How Ransomware Attacks
What defenders should know about the most prevalent and persistent malware families

Ransomware’s behavior is its Achilles’ heel, which is why Sophos spends so much time studying it. In this report, we’ve assembled some of the behavioral patterns of the ten most common, damaging, and persistent ransomware families. Our goal is to give security operators a guideline to understand the core behaviors that underlie ransomware attacks, which we also use to convict ransomware with Sophos’ behavioral engine, Intercept X.
Most blogs or papers about crypto-ransomware focus on the threat’s delivery, encryption algorithms and communication, with associated indicators of compromise (IOCs). This research paper takes a different approach: an analysis of the file system activity, or behaviors, of prominent crypto-ransomware families (hereafter simply called ransomware). Ransomware creators are acutely aware that network or endpoint security controls pose a fatal threat to any operation, so they’ve developed a fixation on detection logic.
Modern ransomware spends an inordinate amount of time attempting to thwart security controls, tilling the field for a future harvest. It’s a lot easier to change a malware’s appearance (obfuscate its code) than to change its purpose or behavior, and ransomware always shows its tell when it strikes. The increasing frequency with which we hear of large ransomware incidents indicates that the code obfuscation techniques ransomware now routinely employs, such as the use of runtime packers, must continue to be fairly effective against some security tools; otherwise the ransomware makers wouldn’t use them.

It’s important to recognize there’s hope in this fight, and there are a number of ways admins can resist. Windows 10 Controlled Folder Access (CFA) whitelisting is one such way: it allows only trusted applications to edit documents and files in a specified location. But whitelisting isn’t perfect – it requires active maintenance, and gaps or errors in coverage can result in failure when it’s most needed.
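The CFA configuration described above, as an added example that is not part of the Sophos paper: it uses the Windows Defender PowerShell module to move from the weak state (CFA disabled) through audit mode to enforcement, and then dumps the effective configuration so that the coverage gaps the paragraph warns about can be spotted in review. The folder paths and the application path are placeholders, not values from the page.

```powershell
# Added example (not from the Sophos paper): enabling and verifying Windows Defender
# Controlled Folder Access (CFA) with the Defender PowerShell module.
# Paths and the application name below are placeholders for this illustration.
# Run from an elevated PowerShell session on a Windows 10 host with Defender enabled.

# --- Weak state: CFA off, so any process, ransomware included, can rewrite protected documents ---
# Set-MpPreference -EnableControlledFolderAccess Disabled

# --- Step 1: start in audit mode to discover which legitimate applications would be blocked ---
Set-MpPreference -EnableControlledFolderAccess AuditMode

# --- Step 2: declare the folders that must be protected. User profile libraries are
#             protected by default; shares and application data paths must be added explicitly ---
$protected = @(
    'D:\Finance',                 # placeholder path
    'C:\Users\Public\Documents'   # placeholder path
)
foreach ($p in $protected) {
    Add-MpPreference -ControlledFolderAccessProtectedFolders $p
}

# --- Step 3: allow only the applications that legitimately edit those folders.
#             Every entry is an exception to the protection, so keep the list short and reviewed ---
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleApp\exampleapp.exe'  # placeholder

# --- Step 4: review audit events before switching to block mode.
#             Event 1124 = CFA would have blocked (audit mode); 1123 = CFA blocked (enforced) ---
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue
$events | Select-Object TimeCreated, Id, Message | Format-Table -Wrap

# --- Step 5: enforce once the audit log shows only expected applications ---
Set-MpPreference -EnableControlledFolderAccess Enabled

# --- Coverage check: gaps in the protected-folder list or the allow list are silent failures.
#     Dump the effective configuration so it can be diffed against the intended baseline ---
$pref = Get-MpPreference
[pscustomobject]@{
    Mode             = $pref.EnableControlledFolderAccess   # 0 = Disabled, 1 = Enabled, 2 = AuditMode
    ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders
    AllowedApps      = $pref.ControlledFolderAccessAllowedApplications
} | Format-List

# Flag any protected folder that no longer exists on disk: a stale entry means the
# data has likely moved somewhere that is no longer covered.
$pref.ControlledFolderAccessProtectedFolders |
    Where-Object { -not (Test-Path $_) } |
    ForEach-Object { Write-Warning "Protected folder missing on disk: $_" }
```

Running the coverage check on a schedule, and comparing its output with the list of folders users actually work in, is the maintenance the paragraph above refers to; the audit-mode step is what keeps a new line-of-business application from being blocked the first time it saves a file.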