Get Free Information Around Information Security &
The Latest News in Cybersecurity Right to Your Inbox

What is Ransomware? The Ransom-Based Malware Demystified

By SentinelOne -

In many information security publications, ransomware is mentioned with the same kind of horrified reverence as terrors such as climate change, Ebola, or the Death Star—to whit, a terrifying enigma with world-devastating implications. Much of the fear is visceral, however. Experiencing a traditional data breach is a lot like getting home to find that someone has copied all of your DVDs. When you’ve experienced a ransomware attack, you’ve either lost money, or irreplaceable data.

Thinking logically however, enterprises aren’t much more or less likely to experience attacks than they were before. More to the point, the ransomware that’s coming out nowadays isn’t even that much more sophisticated than the garden-variety malware that came before it. We’ve already covered how most ransomware variants aren’t that different from one another—now let’s talk about the very few ways in which what is ransomware now, differs from other forms of malicious code.

Ransomware Still Isn’t That Different from Ordinary Malware

What is ransomware and what does have in common with every single other kind of virus? It has the need to hide itself from detection. Nearly every kind of malware does this partially by encryption—this can confuse signature detection because instead of seeing the malicious executables, they just find random strings of alphanumeric text. Most antivirus programs now know how to look for these strings of text—hashes—but it is very easy for malware programmers to alter the underlying substructure of their files in order to make that hash appear different.

Other detection-avoidance routines include:

Timing: If an endpoint detection system doesn’t possess continuous monitoring capabilities, malware with timing-based obfuscation can run circles around it. This kind of malware is only designed to run when absolutely necessary, such as after a user reboots their computer, in order to avoid operating simultaneously with a malware scan.

Communications: Malware is basically built to steal data—which means that malware designed in this way must usually “phone home” to its makers. Antivirus programs will look for programs that communicate with certain servers, domains, and IP addresses which are known to host command and control servers for given types of malware. By rotating these addresses, malware can evade antivirus programs which are programed to look only for a small range of C&C servers at a given time.

Awareness: Here’s an idea—why spend all the time and trouble to evade signature detection, when you can prevent researchers from making a signature in the first place? Many malware tools have specific sensors that allow them to detect whether they’re in a virtualized environment, allowing them to either evade honeypots, or thwart security researchers from unpacking their components.

Ransomware does not substantially deviate from using these methods. String obfuscation is a relatively advanced method of encryption that is found in a lot of garden-variety malware, and also in ransomware such as CryptXXX. Other variants use less sophisticated encryption strategies—.CRYPTED uses a version of a XOR cipher, a technique that’s been in use since the Cascade virus in 1986. The Cryptowall ransomware has rudimentary sensors to detect whether it’s in a virtual environment. Essentially, none of these ransomware programs are particularly different from malware in their obfuscation efforts.

The real difference, of course, is payload. Ransomware is designed to do novel things, like (obviously) encrypting large amounts of files, deleting the Shadow Copies that allow users to restore from backup, and using C&C servers to store the encryption keys that allow users to unlock their files after they’ve paid up.

All of those actions, however, are behavioral mechanisms. Signature-based antivirus doesn’t look for behavior—rather, it seeks out identifiable characteristics of malware, such as the names of running processes, the hashes of encrypted files, or the servers that the malware phones home to. These characteristics are easy to mask, as we’ve just shown, and once ransomware begins to take action, there’s no way for signature-based malware to know that bad things are happening.

The difference between what is ransomware and what is malware isn’t that significant—one isn’t even much more dangerous than the other—but the immediate aftereffects of a ransomware attack are a lot more shocking. Don’t get shocked. Check out our full guide to ransomware attacks, and learn how to protect yourself and your organization against this burgeoning threat.

What's New


90 Days: A CISO’s Journey to Impact

We have partnered with some of the most successful CISOs to create a blueprint for success


SentinelOne H1 2018 Enterprise Risk Index

Our research team closely monitors all SentinelOne endpoints for insights

Live Demo

Endpoint Protection Platform Free Demo

Interested in seeing us in action? Request a free demo and we will follow up soon