documents, PDFs, ZIPs) or malicious links. When a user opens the attachment or clicks a link, malware is delivered. Often the payload is a “loader” (e.g. TrickBot, Emotet) that establishes a foothold (flashpoint.io, mantra.ms). For example, a typical sequence is: user opens a malicious invoice document → enables macros → a hidden PowerShell or VBScript runs (mantra.ms).
  • Exploit Kits and Drive-by Downloads: Compromised or malicious websites can host exploit kits (e.g. “Angler”, “RIG”) that automatically exploit browser or plugin vulnerabilities (Java, Flash, etc.) when visited, delivering ransomware. Exploit kits were famously used to drop CryptoLocker and other ransomware by scanning for unpatched software.
  • Remote Desktop Protocol (RDP) and Remote Service Attacks: Criminals scan the internet for exposed RDP or VPN endpoints and use brute-force or credential stuffing to gain access. Once they break into a Windows server via RDP, they can manually install ransomware. In one Zscaler study, attackers used RDP brute-force to drop Dharma ransomware, then ran vssadmin delete shadows /all to erase backups (zscaler.com). RDP attacks often involve credential theft and lateral movement (e.g. using Mimikatz to dump admin credentials and pivot) (zscaler.com, flashpoint.io).
  • Vulnerability Exploitation: Unpatched vulnerabilities in software (Windows SMB, VPN appliances, databases, etc.) can be exploited directly. A famous case is WannaCry, which spread via the SMBv1 “EternalBlue” exploit (MS17-010). On systems that had not been patched, the malware exploited the flaw remotely and propagated like a worm (cisa.gov). Similarly, attacks may exploit public-facing services (web apps, Citrix, Exchange) to gain entry.

In practice, phishing is the most common initial vector (flashpoint.io), but sophisticated gangs chain multiple steps: e.g. initial phishing → loader (TrickBot/Bazar) → credential theft (Mimikatz) → lateral movement → ransomware deployment. Enterprise-targeted ransomware like Ryuk or Conti often arrives via such multi-stage campaigns.

Simulated Ransomware Attack Scenario

1. Initial Access: An employee at a finance company receives an email appearing to be an invoice from a vendor. She opens the attached Word document, enables macros (as prompted by social engineering), and unknowingly executes malicious PowerShell code (mantra.ms, flashpoint.io). This code installs a remote-access trojan (e.g. a variant of TrickBot) that connects to the attacker’s server, giving the attacker a foothold.

2. Recon and Credential Theft: The attacker uses the trojan to explore the network. They harvest Windows credentials with a tool like Mimikatz (dumping credentials from lsass.exe) or by capturing keypresses. Using stolen admin credentials, they log into file servers and domain controllers (flashpoint.io). They may also disable security tools (turn off antivirus, disable Windows Event logging) to avoid detection.

3. Lateral Movement and Privilege Escalation: Armed with elevated privileges, the attacker moves laterally. Common techniques include Pass-the-Hash to reuse hashed credentials, exploiting RDP sessions, or abusing shared folders (flashpoint.io). They open a remote desktop session to a backup server and drop additional malware to ensure persistence (e.g. a scheduled task or registry Run key). At this point, the attacker has administrator-level control of critical systems (flashpoint.io).

4. Deployment of Ransomware: With access secured, the attacker deploys the ransomware payload on multiple hosts. For example, they upload Ryuk or DarkSide executables to network shares and execute them as the SYSTEM user. The ransomware runs silently and encrypts files with strong AES/RSA encryption (zscaler.com, flashpoint.io). During encryption, the malware also deletes Volume Shadow Copies (using commands like vssadmin delete shadows /all /quiet) and may halt backup services to prevent recovery (zscaler.com).

5. Ransom Demand: After encrypting data, the attacker’s code displays ransom notes on each affected machine. For instance, Dharma ransomware drops two files: an Info.hta splash screen shown on login and a FILES ENCRYPTED.txt on the desktop (zscaler.com). These notes contain a unique ID for the victim and instructions to email the attacker (often a .onion address for Tor) to obtain the decryption key. A typical ransom message might read: “YOUR FILES ARE ENCRYPTED! Contact [email protected] with your ID to restore files. Don’t delete files or software.” (zscaler.com). The attackers demand payment in cryptocurrency, threatening permanent data loss or publication of exfiltrated files if the ransom is not paid.

Figure: Example of a ransomware demand note displayed on a victim’s system (source: Zscaler analysis of Dharma ransomware, zscaler.com).

This scenario illustrates a human-operated ransomware attack. At each phase, defenders can intervene. In practice, security teams use EDR alerts, SIEM detections, and threat hunting to catch malicious actions (like suspicious PowerShell execution or unexpected network reconnaissance) before encryption begins.

Technical Defense and Detection Guide

Defending against ransomware requires layered controls and active monitoring. Key measures and tools include:

  • Endpoint Detection & Response (EDR) / Extended Detection & Response (XDR): Deploy modern EDR agents on all endpoints and servers. Leading solutions (CrowdStrike Falcon, SentinelOne Singularity, Sophos Intercept X, Microsoft Defender for Endpoint, etc.) use behavioral AI and threat intelligence to block known and unknown ransomware. For example, CrowdStrike Falcon recently scored 100% detection and protection in an independent ransomware test (crowdstrike.com). These platforms can quarantine threats in real time, roll back file changes, and provide visibility into attacker tactics. Configure EDR to monitor processes spawned via PowerShell, CMD, or the Service Control Manager, especially under the SYSTEM account (as in [27]).
  • PowerShell and Script Logging: Enable PowerShell Script Block Logging and Module Logging on Windows (Group Policy). This logs the full text of PowerShell commands (Event ID 4104) and can reveal obfuscated or encoded commands (e.g. -EncodedCommand, use of -NoProfile or -WindowStyle Hidden) (detection.fyi). Analysts can write PowerShell detection scripts or SIEM queries to flag suspicious patterns such as base64-encoded strings, use of certutil.exe for downloads, or calls to vssadmin, wbadmin, or bcdedit. For instance, a Sigma rule can trigger on any vssadmin delete shadows or WMIC shadowcopy delete command, which are strong indicators of backup tampering (picussecurity.com).
  • EDR/XDR Tuning and Configurations:
    • Enforce Tamper Protection: Prevent users (and malware) from disabling security tools.
    • Collect Detailed Logs: Enable detailed process creation logs (Sysmon or Windows Audit) so you can reconstruct the chain of events. Capture command-line arguments for all processes.
    • Behavioral Rules and YARA: Use behavioral rules or YARA signatures to detect ransomware traits (e.g. large-scale file encryption activity). Many security vendors publish detection recipes. For example, Sigma rules can alert on abnormal SYSTEM-level processes using encoded PowerShell (as in [27]) or on antivirus alerts naming known ransomware families (detection.fyi).
    • Credential Security: Monitor for credential dumping (Event ID 4688 with lsass.exe access) and abnormal use of administrator privileges. EDR tools often have built-in alerts for Mimikatz or Pass-the-Hash attempts.
  • Threat Hunting Rules (Sigma): Implement custom detection rules in your SIEM or hunting platform. Some examples:
    • Windows Anti-Defense Tactics: The Sigma rule “Suspicious SYSTEM User Process Creation” from Nextron (see [27]) flags processes running as SYSTEM with suspicious flags (e.g. -NoProfile, -EncodedCommand).
    • Backup Deletion Tools: Detect execution of utilities that erase backups (e.g. vssadmin.exe, wbadmin, bcdedit) or scripts that invoke WMI calls to delete shadow copies (picussecurity.com).
    • Large-Scale File Operations: Alerts on a process that rapidly reads/modifies many files (indicative of encryption) or that creates many new .encrypted files.
    • Known Malware Signatures: If using antivirus/endpoint sensors, alert on detections of known ransomware binaries or droppers (e.g. HiddenTear, GandCrab, ContiCrypt). The “Antivirus Ransomware Detection” Sigma rule, for instance, catches AV alerts naming several ransomware strains (detection.fyi).
  • Network Protections: Use firewalls and intrusion prevention to block common ransomware C2 domains/IPs (threat intel feeds), and restrict or log incoming RDP/VPN attempts. Employ network segmentation to isolate sensitive data and hinder lateral movement.
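Detecting the “large-scale file operations” named above needs more than a command-line signature: a simple and widely used heuristic is to watch each process’s write rate together with the entropy of what it writes, since ciphertext is incompressible while documents and logs are not. The code below is an added example, not code from the article or from any vendor. It runs over constructed write events (the process names, paths, timestamps and contents are all made up for the demo) and flags a process that overwrites many distinct files with high-entropy content inside a short window, reporting the extension it is leaving behind.

```python
"""Flag processes that rewrite many files with high-entropy content in a short window.

Added example (not from the article or any vendor). The write events below are
constructed: process names, paths, timestamps and contents are all made up.
"""
import math
import random
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class WriteEvent:
    ts: float        # seconds since an arbitrary epoch
    process: str     # image name of the writing process
    path: str        # file written (Windows-style path)
    sample: bytes    # first bytes written, as a file-system filter or EDR would capture


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, about 4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def detect_mass_encryption(events, window_s=60.0, min_files=20, entropy_threshold=7.0):
    """Alert once per process that writes >= min_files distinct high-entropy files
    within any window_s-second span. Returns a list of alert dicts."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[ev.process].append(ev)

    alerts = []
    for proc, evs in by_proc.items():
        evs.sort(key=lambda e: e.ts)
        window = deque()  # (ts, path, suffix) of recent high-entropy writes
        for ev in evs:
            if shannon_entropy(ev.sample) < entropy_threshold:
                continue  # compressible content: not what an encryptor leaves behind
            window.append((ev.ts, ev.path, PureWindowsPath(ev.path).suffix.lower()))
            while ev.ts - window[0][0] > window_s:
                window.popleft()
            distinct = {p for _, p, _ in window}
            if len(distinct) >= min_files:
                suffixes = Counter(s for _, _, s in window)
                alerts.append({
                    "process": proc,
                    "files": len(distinct),
                    "first_ts": window[0][0],
                    "last_ts": ev.ts,
                    "top_extension": suffixes.most_common(1)[0][0],
                })
                break  # one alert per process is enough to trigger containment
    return alerts


def build_sample_events():
    """Constructed telemetry: a benign backup agent and a mass-encrypting process."""
    rng = random.Random(1337)  # deterministic stand-in for ciphertext
    events = []
    # Benign: 40 log chunks of repetitive text over two minutes (low entropy).
    for i in range(40):
        text = (f"2024-05-01 03:00 INFO backup chunk {i} ok\n" * 50).encode()
        events.append(WriteEvent(i * 3.0, "backupagent.exe", f"D:\\backup\\chunk{i}.log", text))
    # Suspicious: 60 documents overwritten with random-looking bytes in 30 seconds,
    # each gaining a new ".locked" extension (a made-up name for the demo).
    for i in range(60):
        blob = bytes(rng.getrandbits(8) for _ in range(4096))
        path = f"C:\\Users\\alice\\Documents\\report{i}.docx.locked"
        events.append(WriteEvent(500.0 + i * 0.5, "suspicious.exe", path, blob))
    return events


if __name__ == "__main__":
    for alert in detect_mass_encryption(build_sample_events()):
        print(alert)
```

The thresholds are the tuning knobs: legitimate compressors, backup agents writing already-encrypted archives, and browsers saving JPEGs all produce high-entropy writes, so in production this rule is paired with an allow-list of known image names, canary files that no legitimate process should touch, and a per-host-role choice of min_files and window_s.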

Each tool and rule should be tested. In real attacks, the ransomware encryptor is often the last stage; early detection of precursor activities (phishing, reconnaissance, unusual PowerShell usage) is critical. Regularly update EDR/SIEM rules from sources like SigmaHQ and vendor intelligence to cover the latest TTPs.
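The backup-deletion and encoded-PowerShell indicators this section describes translate directly into command-line matching over process-creation events (Windows Security Event ID 4688 or Sysmon Event ID 1). The code below is an added example, not the article’s, SigmaHQ’s or any vendor’s rule: the event records are constructed, and the matching mirrors the vssadmin/wbadmin/bcdedit/WMIC shadow-copy and -EncodedCommand checks described above, decoding the base64 UTF-16LE payload so the analyst sees what actually ran rather than an opaque blob.

```python
"""Match process-creation events against backup-tampering and encoded-PowerShell indicators.

Added example (not from the article, SigmaHQ or any vendor). Event records are
constructed to resemble Windows Security 4688 / Sysmon Event ID 1 fields.
"""
import base64
import binascii
import re

# Command-line patterns for backup/recovery tampering (the vssadmin, wbadmin,
# bcdedit and WMIC shadow-copy indicators discussed in the text).
BACKUP_TAMPER_PATTERNS = {
    "vssadmin": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "wmic": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "wbadmin": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I),
    "bcdedit": re.compile(
        r"\bbcdedit(?:\.exe)?.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_FLAG = re.compile(r"^[-/](?:e|ec|en|enc[a-z]*)$", re.I)
SYSTEM_USERS = {"nt authority\\system", "system"}


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the command line has none.
    PowerShell expects base64 of UTF-16LE text, which is what is reversed here."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENCODED_FLAG.match(tok):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
            except (binascii.Error, ValueError):
                return "<undecodable base64>"
            return raw.decode("utf-16-le", errors="replace")
    return None


def analyze(event):
    """Return a finding dict for one event, or None when nothing matched."""
    cmd = event.get("CommandLine", "")
    user = event.get("User", "")
    tags = [f"backup_tamper:{name}" for name, pat in BACKUP_TAMPER_PATTERNS.items() if pat.search(cmd)]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        tags.append("encoded_powershell")
    if not tags:
        return None
    # Backup tampering is always high; encoded PowerShell is high only under SYSTEM.
    is_system = user.lower() in SYSTEM_USERS
    severity = "high" if any(t.startswith("backup_tamper") for t in tags) or is_system else "medium"
    return {"user": user, "command": cmd, "tags": tags, "severity": severity, "decoded": decoded}


def scan(events):
    return [f for f in (analyze(e) for e in events) if f is not None]


# Constructed sample: the encoded payload is a harmless directory listing, built
# here so the demo is self-contained.
PS_PAYLOAD = "Get-ChildItem -Path C:\\Users -Recurse -Include *.docx"
ENCODED = base64.b64encode(PS_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"User": "CORP\\alice", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + ENCODED},
    {"User": "CORP\\bob", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
    {"User": "CORP\\svc_backup", "Image": "C:\\Windows\\System32\\vssadmin.exe",
     "CommandLine": "vssadmin list shadows"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["user"], finding["tags"], finding["decoded"] or "")
```

Two of the five constructed events are deliberately benign (a plain script invocation and a read-only vssadmin list) so that the rule’s precision is visible alongside its recall; when porting this to a SIEM, keep the same split of a high-severity backup-tamper tier and a user-dependent encoded-PowerShell tier, since administrators do legitimately run encoded commands from management tooling.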

Ransomware Case Studies

  • WannaCry (May 2017): A worm-like crypto-ransomware that exploited the Windows SMBv1 vulnerability (EternalBlue, CVE-2017-0144). Unpatched systems (despite a Microsoft patch issued in March 2017) were rapidly compromised and encrypted. WannaCry hit ~200,000 computers in 150+ countries, severely disrupting the UK’s NHS and many other organizations (cisa.gov). Victims saw a blue GUI demanding ~$300 in Bitcoin. The U.S. CISA notes that installing the MS17-010 patch or disabling SMBv1 could have stopped the spread (cisa.gov).
  • Colonial Pipeline (May 2021): A US fuel pipeline operator fell victim to DarkSide ransomware. The attackers accessed a VPN account (likely via weak MFA or credentials), then moved laterally to deploy DarkSide encryption on the IT network. Colonial proactively shut down pipeline operations, causing fuel shortages. The company paid 75 BTC ($4.4M at the time) to regain access (justice.gov). The FBI later seized $2.3M of the ransom. This incident led to urgent CISA/FBI alerts on improving segmentation between IT and OT, enforcing MFA, and maintaining robust backups (cisa.gov, justice.gov).
  • Ryuk/Conti Attacks: Ryuk (and its “successor” Conti) have been used in many high-value attacks (healthcare, government, enterprises) since 2018. Typically deployed manually after network compromise (often by TrickBot or BazarLoader malware), Ryuk encrypts servers with AES-256 and demands multi-million-dollar ransoms. CISA/FBI advisories have warned of increased Ryuk/Conti activity, especially targeting hospitals during the COVID-19 pandemic (cisa.gov). These gangs also engage in double extortion, exfiltrating files for additional leverage. Each incident underscores the need for rapid detection and segmented recovery procedures.

These real-world examples highlight that ransomware is ever-evolving. Attackers innovate quickly (e.g., PolarPay, Black Basta emerged in 2024 with new evasion techniques) and often operate from jurisdictions beyond easy reach of law enforcement. Staying aware of current threat intelligence (e.g. CISA alerts, industry reports) is essential.

Proactive Cybersecurity Strategy

An integrated, proactive defense is the best antidote to ransomware. Key best practices include:

  • Deploy EDR/XDR Everywhere: Ensure every endpoint, server, and cloud workload runs a next-gen security agent. Use a unified platform (Falcon, Defender, SentinelOne, etc.) that can correlate events across environments. Use automated containment (network isolation) for suspected infections. As CrowdStrike’s latest SE Labs test noted, advanced EDR can “stop all known and unknown ransomware threats with no false positives” (crowdstrike.com).
  • Maintain Offline Backups: Follow a 3-2-1 backup strategy (three copies, two media, one offsite). Keep backups offline or off-network so ransomware can’t encrypt them. Encrypt and test your backup media regularly. CISA bluntly advises: “Backing up is your best bet”: keep offline, encrypted backups and verify restoration procedures (cisa.gov).
  • Patch Management: Immediately patch critical vulnerabilities. High-impact bugs like SMB (EternalBlue) or remote management flaws (e.g. Exchange Server ProxyLogon in 2021) have powered major attacks. Apply security updates promptly to servers and workstations, especially those exposed to the Internet (cisa.gov). CISA’s “Keep Calm and Patch On” guidance stresses automating updates and scanning for missing patches (cisa.gov).
  • Threat Intelligence Feeds: Subscribe to ransomware IOC/URL feeds (from CISA, cybersecurity vendors, or threat sharing groups). Integrate these IOCs into firewalls, IPS, and SIEM to block known malicious hosts and file hashes. For example, CISA and FBI routinely publish DarkSide and Conti indicators. Use threat intel to update detection rules for new ransomware variants.
  • Network Segmentation and Least Privilege: Architect your network so that an infection in one segment (e.g. the user LAN) cannot easily spread to servers or OT systems. Implement strong firewall rules between departments. Enforce least privilege on accounts and use MFA on all remote-access and privileged admin accounts. The Colonial Pipeline attack underlined the need to isolate critical OT networks from IT networks (cisa.gov).
  • User Awareness Training: Educate all employees on phishing and social engineering. Simulated phishing exercises help users recognize malicious emails. CISA emphasizes that “good cyber hygiene”, such as training staff to spot phishing and suspicious links, greatly reduces initial-access risk (flashpoint.io, csrc.nist.gov).
  • Incident Response Planning: Develop and regularly test a ransomware-specific incident response (IR) plan. Identify legal/regulatory requirements for data breaches, and ensure you have IR team contacts ready (including law enforcement and external forensics experts). Define roles (IT, PR, legal) and communication procedures. NIST and CISA recommend rehearsing scenarios and decision trees so that, if hit, your team can act decisively.

Implementing these measures creates layers of resilience. No single control is foolproof, but together they make a ransomware attack much more difficult and less damaging. As the StopRansomware guidance puts it, “Apply these tips and practices to avoid attack”, including vulnerability scanning, patching, backups, and reporting incidents early (cisa.gov).

Summary Table of Ransomware Types

The table below summarizes common ransomware categories, their methods, and examples:

Type              | Characteristics                                                               | Examples / Notes
------------------+-------------------------------------------------------------------------------+------------------------------------------------------------------
Crypto-ransomware | Encrypts user files/data with strong ciphers, demanding payment for decryption | WannaCry, Ryuk, MegaCortex (flashpoint.io, cisa.gov)
Locker-ransomware | Locks the system or applications (no file encryption) to extort the victim     | Early Android lock screens; Petya (MBR locker)
RaaS (Affiliate)  | Ransomware sold/leased to affiliates; broadens the attacker pool               | DarkSide, REvil, LockBit (paloaltonetworks.com, sentinelone.com)
Leakware/Doxware  | Exfiltrates data and threatens public release if the ransom is unpaid          | Maze, Conti, Egregor
Scareware         | False alerts/tech-support scams that extort money without encryption          | Fake AV, “Your computer is infected” pop-ups

Table: Key ransomware types, their modus operandi, and representative examples (paloaltonetworks.com).

Understanding these categories and their tactics (mapped in frameworks like MITRE ATT&CK) helps organizations tailor defenses. For example, guarding against Data Encrypted for Impact (ATT&CK T1486) means monitoring for encryption tools and disabled backups, while guarding against Initial Access via Phishing (ATT&CK T1566) means phishing defenses and training (cisa.gov, learn.microsoft.com).


By combining technical defenses (EDR/XDR, logging, Sigma rules) with good security practices (backups, patching, training), organizations can detect, stop, or mitigate ransomware before it causes irreversible damage. As the saying goes: if data is properly backed up and segmented, a ransom payment becomes unnecessary. Stay vigilant, keep systems updated, and empower your security team with the right tools and intelligence to outpace the ransomware threat (cisa.gov, crowdstrike.com).

Sources: Authoritative cybersecurity guidance and research (CISA, NIST, MITRE ATT&CK, vendor reports) have been used throughout (cisa.gov, justice.gov, paloaltonetworks.com, crowdstrike.com) to ensure technical accuracy and currency.

Citations

  • Ransomware Protection and Response | CSRC (NIST) - https://csrc.nist.gov/projects/ransomware-protection-and-response
  • 7 Types of Ransomware Attacks in 2025 | SentinelOne - https://www.sentinelone.com/cybersecurity-101/cybersecurity/types-of-ransomware/
  • What Are the Most Common Types of Ransomware? | Palo Alto Networks - https://www.paloaltonetworks.com/cyberpedia/what-are-the-most-common-types-of-ransomware
  • The Seven Phases of a Ransomware Attack | Flashpoint - https://flashpoint.io/blog/the-anatomy-of-a-ransomware-attack/
  • What is WANNACRY/WANACRYPTOR? | CISA fact sheet - https://www.cisa.gov/sites/default/files/FactSheets/NCCIC%20ICS_FactSheet_WannaCry_Ransomware_S508C.pdf
  • From phishing to ransomware: an overview of the lifecycle of an attack | Mantra - https://www.mantra.ms/blog/phishing-to-ransomware
  • Ransomware Delivered Using RDP Brute-Force Attack | Zscaler - https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack
  • CrowdStrike Achieves 100% Detection, Protection, and Accuracy | CrowdStrike - https://www.crowdstrike.com/en-us/press-releases/crowdstrike-achievement-2024-se-labs-enterprise-advanced-security-edr-ransomware-test/
  • Suspicious SYSTEM User Process Creation | Detection.FYI - https://detection.fyi/sigmahq/sigma/windows/process_creation/proc_creation_win_susp_system_user_anomaly/
  • Ransomware Detection and Prevention in the Late Phase of the Lifecycle | Picus Security - https://www.picussecurity.com/resource/detection-and-prevention-in-the-late-phase-of-the-ransomware-attacks
  • Antivirus Ransomware Detection | Detection.FYI - https://detection.fyi/sigmahq/sigma/category/antivirus/av_ransomware/
  • Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside | U.S. Department of Justice - https://www.justice.gov/archives/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside
  • DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks | CISA (AA21-131A) - https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-131a
  • Ransomware Activity Targeting the Healthcare and Public Health Sector | CISA (AA20-302A) - https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a
  • Stop Ransomware | CISA - https://www.cisa.gov/stopransomware
  • Detect and respond to ransomware attacks | Microsoft Learn - https://learn.microsoft.com/en-us/azure/security/fundamentals/ransomware-detect-respond
