
How Ransomware Works

Normally, malware installs itself on a computer and runs in the background without revealing its presence to the user. It hides itself and steals valuable information. Ransomware is a special kind of malware that does not hide itself: once it completes its encryption procedure or locks the computer, it announces its presence by demanding a ransom.

Anatomy of Ransomware

The attacker sends a spam email that bypasses the victim's spam filter and lands in the user's inbox like a normal email.

The victim opens the spam email. The email looks as if it was sent from an official email account.

The email contains either a website link or an attachment, which can be a .docx, a .zip, a JavaScript file, etc.

If the email contains a website link, clicking it redirects the victim to a malicious website hosting an exploit kit. The exploit kit scans the victim's computer for a vulnerability, exploits it to download a malicious binary (for example malicious.exe) onto the victim's machine, and automatically starts executing it.

If the email contains an attachment, the attachment is actually a malicious file. The user downloads the file and runs it.

This malicious.exe launches legitimate child processes such as cmd.exe, PowerShell and vssadmin.exe.

To limit the victim's ability to recover files, vssadmin deletes the existing shadow copies on the victim's machine and creates new ones to hide in.

The executable also searches the file system for files with specific extensions and starts encrypting them.

The child process powershell.exe creates three duplicates of the originating malware binary: one in the AppData directory, one in the Start directory, and one in the root of the C: drive. Combined with registry modifications, these three copies restart the malware when the system reboots.

Once the encryption process completes, an encryption key is sent to the command and control server.

The server then sends a message to the victim demanding a ransom to decrypt the files.
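The post-execution steps above (a dropped binary spawning cmd.exe, PowerShell and vssadmin.exe; vssadmin wiping shadow copies; PowerShell staging copies and setting a registry autorun) are the parts a defender can watch for in process-creation telemetry. The following is an added example, not code from the original post: a small Python detector run over constructed sample events. The event fields (parent, image, command line), the file paths and the rule names are all assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (field names are an assumption for this example)."""
    parent: str   # full path of the parent process image
    image: str    # full path of the new process image
    cmdline: str  # command line of the new process


# Constructed sample events (not real telemetry) mirroring the chain described above:
# a downloaded binary spawns vssadmin and powershell, vssadmin deletes shadow copies,
# and powershell stages a copy of the binary and sets a Run key for reboot persistence.
SAMPLE_EVENTS = [
    ProcEvent("C:\\Windows\\explorer.exe", "C:\\Users\\bob\\Downloads\\invoice.exe", "invoice.exe"),
    ProcEvent("C:\\Users\\bob\\Downloads\\invoice.exe", "C:\\Windows\\System32\\vssadmin.exe",
              "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("C:\\Users\\bob\\Downloads\\invoice.exe",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
              "powershell.exe -w hidden Copy-Item invoice.exe $env:APPDATA\\svc.exe; "
              "Set-ItemProperty HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run svc ..."),
    ProcEvent("C:\\Windows\\System32\\services.exe", "C:\\Windows\\System32\\svchost.exe",
              "svchost.exe -k netsvcs"),
]

# Built-in tools the post names as children of the malicious binary.
LOLBINS = {"cmd.exe", "powershell.exe", "vssadmin.exe"}
# A parent living in a user-writable location is unusual for these tools.
USER_WRITABLE = re.compile(r"\\(Downloads|AppData|Temp)\\", re.IGNORECASE)
SHADOW_DELETE = re.compile(r"delete\s+shadows", re.IGNORECASE)
RUN_KEY = re.compile(r"CurrentVersion\\Run", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, cmdline) pairs for every event matching a rule; one event may match several."""
    hits = []
    for ev in events:
        img = basename(ev.image)
        if img == "vssadmin.exe" and SHADOW_DELETE.search(ev.cmdline):
            hits.append(("shadow_copy_deletion", ev.cmdline))
        if img in LOLBINS and USER_WRITABLE.search(ev.parent):
            hits.append(("lolbin_from_user_writable_parent", ev.cmdline))
        if RUN_KEY.search(ev.cmdline):
            hits.append(("run_key_persistence", ev.cmdline))
    return hits
```

Running `detect(SAMPLE_EVENTS)` flags the vssadmin and powershell events and leaves the explorer and svchost events alone; the shadow-copy rule alone is a strong signal because legitimate software rarely deletes all shadow copies quietly.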
