A Look Inside a Ransomware Attack


Ransomware is one of the most serious cybersecurity threats that organizations face today. According to the quarterly Cybercrime Tactics and Techniques Report from Malwarebytes Labs, the number of detected ransomware attacks on businesses increased 88 percent in the third quarter of 2018. While overall ransomware attacks have trended downward over the past year, security researchers have identified almost 40 new ransomware families, as well as updates to existing families that make them more dangerous.

While the “payloads” of ransomware families vary, almost all encrypt the data on a victim’s device and demand a payout, usually in Bitcoin, in exchange for the decryption key. If the fee isn’t paid by a specified deadline, the attackers typically threaten to destroy the key, leaving the victim with no way to recover the data other than from backups.

Ransomware is commonly distributed via malicious email attachments as well as “drive-by” downloads that occur when a user visits a compromised website. Traditional signature-based antivirus solutions struggle to keep up with ransomware given its constantly evolving nature and large number of variants, since a signature only exists once a sample has already been seen.

Though there is no guarantee criminals will decrypt data after receiving payment, 53 percent of business executives surveyed by Merrill Research reported paying ransom after an attack. The survey also noted that ransomware is on the rise; 69 percent of executives said their organizations faced an attack in the past year, compared to just 14 percent in 2016.

CyberArk Labs studied the behavior of ransomware and found that most families have similar workflows. For 90 percent of the samples analyzed, the first step was to attempt to connect to a key server to fetch the unique public key used to encrypt the files on the infected device; the matching private key, which is what the victim is asked to pay for, never leaves the attacker. The remaining 10 percent of the samples embedded the unique public key within the malware itself.

If the malware was unable to establish a connection with the key server, it typically fell back to a default public key. This approach is weaker for the attacker because the same default key pair is shared across victims: once its private key becomes available (for example, published by researchers or obtained from another victim who paid), anyone hit by that fallback can decrypt their files. In addition, 20 percent of samples simply failed if a connection could not be established. Limiting the malware’s ability to establish an outside connection could therefore minimize the severity of an attack or thwart it outright.

After obtaining the key, the ransomware began looking for specific types of files, including Microsoft Office, Adobe, image, and source code files. Some families did this methodically and encrypted the data immediately, a process that could be completed within minutes or even seconds. Other strains chose files at random to evade detection and took longer to complete the process.

While that was going on, the malware attempted to spread to network drives and other connected machines to which the infected device had access. Once the encryption was complete on a device, a ransom notice was presented to the victim.
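As an added illustration of the two stages described above (an outbound connection to fetch a key, followed by a burst of writes to targeted file types), here is a small detector that runs over constructed endpoint telemetry. It is written for this page and is not CyberArk’s tooling or code. The event layout, process names, the egress allowlist, the destination address, the list of extensions and every threshold are assumptions chosen for the example.

```python
"""Two ransomware-behaviour heuristics over constructed endpoint events.

Added example; the event schema, hosts, process names and thresholds below
are invented for illustration and are not taken from the post.
"""
import math
import os
from collections import defaultdict

# File types the post names as targets (the concrete extensions are assumed).
TARGET_EXTENSIONS = {
    ".docx", ".xlsx", ".pptx",   # Microsoft Office
    ".pdf", ".psd",              # Adobe
    ".jpg", ".png",              # images
    ".py", ".c", ".java",        # source code
}

# Egress allowlist for this host (assumed): any other destination is a finding.
ALLOWED_DESTINATIONS = {"proxy.example.internal", "updates.example.internal"}

# Tunables for the encryption heuristic (assumed values).
ENTROPY_THRESHOLD = 7.0      # bits per byte; ciphertext approaches the maximum of 8.0
BURST_COUNT = 5              # this many suspicious writes ...
BURST_WINDOW_SECONDS = 60    # ... inside this window flags a fast, methodical strain
SLOW_DRIP_TOTAL = 50         # cumulative count catches strains that encrypt slowly


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Note the ceiling is log2(len(data)), so a
    sample of a few dozen bytes can never look 'encrypted'; sample >= 1 KiB."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def detect_egress(events):
    """Stage 1: a process connecting to a destination outside the allowlist.
    Returns (pid, process, dest) tuples in event order."""
    return [
        (e["pid"], e["process"], e["dest"])
        for e in events
        if e["type"] == "connect" and e["dest"] not in ALLOWED_DESTINATIONS
    ]


def detect_encryption(events):
    """Stage 2: high-entropy writes to targeted file types, per process.
    Returns {pid: "burst" | "slow-drip"} for processes that cross a threshold."""
    hits = defaultdict(list)   # pid -> timestamps of suspicious writes
    for e in events:
        if e["type"] != "write":
            continue
        ext = os.path.splitext(e["path"])[1].lower()
        if ext in TARGET_EXTENSIONS and shannon_entropy(e["sample"]) >= ENTROPY_THRESHOLD:
            hits[e["pid"]].append(e["ts"])

    findings = {}
    for pid, stamps in hits.items():
        stamps.sort()
        burst = any(
            stamps[i + BURST_COUNT - 1] - stamps[i] <= BURST_WINDOW_SECONDS
            for i in range(len(stamps) - BURST_COUNT + 1)
        )
        if burst:
            findings[pid] = "burst"
        elif len(stamps) >= SLOW_DRIP_TOTAL:
            findings[pid] = "slow-drip"
    return findings


# Constructed sample data. ENCRYPTED stands in for ciphertext (every byte value
# equally frequent, entropy exactly 8.0); PLAINTEXT is ordinary document text.
ENCRYPTED = bytes(range(256)) * 4
PLAINTEXT = b"Quarterly revenue report, draft 3. " * 30


def constructed_events():
    """A benign Word session (pid 1100) and an unknown binary (pid 4242) that
    first calls out to a non-allowlisted address, then rewrites six documents."""
    ev = [
        {"type": "connect", "ts": 0, "pid": 4242, "process": "invoice.exe", "dest": "203.0.113.7"},
        {"type": "connect", "ts": 1, "pid": 1100, "process": "winword.exe", "dest": "proxy.example.internal"},
        {"type": "write", "ts": 2, "pid": 1100, "process": "winword.exe",
         "path": r"C:\Users\alice\Documents\report.docx", "sample": PLAINTEXT},
    ]
    for i, name in enumerate(["budget.xlsx", "deck.pptx", "scan.pdf", "photo.jpg", "main.py", "notes.docx"]):
        ev.append({"type": "write", "ts": 3 + 4 * i, "pid": 4242, "process": "invoice.exe",
                   "path": rf"C:\Users\alice\Documents\{name}", "sample": ENCRYPTED})
    return ev


if __name__ == "__main__":
    events = constructed_events()
    print("egress findings:", detect_egress(events))
    print("encryption findings:", detect_encryption(events))
```

Two design points follow directly from the research summarized above. The egress check is deliberately an allowlist rather than a blocklist, because the key server is whatever host the sample chooses and will not be on any list in advance. The write check keeps a cumulative counter alongside the sliding window, because the strains that pick files at random and work slowly are exactly the ones a window-only threshold misses; in return, the cumulative threshold must be high enough that a legitimate bulk re-save (an archiver, a backup agent) does not trip it.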

CyberArk found that most ransomware families do not require local administrator rights on a machine in order to execute; they only need the file permissions the logged-in user already has. Researchers also noted that ransomware files are easy to locate and remove, unlike other forms of malware. A victim with a current backup could clean up an infected machine and restore the encrypted data with fairly limited impact, provided that backup was not itself reachable from the infected machine and encrypted along with everything else.

In our next post, we’ll discuss strategies for reducing the risk of a ransomware attack and how Clango and CyberArk can help.
