Detecting Ransomware – The Good, the Bad, and the Unknown

Ransomware has become one of the most widespread and damaging threats that businesses or organisations face.

Since CryptoLocker first appeared in 2013, there has been an ever-increasing number of file-encrypting Ransomware variants commonly delivered through attachments from spammed e-mail, downloaded from malicious pages through malvertisements, or dropped by exploit kits onto vulnerable systems. The current wave of Ransomware shares a common goal – to extort money from victims through intimidation. 

The rise of ransomware can be attributed to its undeniable success. Variants such as ‘CryptoLocker’ earned an estimated $3m before it was taken down by authorities [1], and ‘CryptoWall’ has been estimated to have accumulated over $325m in payments [2].


The damage of becoming a ransomware victim without effective safeguards and prevention strategies in place is considerable and, at times, potentially life threatening, as seen recently when a US-based hospital had its computer systems infected [3].

Like others before it, this infection started with a seemingly routine e-mail that contained a malicious attachment; upon execution, all of the hospital’s files, including patient data, were encrypted. In the end, the hospital was required to pay the $17,000 ransom in order to regain access [4].

Ransomware technologies

Ransomware uses asymmetric encryption to hold a victim’s information to ransom. Asymmetric (public-private) encryption generates a pair of keys, one used to encrypt a file and the other to decrypt it. The public-private key pair is generated uniquely by the attacker for the victim, and the private key needed to decrypt the files is stored on the attacker’s server.

Variants of the malware will look for files with specific extensions to encrypt, including on network shares even when they are not mapped to a local drive. For example, the Locky variant will look for dozens of file types, such as:

.mid, .wma, .flv, .mkv, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .qcow2, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .tar.bz2, .tbk, .bak, .tar, .tgz, .rar, .zip, .djv, .djvu, .svg, .bmp, .png, .gif, .raw, .cgm, .jpeg, .jpg, .tif, .tiff, .NEF, .psd, .cmd, .bat, .class, .jar, .java, .asp, .brd, .sch, .dch, .dip, .vbs, .asm, .pas, .cpp, .php, .ldf, .mdf, .ibd, .MYI, .MYD, .frm, .odb, .dbf, .mdb, .sql, .SQLITEDB, .SQLITE3, .asc, .lay6, .lay, .ms11, .sldm, .sldx, .ppsm, .ppsx, .ppam, .docb, .mml, .sxm, .otg, .odg, .uop, .potx, .potm, .pptx, .pptm, .std, .sxd, .pot, .pps, .sti, .sxi, .otp, .odp, .wks, .xltx, .xltm, .xlsx, .xlsm, .xlsb, .slk, .xlw, .xlt, .xlm, .xlc, .dif, .stc, .sxc, .ots, .ods, .hwp, .dotm, .dotx, .docm, .docx, .DOT, .max, .xml, .txt, .CSV, .uot, .RTF, .pdf, .XLS, .PPT, .stw, .sxw, .ott, .odt, .DOC, .pem, .csr, .crt, .key, wallet.dat

Any data stored in these files will be encrypted and unusable until the ransom is paid.

Over time, ransomware variants have become more sophisticated; the most notable new techniques include:

  • Deletion of Shadow copies to ensure that data cannot be restored from backups;
  • Use of crypto currencies such as Bitcoin to establish an anonymous method of receiving payments;
  • Use of the Tor Network to hide Command and Control channels and reduce the chance of attacker infrastructure being located;
  • Polymorphic attacks whereby the malware server morphs the payload often (in some cases every 15 seconds) to generate unique hashes;
  • Inclusion of credential and password stealers;
  • Dropping “autorun.inf” on all attached removable drives, introducing worm-like capabilities to spread;
  • Ransomware-as-a-Service (RaaS) allowing for anyone to set up a campaign and earn a percentage of the profits.

Defending Against Ransomware

Common methods of preventing infection include filtering e-mails that contain malicious attachments and enforcing user permissions. While blocking known attacks prevents a high number of infections, it is not possible to block all variants: attackers are always one step ahead.

With this limitation in mind, it is essential to employ security solutions that are, first, able to detect ransomware when it lands and, second, provide an effective method of defending against its malicious actions.

How can a business protect itself?


An effective way to detect a ransomware threat is through the use of anomaly-based threat detection. Such a system will detect ransomware at three important stages:

  • Initial Download – Ransomware commonly connects to an external domain to download the executable file.
  • Command and Control Communication – Ransomware first requires initial communication to request and send encryption keys; when a device connects to an uncommon location this will be flagged.
  • SMB Writes – The encryption process overwrites files, causing a large amount of noise in SMB traffic.

By flagging such events and watching for these types of behaviour, it is possible to identify an infection and restrict the amount of damage it is able to do.
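The SMB-write stage above is the easiest of the three to turn into a concrete detection: a user saving documents never produces dozens of writes per second against a share, but an encryption run does. The following is an added example (not Cyberseer's or Webroot's code) that runs a sliding-window write-rate check over constructed file-server audit lines; the log format, the host names and the threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed audit-log format (constructed for this example, not a product log):
#   <ISO timestamp> <client host> <operation> <UNC path>
def parse_line(line):
    ts, host, op, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, op, path

def detect_write_bursts(lines, window=timedelta(seconds=10), min_writes=20):
    """Return {host: peak writes in one window} for every client that issues
    at least `min_writes` WRITE/RENAME operations inside a sliding window."""
    recent = defaultdict(deque)   # host -> timestamps of its recent writes
    flagged = {}
    for ts, host, op, path in sorted(parse_line(l) for l in lines):
        if op not in ("WRITE", "RENAME"):
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:    # drop writes that fell out of the window
            q.popleft()
        if len(q) >= min_writes:
            flagged[host] = max(flagged.get(host, 0), len(q))
    return flagged

def constructed_log():
    """Constructed sample: WS01 overwrites 30 share files in under 6 seconds,
    WS02 saves three documents over forty minutes (normal user behaviour)."""
    base = datetime(2016, 2, 15, 10, 0, 0)
    lines = []
    for i in range(30):
        t = base + timedelta(milliseconds=200 * i)
        lines.append(f"{t.isoformat()} WS01 WRITE \\\\fs01\\finance\\q{i}.xlsx")
    for i in range(3):
        t = base + timedelta(minutes=20 * i)
        lines.append(f"{t.isoformat()} WS02 WRITE \\\\fs01\\hr\\notes{i}.docx")
    return lines

if __name__ == "__main__":
    print(detect_write_bursts(constructed_log()))   # {'WS01': 30}
```

In production the threshold would be set per share from a baseline of normal write rates, and the alert would be combined with the uncommon-destination flag from the C2 stage.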


Integration of a reliable endpoint solution can stop a threat from ever being able to execute.

An important first step is to move away from traditional solutions that rely only on whether a file is known good or has previously been flagged as bad. Modern solutions no longer rely on this approach alone to detect ransomware. In addition to known good and known bad, they use an additional “unknown” category for detecting advanced threats that have never been seen before and that bypass traditional tools.

An endpoint solution that runs as a kernel-level driver is able to monitor all the input and output of applications as they run. If suspicious behaviour is detected it can be blocked, stopping malicious activities from occurring.

Another approach is the use of journaling or rollback features. If a file is unknown, it is only allowed limited processing, and monitoring and journaling features are activated:

  • Each unknown file is monitored and all of its actions including file changes, registry entries and changes to memory are recorded.
  • If an unknown file is later classified as bad, the solution is able to automatically roll back all of the changes recorded in the journal.

When a known ransomware variant is downloaded, it is automatically quarantined and prevented from executing. When a variant that has not been seen before is executed, its actions are monitored. If the file is later flagged as bad, its effects can be reversed and encrypted files returned to their previous state.
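The journal-and-rollback idea above in miniature, as an added example that is not Webroot's or Cyberseer's code: every file change an "unknown" program makes is snapshotted first, so that when the verdict later comes back as bad the changes can be undone newest-first. The file-level hook (`unknown_program_writes`) is an assumption standing in for the kernel-level I/O interception the text describes; file names and contents are constructed.

```python
import os
import tempfile
from pathlib import Path

class FileJournal:
    """Records the prior state of every file an 'unknown' program touches,
    so its changes can be reversed once the program is classified as bad."""
    def __init__(self):
        self.entries = []   # (path, previous bytes) or (path, None) if new

    def record(self, path):
        p = Path(path)
        self.entries.append((p, p.read_bytes() if p.exists() else None))

    def rollback(self):
        for p, prev in reversed(self.entries):   # undo newest change first
            if prev is None:
                p.unlink(missing_ok=True)         # file was created: delete it
            else:
                p.write_bytes(prev)               # file was modified: restore it
        self.entries.clear()

def unknown_program_writes(journal, path, data):
    """Assumed hook: the monitored program's write, routed through the journal."""
    journal.record(path)
    Path(path).write_bytes(data)

def demo():
    """Constructed scenario: the unknown program overwrites a document with
    unreadable bytes and drops a new file; the journal then rolls both back.
    Returns (document_was_changed, everything_restored)."""
    original = b"original spreadsheet bytes"
    with tempfile.TemporaryDirectory() as d:
        doc, note = Path(d, "budget.xlsx"), Path(d, "note.txt")
        doc.write_bytes(original)
        journal = FileJournal()
        unknown_program_writes(journal, doc, os.urandom(len(original)))
        unknown_program_writes(journal, note, b"dropped file")
        changed = doc.read_bytes() != original
        journal.rollback()
        restored = doc.read_bytes() == original and not note.exists()
    return changed, restored

if __name__ == "__main__":
    print(demo())   # (True, True)
```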

Stop Ransomware in its tracks


Ransomware is growing in popularity because it can be indiscriminate. Any organisation, regardless of size, is a potential target. This is why attackers are spreading malware by any means possible.

Fortunately, Cyberseer’s approach uses a combination of cutting edge technologies and human expertise to offer a truly intelligent and flexible defence that all organisations now require. 

Cyberseer leads a new era of business endpoint security with Webroot SecureAnywhere Endpoint Protection, by enabling organisations to disrupt advanced attacks, deploy the best prevention strategies and shift the power back to security teams. 

It shields businesses from infections on the endpoints within your network and stops malware from around the globe the moment it is discovered. Having a cost-effective cloud-based management solution running behavioural analysis on the endpoint, with unique journaling and rollback features, provides organisations with effective threat mitigation.

Cyberseer’s threat detection and analysis service bridges the gaps in an organisation’s cyber defence system. Read more about our detection service and cyber security solutions.

These advanced technologies power our MSSP SOC Service offering: