Ransomware: How it Works & How to Remove It | SentinelOne


Even as recently as a decade ago, ransomware attacks were considered predominantly to be a cybersecurity problem; while most disruptive from a data loss perspective, they didn’t necessarily spell doomsday for targeted businesses. However, as malicious threat actors grew in sophistication and efficacy and ransoms grew more profitable, ransomware became a more imposing threat to organizations, with implications reaching beyond information security to governance, operations, finance, customer and public relations, and more.

Today, the heightening popularity of ransomware and its potential for damage (from school shutdowns to compromised critical infrastructure to interruptions in healthcare delivery) has stirred broader, arguably overdue conversations on how to combat this globally pervasive threat.

With that said, protecting against—and ultimately defeating—ransomware starts with understanding what it is, how and why it’s evolving, and what measures your organization can take to stop it.

What Is Ransomware?

Ransomware is a form of malicious software (malware) that leverages data encryption to extort organizations for substantial ransoms that, once paid, will theoretically restore access to and/or unencrypt affected data using a decryption key. Ransomware often gets an initial foothold in an organization’s environment when a user engages with a social engineering tactic such as a phishing email or watering hole attack (more on that below).

In the case of most ransomware attacks, the encryption restricts access to critical files, systems, and applications, and refusal or failure to pay the demanded amount may result in permanent blockage of those assets, or leakage of valuable data to the cybercriminal underworld. Commonly accepted forms of ransomware payment include cryptocurrency, credit card payments, and wire transfers.

Given threat actors’ overarching, lucrative success thus far, ransomware attacks have become the most ubiquitous and financially and informationally impactful cyber threat to enterprises and agencies today. In 2020 alone, the United States Federal Bureau of Investigation (FBI)’s Internet Crime Complaint Center (IC3) estimated that combined losses from ransomware attacks—based on only those reported to the IC3—totaled $30 billion. Within the last year alone, ransomware demands in the United States and Canada tripled in size, from $450,000 to $1.2 million on average. These numbers have continued to rise year over year as ransomware attacks grow in sophistication and scale.

How Does Ransomware Work?

Ransomware isn’t especially complicated to code. The encryption functions exist natively on both Windows and Unix-based machines like macOS and Linux. Some attackers choose to package their own encryption framework to avoid detection by AV software, but there are plenty of open source projects for attackers to choose from. What’s more, with the appearance of Ransomware-as-a-Service such as SMAUG RaaS and Shifr RaaS, attackers can simply buy off-the-shelf malware to distribute to victims. Reports indicate that portals for these services are proliferating and accessible to less-sophisticated hackers.

Once an attacker has a ransomware project, they only need to decide how to distribute it. As with other forms of malware, typical infection vectors rely on socially engineering victims into downloading an infected file from a website or via a phishing email. Often, an MS Office attachment or a malicious PDF file is used which, upon being opened, executes hidden code that in turn downloads the malware payload. In other cases, the ransomware could be the payload delivered by a script on a maliciously-crafted website or downloaded by a fake software installer.

It’s important to note that once the victim has opened the malicious file and given authorization, everything else happens invisibly behind the scenes. The unsuspecting victim may not know for some minutes, hours or even days that they have been infected, depending on when the malware is coded to trigger the encryption and announce its presence.

In the first-ever recorded case of ransomware, the program was not set to activate until the victim’s machine had been booted 90 times. Creating a delay between infection and encryption is intended to help cover the attacker’s tracks and make it harder for security researchers to find the infection vector. Criminals are usually in it for the long haul and don’t mind waiting for the payday if it helps ensure greater returns.

However, not all ransomware requires user interaction. The SamSam ransomware that was prevalent in 2016 targeted weak passwords on connected devices once it got a foothold on an initial device. A zero-day vulnerability in the popular Oracle WebLogic Server allowed attackers to send ransomware directly to computers and execute it without any user interaction at all.

What is Ransomware-as-a-service (RaaS)?

Ransomware-as-a-service is a business model in which ransomware developers sell fully-baked ransomware variants to even non-technical buyers at either a flat rate or a share of their profits, equipping them to launch ransomware attacks without any significant skill or resource requirement. These transactions are often marketed and executed on the dark web.

Ransomware developers benefit from the RaaS model because they do not need to directly concern themselves with either the risk or the trade-craft of finding and infecting targets. This division of labor and craft means that criminals with different skill sets and expertise can combine their efforts, making attacks and RaaS kits more efficient and profitable.

While RaaS is not a new delivery model, it has steadily risen in popularity given the overall prevalence and “success” of recent ransomware attacks, small up-front cost relative to a possible return, and the expanding availability and quality of ransomware developers in the RaaS market.

Ransomware in the News: Recent Examples

There is no shortage of recent case studies on ransomware and its impact on organizations, industries, and economies across the globe. Fortunately, as threat actor groups evolve in their motivations and techniques, so can our knowledge and understanding of how to overcome them. Particularly relevant and educational examples of recent ransomware attacks include:

  • Rise of Conti Ransomware Provokes FBI Flash Report: In May 2021, the FBI issued a notable Flash Report warning organizations of the growing threat of Conti ransomware; by July 2021, Conti had leaked more organizational data (in GBs) than any other ransomware group since the start of 2021.
  • The Surge of REvil Ransomware and the Kaseya Supply Chain Attack: The largest mass-scale ransomware incident to date occurred in July 2021, during which a zero-day exploit was leveraged to deliver REvil to thousands of corporate endpoints with the promise of universal decryption at the mere sum of $70 million.
  • DarkSide Ransomware and the Colonial Pipeline Attack: May 2021 saw one of the most disruptive and sobering ransomware attacks to date, with DarkSide shutting down a critical infrastructure system in the United States for several days and causing tangible downstream impacts on fuel prices.
  • The Wide-Reaching Impact of Ryuk Ransomware: From August 2018 to late 2020, the Ryuk ransomware family wreaked havoc on high-profile industries, from newspapers to large hospital systems, demanding large sums of bitcoin for decryption.

To gain deeper insight into emerging ransomware attacks and to learn how to keep your organization protected, read SentinelOne’s WatchTower Monthly Threat Hunting Digest, or for Singularity Complete customers, receive in-console Signal threat intelligence flash reports that are published as new ransomware variants arise.

7 Common Ways Ransomware is Spread

Understanding how ransomware infects a device and spreads across a network is crucial to ensuring that your organization does not become the next victim of an attack. Below are seven common ways ransomware is spread.


1. Breaches Through Phishing and Social Engineering

Phishing email is still the most common method attackers use to initially infect an endpoint with ransomware. Increasingly targeted, personalised and specific information is used to craft emails that gain trust and trick potential victims into opening attachments or clicking on links to download malicious PDF and other document files. These can look indistinguishable from normal files, and attackers may take advantage of a default Windows configuration that hides the file’s true extension. For example, an attachment may appear to be called ‘filename.pdf’, but revealing the full extension shows it to be an executable, ‘filename.pdf.exe’.

Files can take the form of standard formats like MS Office attachments, PDF files or JavaScript. Clicking on these files or enabling macros allows the file to execute, starting the process of encrypting data on the victim’s machine.
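The hidden-extension trick above can be caught without relying on what Explorer displays. The following is an added example (not SentinelOne’s code); the extension sets and magic-number table are constructed, non-exhaustive assumptions, and it judges an attachment by its full name and its leading bytes rather than by the displayed name:

```python
"""Flag e-mail attachments whose displayed name hides an executable.

Added example (not SentinelOne's code). With "Hide extensions for known
file types" on, Windows Explorer shows 'invoice.pdf.exe' as 'invoice.pdf'.
These checks use the full file name and the first bytes of the content,
so the verdict does not depend on what the user sees.
"""
import os

# Extension sets are constructed, non-exhaustive examples.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png"}

# Leading bytes ("magic numbers") of common container formats.
MAGIC = {
    b"MZ": "pe",                 # Windows executable (EXE, DLL, SCR)
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",        # also DOCX/XLSX/PPTX, which are ZIP containers
    b"\xd0\xcf\x11\xe0": "ole",  # legacy DOC/XLS/PPT
}

def split_extensions(filename):
    """Return every extension of a name, lowercased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    exts = []
    base = filename
    while True:
        base, ext = os.path.splitext(base)
        if not ext:
            return exts
        exts.insert(0, ext.lower())

def sniff_type(data):
    """Classify content by its leading bytes; 'unknown' if nothing matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def assess_attachment(filename, data):
    """Return the reasons an attachment looks deceptive (empty list = nothing found)."""
    reasons = []
    exts = split_extensions(filename)
    final = exts[-1] if exts else ""
    # 1. Document extension immediately followed by an executable one.
    if len(exts) >= 2 and final in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        reasons.append(f"double extension {exts[-2]}{final} hides an executable")
    # 2. Any directly executable attachment type is suspect in mail, whatever the name.
    elif final in EXECUTABLE_EXTS:
        reasons.append(f"directly executable attachment type {final}")
    # 3. Content does not match the claimed document type (PE header behind '.pdf').
    if final in DOCUMENT_EXTS and sniff_type(data) == "pe":
        reasons.append("content is a Windows executable but the name claims a document")
    return reasons
```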

2. Infection via Compromised Websites

Not all ransomware attacks have to be packaged in a maliciously-crafted email. Compromised websites are easy places to insert malicious code. All it takes is for an unsuspecting victim to visit the site, perhaps one they frequent often. The compromised site then reroutes to a page that prompts the user to download a newer version of some software, such as the web browser, plugin, or media player.

Web redirections like this are particularly difficult for users to spot without digging into the code underneath every site they visit.

If the site has been primed to deliver ransomware, the malware could either be activated directly or, more commonly, run an installer that downloads and drops the ransomware.

3. Malvertising and Breaching The Browser

If a user has an unpatched vulnerability in his or her browser, a malvertising attack can occur. Using common advertisements on websites, cybercriminals can insert malicious code that will download the ransomware once an advertisement is displayed. While this is a less common ransomware vector, it still poses a danger since it doesn’t require the victim to take any overt action such as downloading a file and enabling macros.

4. Exploit Kits That Deliver Custom Malware

Angler, Neutrino, and Nuclear are exploit kits that have been widely used in ransomware attacks. These frameworks are a type of malicious toolkit with pre-written exploits that target vulnerabilities in browser plugins like Java and Adobe Flash. Microsoft Internet Explorer and Microsoft Silverlight are also common targets. Ransomware like Locky and CryptoWall have been delivered through exploit kits on booby-trapped sites and through malvertising campaigns.

5. Infected Files and Application Downloads

Any file or application that can be downloaded can also be used to deliver ransomware. Cracked software on illegal file-sharing sites is ripe for compromise, and such software is as often as not laden with malware. Recent cases of MBRLocker, for example, took this route. There is also potential for hackers to exploit legitimate websites to deliver an infected executable. All it takes is for the victim to download the file or application, and the ransomware is dropped.

6. Messaging Applications As Infection Vectors

Through messaging apps like WhatsApp and Facebook Messenger, ransomware can be disguised as scalable vector graphics (SVG) to load a file that bypasses traditional extension filters. Since SVG is based on XML, cybercriminals are able to embed any kind of content they please. Once accessed, the infected image file directs victims to a seemingly legitimate site. After loading, the victim is prompted to accept an install, which if completed delivers the payload and then propagates to the victim’s contacts to continue the impact.

7. Brute Force Through RDP

Attackers use ransomware like SamSam to directly compromise endpoints using a brute force attack through Internet-facing Remote Desktop Protocol (RDP) servers. RDP enables IT admins to access and control a user’s device remotely, but this also presents an opportunity for attackers to exploit it for malicious purposes.

Hackers can search for vulnerable machines using tools like Shodan and port scanners like Nmap and Zenmap. Once target machines are identified, attackers may gain access by brute-forcing the password to log on as an administrator. A combination of default or weak password credentials and open source password-cracking tools such as Aircrack-ng, John The Ripper, and DaveGrohl help achieve this objective. Once logged on as a trusted admin, attackers have full command of the machine and are able to drop ransomware and encrypt data. They may also be able to disable endpoint protection, delete backups to increase likelihood of payment or pivot to achieve other objectives.
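On the defensive side, the RDP password guessing described above leaves a clear trace in the Windows Security log. The following is an added example (not SentinelOne’s code) that flags a source address producing a burst of failed RemoteInteractive logons, and escalates if that same source then logs on successfully; the event lines are constructed sample data in a simplified whitespace-separated form, not a real log export:

```python
"""Spot RDP password guessing in Windows Security events.

Added example (not SentinelOne's code). Windows logs a failed logon as
Event ID 4625 and a successful one as 4624; LogonType 10 means
RemoteInteractive, i.e. an RDP session. The events below are constructed
sample data in a simplified whitespace-separated form.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, event id, logon type, account, source IP.
SAMPLE_EVENTS = """\
2021-07-01T02:00:01 4625 10 administrator 203.0.113.7
2021-07-01T02:00:03 4625 10 administrator 203.0.113.7
2021-07-01T02:00:04 4625 10 admin 203.0.113.7
2021-07-01T02:00:06 4625 10 Administrator 203.0.113.7
2021-07-01T02:00:08 4625 10 backup 203.0.113.7
2021-07-01T02:00:11 4625 10 administrator 203.0.113.7
2021-07-01T02:00:40 4624 10 administrator 203.0.113.7
2021-07-01T09:15:00 4625 10 jsmith 192.0.2.25
2021-07-01T09:15:30 4624 10 jsmith 192.0.2.25
"""

def parse_events(text):
    """Parse the constructed line format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "id": int(event_id),
                       "type": int(logon_type), "account": account, "src": src})
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert on a source with >= threshold RDP failures inside `window`, and
    again, at higher severity, if that source then logs on successfully."""
    alerts = []
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != 10:      # only RemoteInteractive (RDP) logons
            continue
        q = recent[ev["src"]]
        if ev["id"] == 4625:
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append(("bruteforce", ev["src"], len(q)))
        elif ev["id"] == 4624 and ev["src"] in flagged:
            alerts.append(("success_after_bruteforce", ev["src"], ev["account"]))
    return alerts
```

The single failure followed by a success from 192.0.2.25 is a normal mistyped password and produces no alert, so the threshold separates users from guessing tools rather than penalising every failure.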

How Do I Stay Protected Against Ransomware?

It takes a comprehensive approach to stay protected, including endpoint protection, detection and response. A ransomware warranty is an important part of a strong strategy to protect your business.

Protection of Common Ransomware Attack Vectors

Understanding how ransomware infects and spreads can help you circumvent its downstream impacts and losses. Following initial infection, ransomware can spread to other machines or encrypt network-attached storage (NAS) filers in the organization’s network. In some cases, it can spread across organizational boundaries to infect supply chains, customers, and other organizations.

Before ransomware has a chance to proliferate in your environment, we recommend auditing and strengthening the following vectors commonly taken advantage of in ransomware attacks:

  • Phishing Emails
  • Compromised Websites
  • Malvertising
  • Exploit Kits
  • Downloads
  • Messaging Applications
  • Brute Force via RDP

In many of these scenarios, internal security training of your workforce and adherence to security best practices can go a long way to reinforce your first line of defense and reduce your attack surface. This extends to diligent upgrading, patching, and maintenance of your assets and systems, and the adoption of enhanced email security measures.

Endpoint Protection, Detection, and Response Against Ransomware

There may come a time when a ransomware threat bypasses these first lines of defense, requiring you to identify, contain, and even kill malicious behaviors acting on user machines and devices. This is where an endpoint protection, detection, and response strategy comes into play.

Modern Extended Detection and Response (XDR) solutions monitor local processes in real time and analyze their behaviors in detail, making it possible to identify malicious code with very high specificity and take immediate mitigation steps. An advanced XDR solution such as the SentinelOne Singularity platform takes this one step further by leveraging static and behavioral AI models—informed by ongoing threat intelligence into modern ransomware campaigns—to pinpoint abnormal activity and patterns that may be indicative of ransomware’s presence.

From there, an advanced XDR solution can neutralize the ransomware threat by deleting the code’s source, killing all relevant processes, quarantining suspicious files, or disconnecting the afflicted endpoint from the network altogether, depending on circumstance and organizational policies.
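To make the behavioural idea concrete, here is an added example (not SentinelOne’s code, and not a description of how the Singularity platform works internally) of one simple heuristic an endpoint agent can apply: a process that rewrites many distinct files with near-random content in a few seconds is behaving like an encryptor. The file-write events are constructed sample data.

```python
"""Behavioural ransomware heuristic over file-write events.

Added example (not SentinelOne's code, not the Singularity platform's
internals). It scores each process on two signals an encrypting process
tends to show: many distinct files rewritten in a short window, and
written content whose Shannon entropy is close to 8 bits per byte
(encrypted or compressed data). The events are constructed sample data.
"""
import math
from collections import defaultdict

def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty input, at most 8.0)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

# Constructed sample writes: (seconds, pid, process name, path, content written).
ENCRYPTED = bytes(range(256)) * 2                       # entropy exactly 8.0
PLAINTEXT = b"Quarterly report draft, nothing unusual here. " * 12
SAMPLE_WRITES = [
    (0.0, 4242, "svchost.exe", "C:\\Users\\a\\Docs\\q1.docx.locked", ENCRYPTED),
    (0.2, 4242, "svchost.exe", "C:\\Users\\a\\Docs\\q2.docx.locked", ENCRYPTED),
    (0.4, 4242, "svchost.exe", "C:\\Users\\a\\Docs\\budget.xlsx.locked", ENCRYPTED),
    (0.5, 4242, "svchost.exe", "C:\\Users\\a\\Docs\\notes.txt.locked", ENCRYPTED),
    (0.7, 4242, "svchost.exe", "C:\\Users\\a\\Pictures\\cat.jpg.locked", ENCRYPTED),
    (1.0, 4242, "svchost.exe", "C:\\Users\\a\\Docs\\README_DECRYPT.txt", PLAINTEXT),
    (3.0, 1312, "WINWORD.EXE", "C:\\Users\\a\\Docs\\q1.docx", PLAINTEXT),
    (9.0, 1312, "WINWORD.EXE", "C:\\Users\\a\\Docs\\q1.docx", PLAINTEXT),
]

def score_processes(writes, window=5.0, min_files=5, min_entropy=7.0):
    """Return {pid: reason} for processes that wrote >= min_files distinct
    high-entropy files within `window` seconds."""
    flagged = {}
    per_pid = defaultdict(list)   # pid -> [(time, path)] of recent high-entropy writes
    for t, pid, name, path, content in sorted(writes, key=lambda w: w[0]):
        if shannon_entropy(content) < min_entropy:
            continue                               # ordinary document content
        hits = per_pid[pid]
        hits.append((t, path))
        hits[:] = [(ht, hp) for ht, hp in hits if t - ht <= window]
        distinct = {hp for _, hp in hits}
        if len(distinct) >= min_files and pid not in flagged:
            flagged[pid] = f"{name} rewrote {len(distinct)} files with high-entropy content in {window:.0f}s"
    return flagged
```

Thresholds like these are where false positives live: backup agents and archivers also write high-entropy data quickly, so a production rule would whitelist known processes or combine this signal with others such as the ransom-note write shown in the sample.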

Ransomware Warranties and Proactive Protection Measures

While the above protection strategies will undoubtedly reduce your exposure to ransomware and minimize its ability to spread within your network, there is no such thing as guaranteed impenetrability. For this reason, there are other safeguards you can put in place for greater peace of mind against ransomware:

  • Ransomware warranties, often offered by your EPP and XDR vendor, help cushion the blow of ransomware attacks by reimbursing you for the cost of paid ransoms resulting from any potential technology failures.
  • Further safeguard your assets from spreading ransomware by enforcing more frequent and stringent data protection measures, from tightening access policies to creating a regular cadence of data backups.
  • Stay apprised of the evolving ransomware landscape, and leverage this threat intelligence to close gaps, remediate risks, and even hunt for the presence of ransomware-related Indicators of Attack (IOAs).

How Do I Remove Ransomware?

A crucial part of ransomware response and cleanup is turning back the clock and restoring all assets and configurations to their original state before the attack. This critical step enables rapid recovery and helps your business return to normal, continuous operations, regardless of the scale or depth of the attack’s fallout.

Previously unknown ransomware or new attack tactics might not get caught and blocked automatically by detection engines, so undoing their actions is the only safeguard left. It’s important to note that the danger of ransomware is not limited to encrypted or deleted files; it can also change access permissions and security configurations that malicious actors can take advantage of in subsequent attacks.

Automatic reversion of all changes executed by malicious or suspicious code, no matter how small, gives administrators a safety net, protecting you and the entire domain from the potential chain effects of ransomware. Your XDR solution should be able to roll back any affected files that were encrypted to a previously-sound state, relieving you from the tedium of restoring from external backup solutions or fully re-imaging systems.

Finally, it is wise to ensure the proper cleanup and recovery from ransomware, with no stone left unturned. You may consider engaging incident responders to help perform and guide the cleanup process and report back their findings in detail, or order a comprehensive compromise assessment of your organization—you can think of it as a full-body scan—to accurately capture and document your security posture following a potential ransomware incident.
