Ransomware

One-liner: Malware that encrypts files or locks systems and demands payment for restoration.

🎯 What Is It?

Ransomware is malicious software that prevents users from accessing their systems or data by encrypting files or locking the screen, then demanding a ransom (typically in cryptocurrency) for decryption keys. It's one of the most financially damaging cyber threats.

🔐 Types of Ransomware

1. Crypto Ransomware (File Encryption)

Encrypts files and demands payment for decryption key.

Examples:

• WannaCry (2017) — Used EternalBlue exploit
• ALPHAV / BlackCat — Rust-based, cross-platform
• Locky — Distributed via phishing emails
• CryptoLocker (2013) — First major crypto ransomware

Behavior:

1. Infection (email, exploit, RDP)
2. Privilege escalation
3. Disable backups / shadow copies
4. Encrypt files (.doc, .pdf, .jpg, databases)
5. Drop ransom note (README.txt, HOW_TO_DECRYPT.html)
6. Demand payment (Bitcoin, Monero)

2. Locker Ransomware (Screen Lock)

Locks the entire system, preventing access.

Examples:

• Police Locker — Fake law enforcement warning
• WinLocker — Locks Windows login

Less common since crypto ransomware is more effective.

3. Double Extortion

Encrypts AND exfiltrates data, threatening to leak it.

Examples:

• Maze (first double extortion, 2019)
• REvil / Sodinokibi
• Conti

Tactic:

Encrypt files + Steal sensitive data + Threaten public leak

Victim must pay to:

1. Get decryption key
2. Prevent data leak

4. Ransomware-as-a-Service (RaaS)

Ransomware sold/rented to affiliates (profit-sharing model).

Examples:

• REvil — Affiliates get 70-80% of ransom
• LockBit — Automated attack platform
• DarkSide — Attacked Colonial Pipeline (2021)

Business Model:

Developer creates ransomware → Affiliate deploys it → Split ransom

⛓️ Ransomware Kill Chain

1. Initial Access
   • Phishing emails with malicious attachments
   • EternalBlue)
   • [[Brute-force]] RDP credentials
   • Compromised websites (drive-by download)

2. Execution
   • Macro-enabled Office docs
   • HTA files
   • JavaScript downloaders

3. Persistence
   • Registry keys (Run, RunOnce)
   • Scheduled tasks
   • [[Rootkits]]

4. Privilege Escalation
   • Exploit local vulnerabilities
   • Credential theft ([[NTLM]])

5. Defense Evasion
   • Disable antivirus
   • Delete shadow copies: `vssadmin delete shadows /all`
   • Stop backup services

6. Lateral Movement (for targeted attacks)
   • Spread via network shares (SMB)
   • Use Lateral Movement techniques

7. Impact
   • Encrypt files with strong crypto (AES + RSA)
   • Delete backups
   • Drop ransom note

🔍 Detection Indicators

Behavioral IOCs

• Mass file modifications — Sysmon Event ID 11 - File Create spike
• Shadow copy deletion — vssadmin.exe delete shadows
• Backup service termination — Killing SQL, Exchange, VSS services
• Unusual encryption processes — High CPU + file I/O
• Suspicious file extensions — .encrypted, .locked, .wncry
• Ransom notes — README.txt, HOW_TO_DECRYPT.html

Sysmon Detection Example

Process: vssadmin.exe
CommandLine: delete shadows /all /quiet

Process: wbadmin.exe  
CommandLine: delete catalog -quiet

Process: bcdedit.exe
CommandLine: /set {default} recoveryenabled No

Network IOCs

• C2 communication to fetch encryption keys
• Data Exfiltration (for double extortion)
• Tor traffic (ransom payment instructions)

🛡️ Prevention & Mitigation

1. Backups (3-2-1 Rule)

3 copies of data
2 different media types
1 offsite/offline backup

2. Email Security

• Email Gateway with attachment scanning
• Block macros in Office docs
• User training on [[Phishing]]

3. Patch Management

• Patch CVE-2017-0144 (EternalBlue)
• Keep OS and software updated

4. Endpoint Protection

• EDR solutions
• Behavior-based AV
• Software Restriction Policies

5. Network Segmentation

• Limit [[Lateral Movement]]
• Isolate critical systems

6. Least Privilege

• Don't run as admin
• Restrict file share access

7. Monitor for Indicators

• Sysmon Event ID 11 - File Create mass changes
• Shadow copy deletion alerts
• Unusual encryption processes

📊 Notable Ransomware Attacks

💸 Ransom Payment Considerations

Should You Pay?

Arguments Against:

• No guarantee of decryption
• Funds criminal enterprises
• Encourages more attacks
• May violate sanctions (OFAC)

Reality:

• 40-60% of victims pay
• 20% who pay don't get working decryption
• Average ransom: $200K - $2M (2023)

If You Must Pay

1. Engage ransomware negotiation firm
2. Document everything (legal, insurance)
3. Report to FBI (IC3.gov)
4. Get legal advice (sanctions compliance)

🎤 Interview Angles

Q: How would you detect ransomware in your environment?

STAR Example:
Situation: Need to detect ransomware before mass encryption.
Task: Build early-warning detection.
Action:

• Created Sysmon rule for shadow copy deletion (vssadmin delete shadows)
• Alerted on mass file modifications via Sysmon Event ID 11 - File Create
• Monitored for backup service termination
• Set up EDR behavioral rules for suspicious encryption activity
  Result: Detected ransomware 4 minutes after initial execution, before encryption spread beyond 1 host.

Q: What's the best defense against ransomware?

• Backups — 3-2-1 rule with offline/offsite copies
• Patch management (especially SMB vulnerabilities)
• Email filtering and user training
• EDR with behavioral detection
• Network segmentation to limit spread

Q: What's double extortion?

• Attacker encrypts files AND steals sensitive data
• Threatens to publicly leak data if ransom not paid
• Started with Maze ransomware (2019)
• Forces victims to pay even if they have backups

🔗 Related Concepts

• Malware Analysis — Analyzing ransomware samples
• WannaCry — Famous 2017 outbreak
• [[EternalBlue]] — Exploit used by WannaCry
• Sysmon Event ID 11 - File Create — Detects mass file changes
• Data Exfiltration — Double extortion tactic
• Incident Response — Responding to ransomware