Anatomy of a Ransomware Attack - what exactly happens?

January 18, 2017 by Kathrin Brekle

2016 was the year of blackmail ransomware. Malicious programs are smuggled onto a system, where they encrypt the data and render it unusable. Only after the "ransom" is paid does the data become usable again.

Blackmail Ransomware

This kind of blackmail is not new. Back in 1989, the Trojan "AIDS.exe" hid files and in that way made them unusable. However, the program only changed the file names; the contents remained untouched. That changed in 2008, when malicious programs began to encrypt the file contents. Without the correct key, recovering the data is impossible. The remaining problem was then, as with "real" kidnappings, the handover of the ransom. This in turn changed in 2013: with Bitcoin as a means of payment, the flow of money was no longer traceable, and the success of the malicious software became unstoppable.

The malware spread quickly via infected advertising banners and websites, via email attachments, and via the classic method of the "lost" USB stick left in the parking lot or restroom, which carried a malicious program and infected the computer it was plugged into.

Ransomware Program Improvement

Since then the programs have improved considerably and the choice of victims has changed. Earlier campaigns aimed at a large number of victims with low ransom demands, which still added up to a tidy sum. Now middle and upper management are the target. With the help of spear phishing, CEOs are singled out and spied on. The emails are written so that the recipient has to assume they come from a well-known, high-ranking person, typically from the same company. When the attachment is opened, the victim is prompted to click a link that starts a larger action in the background. The malware then loads and starts.


After installation, the program contacts one or more so-called command-and-control (C&C) servers. From there, up-to-date attack tooling is downloaded onto the infected computer. It nests inside the system and ensures that the malicious program runs again after a restart of the computer, even if the device is immediately disconnected from the network (which, with older malicious programs, could still prevent the encryption of the data).

And then...

One part of the malware quietly nests in the autostart folder, while another part "takes care" of the registry. Subprograms try to get into the company network, which promises more success, since the victims there may have higher access rights than "normal" employees. What it means if such a program is able to spread across the company network is easy to imagine.
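The persistence described in the two paragraphs above (tooling that survives a restart, entries in the autostart folder and in the registry) is something a defender can audit rather than discover after the ransom note appears. The following script is an added example and is not code from the original article: it records the Run/RunOnce registry values and the contents of the per-user and all-users Startup folders as a baseline, and on later runs reports anything that was added or removed. The baseline location ($env:ProgramData\autostart-baseline.json) is an assumed default; run it elevated so the HKLM keys and the all-users Startup folder are readable.

```powershell
# Added example (not from the original article): snapshot common Windows
# autostart locations and diff them against a saved baseline.
# $BaselinePath is an assumed default location for the JSON baseline.
param(
    [string]$BaselinePath = "$env:ProgramData\autostart-baseline.json",
    [switch]$UpdateBaseline
)

# Registry run keys commonly used for persistence (machine-wide and per-user).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Startup folders: current user and all users.
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

function Get-AutostartEntries {
    $entries = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $entries += [pscustomobject]@{
                Location = $key
                Name     = $name
                Value    = [string]$item.GetValue($name)   # command line that runs at logon
            }
        }
    }
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in Get-ChildItem -Path $folder -File -Force) {
            $entries += [pscustomobject]@{
                Location = $folder
                Name     = $f.Name
                # Hash the file so a replaced shortcut/script with the same name is still caught.
                Value    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            }
        }
    }
    return $entries
}

function Get-EntryKey($e) { "$($e.Location)|$($e.Name)|$($e.Value)" }

$current = @(Get-AutostartEntries)

if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    ConvertTo-Json -InputObject $current -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) entries)"
    return
}

$raw = Get-Content -Path $BaselinePath -Raw
$baseline = if ($raw) { $raw | ConvertFrom-Json } else { @() }

$baseKeys = @{}; foreach ($e in $baseline) { $baseKeys[(Get-EntryKey $e)] = $true }
$curKeys  = @{}; foreach ($e in $current)  { $curKeys[(Get-EntryKey $e)]  = $true }

$changes = 0
foreach ($k in $curKeys.Keys)  { if (-not $baseKeys.ContainsKey($k)) { Write-Warning "NEW     $k"; $changes++ } }
foreach ($k in $baseKeys.Keys) { if (-not $curKeys.ContainsKey($k))  { Write-Warning "REMOVED $k"; $changes++ } }

if ($changes -eq 0) { Write-Host 'No autostart changes since baseline.' } else { exit 1 }
```

Run it once on a known-clean machine to write the baseline, then schedule it (or run it from your endpoint management tooling) so that a new Run value or Startup-folder item surfaces as a warning and a non-zero exit code. Store the baseline somewhere the local user cannot modify, and keep the Startup-folder hashes rather than only the names, since a replaced shortcut with an unchanged name would otherwise pass unnoticed.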

Modern blackmail software is specifically designed to attack backup media. These are the first targets, because with a recent backup most of the problems caused by data being taken hostage can be bypassed. The malware therefore ensures that even the files of a backup are no longer usable.
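Because the backup is the first target, a backup that nobody has verified is not a backup you can rely on during recovery. The following script is an added example, not code from the original article: it writes a SHA-256 manifest of a backup set and later checks the set against it, reporting files that have been modified (for instance encrypted in place), removed, or dropped in unexpectedly (such as a ransom note or encrypted copies beside the originals). The -BackupRoot parameter and the default manifest name (manifest.sha256.csv) are assumptions; the manifest, and ideally the backup itself, should live on a write-once or offline medium that an infected host cannot reach.

```powershell
# Added example (not from the original article): create and verify a hash
# manifest for a backup set so tampering is detected before the backup is
# trusted for recovery. $BackupRoot and $ManifestPath are assumed paths.
param(
    [Parameter(Mandatory)] [string]$BackupRoot,
    [string]$ManifestPath,
    [switch]$Create
)

function Get-RelativePath([string]$Root, [string]$FullName) {
    return $FullName.Substring($Root.Length).TrimStart('\')
}

function New-BackupManifest([string]$Root, [string]$Out) {
    # One row per file: relative path, size and SHA-256 of the content.
    Get-ChildItem -Path $Root -Recurse -File |
        Where-Object { $_.FullName -ne $Out } |
        ForEach-Object {
            [pscustomobject]@{
                RelativePath = Get-RelativePath $Root $_.FullName
                Length       = $_.Length
                SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        } | Export-Csv -Path $Out -NoTypeInformation
}

function Test-BackupManifest([string]$Root, [string]$ManifestFile) {
    $expected = Import-Csv -Path $ManifestFile
    $problems = 0
    $known = @{}

    # Every file listed in the manifest must still exist with the same hash.
    foreach ($e in $expected) {
        $known[$e.RelativePath] = $true
        $path = Join-Path $Root $e.RelativePath
        if (-not (Test-Path $path)) {
            Write-Warning "MISSING    $($e.RelativePath)"; $problems++; continue
        }
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        if ($hash -ne $e.SHA256) {
            Write-Warning "MODIFIED   $($e.RelativePath)"; $problems++
        }
    }

    # Files present now but absent from the manifest: typical of a ransom note
    # or of encrypted copies written next to the originals.
    foreach ($f in Get-ChildItem -Path $Root -Recurse -File) {
        if ($f.FullName -eq $ManifestFile) { continue }
        $rel = Get-RelativePath $Root $f.FullName
        if (-not $known.ContainsKey($rel)) {
            Write-Warning "UNEXPECTED $rel"; $problems++
        }
    }
    return $problems
}

$BackupRoot = (Resolve-Path $BackupRoot).Path
if (-not $ManifestPath) { $ManifestPath = Join-Path $BackupRoot 'manifest.sha256.csv' }

if ($Create) {
    New-BackupManifest -Root $BackupRoot -Out $ManifestPath
    Write-Host "Manifest written to $ManifestPath"
} else {
    $n = Test-BackupManifest -Root $BackupRoot -ManifestFile $ManifestPath
    if ($n -eq 0) { Write-Host 'Backup set matches manifest.' }
    else          { Write-Host "$n problem(s) found."; exit 1 }
}
```

Create the manifest immediately after each backup job (`-Create`) and run the verification from a separate, clean host before any restore. If the manifest is kept only on the same writable share as the backup, a program that encrypts the share can also overwrite the manifest, so copy it to offline or immutable storage as part of the backup routine.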


All this happens in the dark: until the infiltration is complete, nobody is supposed to suspect that danger is coming. When all preparations are made, the data is encrypted and the ransom demand is displayed on the screen of the infected computer. The sum demanded is calculated, as far as possible, from accounting information on the company's sales; it is often in the five- or six-digit range.

How successful is it?

The success rate is alarmingly high.  A survey conducted by Osterman Research in the U.S., Canada, U.K., and Germany shows that of the 540 companies interviewed, almost 40% had problems with ransomware.  More than a third of these had lost sales, while 20% were ruined by data loss!

If you would like an accurate and detailed picture of an attack by CryptoWall 3.0 (CW3), one of the latest and most dangerous blackmail programs, SentinelOne has a very good article describing the process.